
Thursday, December 25, 2014

HTML Code Injection Technique

HTML code injection techniques
Introduction: This article is about HTML injection techniques used to exploit web site vulnerabilities. Nowadays it is not usual to find a site that is completely vulnerable to this type of attack, but a single unfiltered input is enough to exploit it. I'll compile these techniques together, in order to make the reading easier and more entertaining. HTML injection is a type of attack focused on the way HTML content is generated by the server and interpreted by browsers on the client side. Moreover, JavaScript is a widely used technology in dynamic web sites, so techniques based on it, such as script injection, complete the family of 'code injection'.

Code Injection
This type of attack is possible because the client browser interprets scripts embedded within HTML content by default, so if an attacker embeds tags such as <SCRIPT>, <OBJECT>, <APPLET>, or <EMBED> into a web site, the browser's JavaScript engine will execute them. Typical targets of this type of injection are forums, guestbooks, or any section where the administrator allows the insertion of text comments; if the web site does not filter the inserted comments and passes < or > through as real markup characters, a malicious user could type:
I like this site because <script>alert('Injected!');</script> teaches me a lot
If it works and you can see the message box, the door is open, limited only by the attacker's imagination. A common code insertion used to redirect navigation to another web site is something like this:
<H1> Vulnerability test </H1> <META HTTP-EQUIV="refresh" CONTENT="1;url=">
The same can be done within a <FK> or <LI> tag:
<FK STYLE="behavior: url(http://<<Other website>> ;">
Other tags used to execute malicious JavaScript code are, for example, <BR> and <DIV>, and even a CSS background-image:
<BR SIZE="&{alert('Injected')}"> <DIV STYLE="background-image: url(javascript:alert('Injected'))">
The <title> tag is a common weak point if it's generated dynamically. For example, suppose this situation:
<TITLE><?php echo $_GET['titulo']; ?></TITLE> </HEAD> <BODY> ...
If you build the title as 'example </title> </head> </body><img src= http://myImage.png>', the resulting HTML would insert the 'myImage.png' image before anything else:
<BODY><img src= http://myImage.png></TITLE> </HEAD> <BODY> ...
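As an added example that is not part of the original article (and in Python rather than the article's PHP), the block below renders the two user-controlled inputs discussed above, the forum comment and the dynamically generated <title>, once verbatim (the vulnerable pattern) and once with output encoding, and adds a cheap server-side check that flags markup-like submissions for logging. The sample strings are constructed from the article's own payloads; the escaping is done by the standard-library html.escape, and the function names are my own.

```python
import html
import re

# Constructed sample inputs, modelled on the two scenarios in the article:
# a forum comment carrying a <script> element, and a 'titulo' query value that
# closes <title>, <head> and <body> early to smuggle in an <img>.
COMMENT = "I like this site because <script>alert('Injected!');</script> teaches me a lot"
TITLE = "example </title> </head> </body><img src=http://myImage.png>"


def render_comment_unsafe(comment):
    # The vulnerable pattern: user text is concatenated into the page verbatim,
    # so '<' and '>' reach the browser as real markup.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    # Output encoding for HTML body context: html.escape turns & < > " ' into
    # entities, so the browser displays the text and never sees a <script> element.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_title_unsafe(title):
    # Equivalent of the article's  <TITLE><?php echo $_GET['titulo']; ?></TITLE>
    return "<html><head><title>" + title + "</title></head><body>...</body></html>"


def render_title_safe(title):
    # The same output encoding works inside <title>: an escaped '</title>' cannot
    # terminate the element, so the injected <img> stays plain text.
    return ("<html><head><title>" + html.escape(title, quote=True)
            + "</title></head><body>...</body></html>")


# A '<' followed by a tag name, '/', '!' or '?' is what a browser starts parsing as a tag.
TAG_START_RE = re.compile(r"<\s*/?\s*[a-zA-Z!?]")


def looks_like_markup(text):
    """Cheap server-side check for input that a browser would begin to parse as
    a tag. Useful for logging and alerting on submissions to comment forms; it
    is not a substitute for output encoding, because harmless text such as
    '3 < 5' must still be accepted and is (correctly) not flagged."""
    return TAG_START_RE.search(text) is not None


def count_elements(markup, name):
    """Count opening tags called `name` in rendered markup: 1 means the injected
    element survived as an element, 0 means it was neutralised into text."""
    pattern = r"<\s*" + re.escape(name) + r"\b"
    return len(re.findall(pattern, markup, flags=re.IGNORECASE))


if __name__ == "__main__":
    cases = (
        ("comment", render_comment_unsafe(COMMENT), render_comment_safe(COMMENT), "script"),
        ("title", render_title_unsafe(TITLE), render_title_safe(TITLE), "img"),
    )
    for label, unsafe, safe, elem in cases:
        print(f"{label}: <{elem}> elements unsafe={count_elements(unsafe, elem)} "
              f"safe={count_elements(safe, elem)}")
        print("  escaped output:", safe)
    print("comment flagged for logging:", looks_like_markup(COMMENT))
```

The point to take from the title case is that escaping must happen at output time, in the context where the value is printed: the same entity encoding that stops a <script> in a comment also stops a premature </title>, whereas a filter that merely removes the word "script" would leave the title injection untouched.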
There is another dangerous HTML tag that could exploit a web browser's frame support: <IFRAME>. This tag allows (within the sandbox security layer) cross-site scripting attacks that abuse browser elements (the address bar or bookmarks, for example), but this topic is outside the scope of this article.