Introduction: This article is about HTML injection techniques used to exploit web site vulnerabilities. Nowadays, it's not usual to find a completely vulnerable site to this type of attacks, but only one is enough to exploit it. I'll make a compilation of these techniques all together, in order to facilitate the reading and to make it entertaining. HTML injection is a type of attack focused upon the way HTML content is generated and interpreted by browsers at client side. Otherwise, JavaScript is a widely used technology in dynamic web sites, so the use of techniques based on this, like injection, complements the nomenclature of 'codeinjection'.
Code Injection
This type of attack is possible by the way the client browser has the ability to interpret scripts embedded within HTMLcontent enabled by default, so if an attacker embeds script tags such <SCRIPT> , <OBJECT> , <APPLET> , or <EMBED> into a web site, the web browser's JavaScript engine will execute it. Typical targets of this type of injection are forums, guestbooks, or whatever section where the administrator allows the insertion of text comments; if the design of the web site isn't parsing the comments inserted, and takes < or > as real chars, a malicious user could type:
I like this site because <script>alert('Injected!');</script> teaches me a lot
If it works and you can see the message box, the door is opened to the attacker's imagination limits! A common code insertion used to drive navigation to another website is something like this:
<H1> Vulnerability test </H1> <METAHTTP-EQUIV="refresh"CONTENT="1;url= http://www.test.com">
Same within a<FK> or <LI> tag:
<FKSTYLE="behavior: url(http://<<Other website>> ;">
Other tags used to execute malicious JavaScript code are, for example, <BR> , <DIV> , even background-image:
<BRSIZE="&{alert('Injected')}"><DIVSTYLE="background-image: url(javascript:alert('Injected'))">
The <title> tag is a common weak point if it's generated dynamically. For example, suppose this situation:
<HTML>
<HEAD>
<TITLE>
<?php
echo$_GET['titulo']; ?</TITLE> </HEAD> <BODY> > ...
</BODY>
</HTML>
If you build title as 'example </title> </head> </body><img src= http://myImage.png>' HTML resulting would insert the 'myImage.png' image first of all:<HEAD>
<TITLE>
<?php
echo$_GET['titulo']; ?</TITLE> </HEAD> <BODY> > ...
</BODY>
</HTML>
<HTML>
<HEAD>
<TITLE>
example
</TITLE>
</HEAD>
<BODY><imgsrc= http://myImage.png></TITLE> </HEAD> <BODY>...
</BODY>
</HTML>
There is another dangerous HTML tag that could exploit a web browser's frames support characteristic: <IFRAME> This tag allows (within Sandbox security layer) cross-scripting exploiting using web browser elements (address bar or bookmarks, for example), but this theme is outside the scope of this article.<HEAD>
<TITLE>
example
</TITLE>
</HEAD>
<BODY><imgsrc= http://myImage.png></TITLE> </HEAD> <BODY>...
</BODY>
</HTML>
No comments :
Post a Comment
Are you avid to share your views? Go ahead and will be highly appreciated. Put your valuable comment that will help us to publish more worthy posts and content.