Description
During the scan, Cytrix found that HTML Injection is possible.
This vulnerability occurs when user input is not correctly validated and the output is not encoded before it is placed in the page.
A successful HTML Injection allows the attacker to serve malicious HTML pages to a victim.
This could allow the attacker to change or delete content on the site.
A possible attack scenario is demonstrated below:
- Attacker discovers injection vulnerability and decides to use an HTML based injection attack.
- He then crafts a malicious link, including his injected HTML content, and sends it to a user via email.
- The user visits the page because it is located within a trusted domain.
- The attacker's injected HTML is rendered and presented to the user, asking for a username and password.
- The user enters a username and password, both of which are sent to the attacker's server.
Recommendation
Look for HTML elements in the incoming HTTP stream that contain the user's input.
Remove any HTML-syntax substrings (such as tags and links) from user-supplied text, and encode the output when it is written into the page, to prevent these situations.
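The following Python example is added here to illustrate the recommendation; it is not part of the scanner's report or of any affected application. It places a constructed user-supplied value into a page fragment in two ways: an unsafe concatenation that renders whatever markup the value contains, and a hardened version that HTML-entity encodes the value for the element-body context. It also includes two hypothetical helpers that implement the recommendation literally: one that flags user input containing HTML syntax so it can be logged or rejected, and one that strips tags from it. All function names and sample strings are assumptions for the example.

```python
import html
import re

# Constructed sample inputs (not taken from the page): a benign name and a
# value carrying markup of the kind the finding describes.
SAMPLE_INPUTS = {
    "benign": "Alice",
    "markup": '<b>Alice</b><a href="https://example.invalid/login">sign in</a>',
    "comparison": "1 < 2 and 3 > 1",
}

# Matches an HTML tag: '<', optional '/', a tag name, anything up to '>'.
# The tag name must start with a letter, so "1 < 2" is not flagged.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(name: str) -> str:
    """Vulnerable rendering: user input is concatenated into the page with no
    validation and no output encoding, so any markup in it is rendered."""
    return "<p>Welcome, " + name + "!</p>"


def render_safe(name: str) -> str:
    """Hardened rendering: the value is entity-encoded for the element-body
    context, so '<', '>', '&' and quotes reach the browser as text."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "!</p>"


def contains_html_syntax(text: str) -> bool:
    """Hypothetical detection helper: True when user-supplied text contains
    an HTML tag, so the request can be logged or rejected before rendering."""
    return TAG_RE.search(text) is not None


def strip_markup(text: str) -> str:
    """Hypothetical sanitiser that removes HTML tags from user-supplied text.
    Stripping alone is weaker than encoding, because it must recognise every
    tag form the browser will accept; use it alongside render_safe."""
    return TAG_RE.sub("", text)


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        print(label, "flagged" if contains_html_syntax(value) else "clean")
        print("  unsafe:", render_unsafe(value))
        print("  safe:  ", render_safe(value))
```

Run stand-alone, the script shows that the markup sample is rendered as live tags by `render_unsafe` but as visible text by `render_safe`, while the plain-text comparison string is neither altered by encoding in a way that changes its meaning nor flagged by the tag check.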