Tuesday, July 10, 2018

[Resume Website] A Possible Software Security Issue

This is my first time working on websites.

I am supposed to work on HTML, CSS, and JavaScript. To this day, I am still astonished at how well this non-profit organization has established itself. I have 1 edit that needs to be finished, so I can see this as a security vulnerability in any website.

Notice how "<dev/Mission>" looks like HTML code. On my website, I had the title as "dev/Mission".

the orange highlight of "dev/Mission"

I tried to type "<dev/Mission>" in the HTML; yet it was still considered a typo.

How is this a vulnerability?

"HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.

Attack scenario (OWASP)

A possible attack scenario is demonstrated below:
  • Attacker discovers injection vulnerability and decides to use an HTML injection attack
  • Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
  • The user visits the page due to the page being located within a trusted domain
  • The attacker's injected HTML is rendered and presented to the user asking for a username and password
  • The user enters a username and password, which are both sent to the attackers' server"
- https://www.acunetix.com/vulnerabilities/web/html-injection

A cool volunteer named Francis Li mentioned in Slack that a way to edit it to look like "<dev/Mission>" instead of "dev/Mission" is to use HTML escape entities (https://dev.w3.org/html5/html-author/charref).
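Added example (not part of the original post): a small JavaScript sketch of the escape-entity fix, writing the same title into a page with and without encoding and listing which start tags a parser would then see. The function names, the rough tag-matching regex, and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the original post). Runs under Node.js, no dependencies.

// The five characters that can change meaning in HTML text and quoted attributes.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode untrusted text once, at the point where it is written into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": the title is concatenated into markup unchanged.
function renderTitleUnsafe(title) {
  return "<h1>" + title + "</h1>";
}

// "After": the title is entity-encoded, so it can only ever be text.
function renderTitleSafe(title) {
  return "<h1>" + escapeHtml(title) + "</h1>";
}

// Rough stand-in for an HTML parser: names of the start tags found in a string.
// (Assumption: good enough for this demo, not a real HTML tokenizer.)
function startTags(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][^\s/>]*)/g), (m) => m[1].toLowerCase());
}

// Constructed sample inputs: the post's title, and a login-form fragment like
// the one in the quoted attack scenario.
const samples = [
  "<dev/Mission>",
  '<form action="//example.invalid"><input name="password"></form>',
];

for (const s of samples) {
  console.log("unsafe:", startTags(renderTitleUnsafe(s)), renderTitleUnsafe(s));
  console.log("safe:  ", startTags(renderTitleSafe(s)), renderTitleSafe(s));
}
```

In the unsafe output the title becomes a `dev` element (which is why it does not show up as text), while the encoded output contains only the `h1` the page author wrote.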

I haven't looked too much into it, but I would consider this possibly a software security issue if I was running a major company that may save lives, because there are creative people in this world who can make anything into reality.

Even if I was wrong, it's pretty cool that I learned a snippet about HTML injection.
