Pierluigi Paganini June 29, 2015

The security expert Rafael Fontes Souza has discovered vulnerabilities in the website of Forbes and decided to disclose them for educational purpose.

Let me introduce myself, I’m a Brazilian Security Information Consultant, you can contact me searching on LinkedIn Rafael Fontes Souza. First I found vulnerabilities in the website of Forbes, and was thinking about how to do it ethically, in that case was applied HTMLi (HTML Injection), sent message to my brother Muhammad Shahzad(Youngest Ethical Hacker from Pakistan) for we explore more attack vectors and to report correctly, but unfortunately it is not easy to contact the vendor.

Now, I am going to explain some concepts of the attack in summary:

HTML injection vs Cross-site Scripting

A HTML Injection vulnerability occurs when a web application allows users to insert valid HTML code via a specific parameter value and inject his own content into the targeted page.

Basically, an HTML Injection occurs when an application does not properly handle user supplied data

To turn this vulnerability into a Cross-site Scripting vulnerability we would just need to use a script tag in order to execute our JavaScript code. Its simple HTML, the site which we’re going to show as an example actually even doesn’t encode the input as most of the sites do, its adds our provided query into its HTML code.

Some web apps try native countermeasures like looking for “typical” attacks that have words like “<script>” or “alert” within them. Most of the time it’s possible to bypass such weak filters by slightly altering the payload, like in most of the sites they just look for the exact keyword but if we capitalize some letters in order to confuse the web application so it would perfectly work.

I was worried about doing it the right way, my purpose is to learn not to steal information or use for malicious purposes. It is known that the attacker using this technique can follow steps to continue the exploitation.

• Attacker discovers injection vulnerability and use an HTML injection attack.
• Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email.
• The user visits the page due to the page being located within a trusted domain.
• The attacker’s injected HTML is rendered and presented to the user asking for your credentials (username and password).
• The user enters with the credentials, which are both sent to the attackers server

Mitigation:

• Filter input parameters for special characters.
• Filter output based upon input parameters for special characters.

Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these type of attacks as these can damage you more than you expect.

All of the information mentioned here is for educational purposes, we aren’t responsible for what you do afterwards.

About the Rafael Fontes Souza

Edited by Pierluigi Paganini

(Security Affairs – Forbes, hacking)