Pierluigi Paganini
June 29, 2015
Let me introduce myself, I’m a Brazilian Security Information Consultant, you can contact me searching on LinkedIn Rafael Fontes Souza. First I found vulnerabilities in the website of Forbes, and was thinking about how to do it ethically, in that case was applied HTMLi (HTML Injection), sent message to my brother Muhammad Shahzad(Youngest Ethical Hacker from Pakistan) for we explore more attack vectors and to report correctly, but unfortunately it is not easy to contact the vendor.
Now, I am going to explain some concepts of the attack in summary:
HTML injection vs Cross-site Scripting
A HTML Injection vulnerability occurs when a web application allows users to insert valid HTML code via a specific parameter value and inject his own content into the targeted page.
Basically, an HTML Injection occurs when an application does not properly handle user supplied data
To turn this vulnerability into a Cross-site Scripting vulnerability we would just need to use a script tag in order to execute our JavaScript code. Its simple HTML, the site which we’re going to show as an example actually even doesn’t encode the input as most of the sites do, its adds our provided query into its HTML code.
Some web apps try native countermeasures like looking for “typical” attacks that have words like “<script>” or “alert” within them. Most of the time it’s possible to bypass such weak filters by slightly altering the payload, like in most of the sites they just look for the exact keyword but if we capitalize some letters in order to confuse the web application so it would perfectly work.
I was worried about doing it the right way, my purpose is to learn not to steal information or use for malicious purposes. It is known that the attacker using this technique can follow steps to continue the exploitation.
Mitigation:
Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these type of attacks as these can damage you more than you expect.
All of the information mentioned here is for educational purposes, we aren’t responsible for what you do afterwards.
About the Rafael Fontes Souza
(Security Affairs – Forbes, hacking)
