Hello guys, hope everyone is well. I would like to share one of my findings.
What is HTML Injection?
HTML injection is a type of injection vulnerability that occurs when a user can control an input point and is able to inject arbitrary HTML code into a vulnerable web page.
How did I exploit this vulnerability?
To inject any payload, parameters are the entry points. Yes, I used the same here. I injected the payloads as values of the parameters on the web application (e.g. www.xyz.com).
After multiple attempts, one of the parameters on the web application accepted my payload; that parameter is “ID=”.
I wrote an HTML script to display a button (like in the image below) and from there tricked the victim into clicking it. Once the victim clicks the button, it redirects the victim to a different website (example: abc.com -> evil.com).
Remediation:
The code should filter user input and prevent metacharacters in it from being rendered as markup.
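The remediation above as an added example, not code from the original post or from the tested application: the same reflected value rendered without any handling, with output encoding, and with allow-list validation plus encoding. The "ID" parameter name comes from the post; the page template, the numeric format assumed for ID, the function names and the sample requests are assumptions made for this sketch.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: in this sketch the ID value is a short numeric identifier.
ID_PATTERN = re.compile(r"[0-9]{1,10}")

# Hypothetical page fragment that reflects the ID value back to the user.
PAGE = "<p>Showing record: {value}</p>"


def _id_value(query_string: str) -> str:
    """Return the first ID value from a URL-encoded query string ('' if absent)."""
    return parse_qs(query_string).get("ID", [""])[0]


def render_unsafe(query_string: str) -> str:
    """The 'before': the value is copied into the page unchanged."""
    return PAGE.format(value=_id_value(query_string))


def render_escaped(query_string: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the value shows as text."""
    return PAGE.format(value=html.escape(_id_value(query_string), quote=True))


def render_validated(query_string: str) -> str:
    """Allow-list validation first, output encoding kept as a second layer."""
    value = _id_value(query_string)
    if not ID_PATTERN.fullmatch(value):
        return PAGE.format(value="invalid ID")
    return PAGE.format(value=html.escape(value, quote=True))


# Constructed sample requests (not taken from the original post).
BENIGN = "ID=1042"
MARKUP = "ID=%3Ca+href%3D%22https%3A%2F%2Fexample.invalid%2F%22%3EContinue%3C%2Fa%3E"

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped, render_validated):
        print(f"{render.__name__:17} {render(MARKUP)}")
```

Encoding at output time is what stops the markup from rendering; the allow-list check additionally rejects values that were never valid IDs in the first place.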