Stored Html Injection

What is  Html Injection ?

HTML Injection, also known as cross-site scripting (XSS), is a web vulnerability where an attacker injects malicious HTML or script code into a web application's input fields, URLs, or other user-controlled data. When the application does not properly sanitize or validate this input, it is displayed on web pages without proper encoding or filtering. As a result, unsuspecting users who view the affected pages may have the injected code executed by their browsers, leading to client-side attacks, data theft, session hijacking, or other malicious activities. Proper input validation and output encoding are crucial to mitigate the risk of HTML Injection vulnerabilities.

What is Stored Html Injection ?

Stored HTML Injection, also known as persistent or stored cross-site scripting (XSS), is a web vulnerability where an attacker injects malicious HTML or script code into a web application's database or storage. This injected code is then permanently stored and later displayed to other users accessing the affected pages. When unsuspecting users view the page, their browsers execute the injected code, potentially leading to client-side attacks, data theft, or other malicious activities. Stored HTML Injection poses a significant security risk and requires proper mitigation to prevent exploitation.

When a user accesses a page or data that contains the stored malicious code, the injected script or HTML can execute within their browser, leading to various security risks. These risks may include cookie theft, session hijacking, defacement of the website, phishing attacks, or even the installation of malware on the victim's system.

In This Article ?

  • What is Html Injection
  • What is Stored Html injection
  • Stored Html Injection Impact
  • Stored Html Injection Mitigation
  • How to Test
  • How to Reporting

How to Find ?

STEP #1: Go to any website create an account and Login.


STEP #2: Click the edit address option now paste the payload in address bar and save it.
payload : <img src="https://sanjeetmishra.com/SanjPromopic/WhatsApp%20Image%202023-05-03%20at%207.56.39%20AM.jpeg" alt="Girl in a jacket">


STEP #3: Now HTML payload is working because this input place is vulnerable to HTML Injection.


Impact :

The injected HTML or JavaScript code can execute within the victim's browser, leading to various malicious actions. This can include stealing sensitive user information, such as login credentials or personal data, manipulating website content, redirecting users to phishing websites, or delivering malware to their systems.

 Injected HTML code can be used to create convincing phishing forms or pages that trick users into entering their sensitive information, such as usernames, passwords, or credit card details. This information can then be harvested by the attacker for malicious purposes.

A successful stored HTML injection attack can damage the reputation of the affected website or application. Users may lose trust in the platform's security, resulting in a decline in user engagement, customer loyalty, and potentially financial losses for the organization.

It is crucial to address stored HTML injection vulnerabilities promptly to mitigate these impacts and protect the security and integrity of web applications and their users.

Mitigation :
Implement strict input validation mechanisms to ensure that user-generated content is properly validated and sanitized before being stored in the application's database or storage. Use input validation techniques such as whitelisting, blacklisting, and regular expressions to filter out potentially malicious HTML or script tags.

Employ a WAF as an additional layer of defense. A WAF can help detect and block attempts to exploit stored HTML injection vulnerabilities by analyzing incoming requests and responses, filtering out malicious code, and providing virtual patching for known vulnerabilities.

By implementing these mitigation techniques, organizations can significantly reduce the risk of stored HTML injection vulnerabilities and enhance the security posture of their web applications. It is important to adopt a proactive approach to security and prioritize ongoing monitoring, testing, and maintenance to stay ahead of evolving threats.

How To Report ?

Hello Team
                  I'm  Career Technology Cyber Security India a white security researcher from Mumbai INDIA, founded Vulnerability on your website: https://www.exmple.com

Vulnerability Name :  Stored Html Injection

Description: 
A "stored HTML" attack also known as "Persistence" occurs when a malicious script is injected into a web application and then permanently stored inside the application server. The application server then dumps the malicious script back out to the user when the user accesses the injected webpage.

Username : (login gmail)
Password : (login password)

Vulnerable URL : https://www.exmple/store/en/customer/address/edit/id/

Steps to reproduce ?
1.Visit on your website: https://www.exmple/en
2.Create an account & login open your profile
3. Click the edit address option
4. Then paste the payload in street Address option and save it
payload : 
<img src="https://sanjeetmishra.com/SanjPromopic/WhatsApp%20Image%202023-05-03%20at%207.56.39%20AM.jpeg" alt="Girl in a jacket">
5.now you can your street address place is vulnerable to stored html injection.
6.Please check the POC (Video) For More Information's .

Impact:
The impact of stored HTML injection includes client-side attacks, data theft, web page defacement, content manipulation, and potential compromise of user accounts or sensitive information.

Mitigation :
To mitigate stored HTML injection, implement input validation and output encoding techniques to sanitize user-generated content. Utilize proper input validation to filter out potentially malicious input, and apply output encoding to properly encode user-supplied data when displaying it on web pages. Additionally, consider implementing a Content Security Policy (CSP) to restrict the execution of untrusted scripts and mitigate the impact of injected code.

POC: Video & Screenshot

for more details you can ping me on mail

Thanks & Regard,
Career Technology Cyber Security India
Indian Bug Hunter

Comments

Popular posts from this blog

Some Dark web Links

How to join Cyber Cell or Cyber Crime Department in India || Exam or Direct or Skills???

ATM HACKING TOOL TRENDING ON DARK WEB