Client Side Vulnerabilities / HTML Injection
Description
HTML Injection, also known as Cross-site Scripting (XSS), is a type of client-side vulnerability that involves injecting malicious HTML code into a web page or API. This type of attack is classified under CWE-79 in the Common Weakness Enumeration (CWE) directory and is part of the OWASP Top 10 Web Application Vulnerabilities. The goal of HTML Injection is to gain access to a user's session, steal sensitive information, and even execute malicious code. HTML Injection can be used to attack both web and API applications.
Risk
HTML Injection attacks can have a devastating impact on an organization. They can lead to data breaches, account hijacking, and other malicious activities. Organizations should perform a risk assessment to identify any assets that may be vulnerable to HTML Injection attacks, as well as to determine the potential impact of such attacks.
Solution
Organizations can protect against HTML Injection attacks by using input validation and output encoding. Input validation should be used to ensure that all user input is valid and safe. Output encoding should be used to help prevent malicious code from being executed. Additionally, organizations should ensure that their web and API applications are kept up to date with the latest security patches.
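The two controls named above, shown as an added example that is not part of the original page: a comment renderer with no protection next to one that validates input against allow-lists and encodes every value on output. All function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added example: allow-list input validation plus HTML output encoding.
// escapeHtml, safeHref, isValidName and renderComment are hypothetical names.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: neutralise the characters that let text become markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: accept only absolute http(s) URLs; any other scheme or
// malformed input is replaced by a harmless "#".
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : "#";
  } catch {
    return "#";
  }
}

// Input validation: display names limited to a known-safe alphabet and length.
function isValidName(name) {
  return typeof name === "string" && /^[A-Za-z0-9 _.-]{1,32}$/.test(name);
}

// Weak version: user input is concatenated into markup unencoded.
function renderCommentUnsafe(c) {
  return `<p><a href="${c.site}">${c.name}</a>: ${c.text}</p>`;
}

// Hardened version: validate first, then encode every value on output.
function renderComment(c) {
  const name = isValidName(c.name) ? c.name : "anonymous";
  const href = escapeHtml(safeHref(c.site));
  return `<p><a href="${href}">${escapeHtml(name)}</a>: ${escapeHtml(c.text)}</p>`;
}

// Constructed sample input, reusing the alert payload style from this page.
const sample = {
  name: "<b>mallory</b>",
  site: "javascript:alert(1)",
  text: '<script>alert("Vulnerable!")</script>',
};
console.log(renderCommentUnsafe(sample)); // markup passes through untouched
console.log(renderComment(sample));       // markup is rendered as inert text
```

Validation alone is not sufficient here: the comment text is free-form, so only the output encoding step keeps it from being parsed as markup.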
Example
The following example shows an HTML Injection attack using the CVE-2019-17072 vulnerability.
<script>
  // Injected script: reads the page URL and shows an alert when the
  // query string contains "?vuln=true".
  var url = window.location.href;
  if (url.indexOf("?vuln=true") > -1) {
    alert("Vulnerable!");
  }
</script>