HTML Injection to DoS (P2)
Vulnerability Summary
HTML Injection is a web security vulnerability that occurs when an application fails to properly sanitize or validate user-supplied input before rendering it in a web page. As a result, an attacker can insert arbitrary HTML code into the page, which is then rendered in the browsers of other users. This can allow the attacker to manipulate the structure or content of the page, inject misleading elements, or create malicious links, potentially compromising user trust and the integrity of the website.
Improved Summary
HTML Injection is a web vulnerability that allows an attacker to inject arbitrary HTML code into a web page, which is then viewed by other users. This occurs when user-supplied input is not adequately sanitized before being rendered in the browser. Unlike Cross-Site Scripting (XSS), which typically involves JavaScript injection, HTML Injection can manipulate the appearance and behavior of a webpage through HTML alone.
Detailed Description
During a security assessment of a web application, I discovered a stored HTML injection vulnerability. Initially, I could only inject basic HTML tags such as <h1>, <a>, <b>, <i>, and <div>. However, further analysis revealed that the <div> tag accepted a style attribute, which allowed me to craft a payload that created an overlay on the website. By using an opaque black color value in the rgba function, I effectively rendered the entire page invisible. Additionally, I manipulated the position and z-index properties to ensure that the overlay covered the entire viewport, resulting in complete defacement of the webpage.
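The gap described above is a tag allowlist that passes the style attribute through unfiltered. The following sanitizer is an added example, not code from the assessed application or the original report: it keeps the tags the report lists but filters inline CSS against a property allowlist, so position, z-index and background declarations never reach the page. The policy constants and the function names (filter_style, Sanitizer, sanitize) are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy (not from the report): the tags it lists, plus safe inline CSS.
ALLOWED_TAGS = {"h1", "a", "b", "i", "div"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"style"}}
SAFE_CSS_PROPS = {"color", "font-weight", "font-style", "text-align"}

def filter_style(value):
    # Keep allowlisted declarations only; position, z-index, background are dropped,
    # as are values containing functions, escapes, comments or quotes.
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if sep and val and prop in SAFE_CSS_PROPS and not set(val) & set("()\\/<>\"'"):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text is still emitted, escaped
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or not value:
                continue
            if name == "style":
                value = filter_style(value)
            elif not value.lower().startswith(("http://", "https://")):
                continue  # href: allow only absolute http(s) links
            if value:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The sanitizer does not rebalance unclosed tags, so output that is placed inside other markup should still be wrapped in its own container element.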