1. What is HTML Injection?
HTML injection is a web application vulnerability that lets an attacker embed their own HTML code into a web page. It occurs when user-supplied input is placed into the page without being encoded, so any tags in that input are rendered by the browser instead of being shown as text.
Let’s take a practical example:
In the above website you can see that it has a search feature. Try searching for something.
As you can see, I tried searching for “Faiyaz” and got this result. “Faiyaz” is reflected back on the web page. From this we can conclude that whatever is typed in the search field is shown in the response. To confirm this, search for “anything” on the website.
So I guessed right. Now we know that whatever we enter in the search field will be displayed on the web page. So what happens if I type <h1>Faiyaz</h1> into the search field?
As we can see, the word “Faiyaz” is bold. This confirms that the HTML tag around Faiyaz was rendered by the browser rather than displayed as text. You can continue to try other HTML tags on the site http://testphp.vulnweb.com.
2. How to find HTML Injection errors
You can inject HTML anywhere in a web application that accepts user input and reflects it onto a web page without encoding it. It can be in:
- Input fields (Like the example above)
- Get parameter (Like https://example.com/?id=Hi)
- HTTP headers (Like X-Forwarded-Host: <h1>Hey</h1>)
- POST Parameters (Like username, password, etc.)
3. HTML Injection in practice
This is the story of when I was hunting on a private program about 2 months ago. The website had 2 functions:
- Login
- Signup
I started searching for these two functions for about 4 hours and got nothing. Then after resting for a day, I started hunting again. This time I started looking for HTML Injection vulnerabilities. So I tried to re-register on the site and noticed a few things:
The registration function requires an email address, username and password.
When I clicked register after filling in those details, a confirmation email was sent to my email account.
Inside that email there was something like this:
“Hey Faiyaz, Please verify your account here: https://verificationlink.com/”
And here “Faiyaz” is the username that I entered when registering on the website.
Realizing this, I signed up again but this time I provided a username of:
<h1>Hacked</h1>
And surprisingly, I got the result as shown below:
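To show why both the search field and the verification email above reflect HTML, here is an added example (not code from the original post or from the program in the story) of the vulnerable rendering pattern next to its fixed form, plus the kind of check a defender can keep in a regression test. The template strings and the https://verificationlink.com/ link are assumptions for illustration.

```python
import html
import re

# Vulnerable: the raw query is interpolated straight into the page, so any
# tags in it (for example <h1>Faiyaz</h1>) are rendered by the browser.
def render_search_vulnerable(query: str) -> str:
    return f"<p>Results for: {query}</p>"

# Fixed: html.escape() turns < > & " ' into entities, so the same input is
# displayed as literal text instead of being interpreted as markup.
def render_search_safe(query: str) -> str:
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

# Email template with the same shape as the one in the story ("Hey <name>,
# Please verify your account here: <link>"). The username must be escaped
# even in email, since most mail clients render HTML bodies.
def render_verification_email(username: str, link: str, escape: bool = True) -> str:
    name = html.escape(username, quote=True) if escape else username
    safe_link = html.escape(link, quote=True)
    return (f"<p>Hey {name}, Please verify your account here: "
            f'<a href="{safe_link}">{safe_link}</a></p>')

# Defence in depth: an allowlist for usernames rejects tags entirely, so the
# value never reaches a template unescaped even if one template forgets to
# encode it. The allowed character set here is an assumption.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

# Regression check: does the rendered output still contain a live marker tag?
# A test submits a harmless marker such as <h1>marker</h1> through each
# rendering path and fails if the tag survives unencoded.
def reflects_unescaped_tag(rendered: str, marker_tag: str = "h1") -> bool:
    return re.search(rf"<{marker_tag}\b[^>]*>", rendered, re.IGNORECASE) is not None

if __name__ == "__main__":
    marker = "<h1>marker</h1>"
    print("search (vulnerable):", reflects_unescaped_tag(render_search_vulnerable(marker)))
    print("search (fixed):     ", reflects_unescaped_tag(render_search_safe(marker)))
    print("email (fixed):      ", reflects_unescaped_tag(
        render_verification_email(marker, "https://verificationlink.com/")))
    print("username allowed:   ", is_valid_username(marker))
```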