My first HTML injection

Jody Ritonga
Published in System Weakness, Feb 1, 2023

Hello everyone! Thank you for spending your time reading my article. Before we jump into the story of my first HTML injection, let me introduce myself. My name is Jody Jeremi Hadrian Ritonga, 19 years old, from Indonesia, and I've been in the bug bounty world for 10 months, so I'm still a baby in the security world. If there is any misinformation in this article, I would really like to hear about it so I can fix it in the next article. Okay, I've talked too much, so let's jump into the story of my first HTML injection.

First of all, what is HTML injection, and why is it considered a vulnerability in a website?

HTML injection is a type of attack that lets a malicious user inject HTML code into a web page. It is similar to XSS but less severe; still, HTML injection can't be ignored, because it can lead to phishing, defacement, or exfiltration of sensitive data from users. As with XSS, there are two types of HTML injection:

  • Reflected HTML injection (which requires user interaction)
  • Stored HTML injection (more dangerous because the payload stays on the website)

How do we prevent these nasty injections on our website?

  1. Implement an input policy that rejects special characters in form fields
  2. You can also use DOMPurify to sanitize HTML on your website
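To make the two recommendations above concrete, here is an added example (my own illustration, not code from the article or from the affected website) showing both layers for a registration form's name fields: an input policy that rejects HTML-significant characters, and output encoding so that whatever is stored is rendered as text rather than markup. The function names, the wrapping `<p>` markup and the sample payloads are assumptions made for the example; DOMPurify itself is not used here, a plain entity escaper stands in for the output-side defence.

```javascript
// Added example, not the article's code. Shows an input policy plus output
// encoding against stored HTML injection in first/last name fields.

// Characters that give a string meaning to an HTML parser.
const HTML_SPECIAL = /[<>"'&]/;

// Input policy (the article's first recommendation): returns { ok: true }
// or { ok: false, reason } for a single name field.
function validateName(value) {
  if (typeof value !== "string" || value.trim().length === 0) {
    return { ok: false, reason: "name is required" };
  }
  if (value.length > 64) {
    return { ok: false, reason: "name is too long" };
  }
  if (HTML_SPECIAL.test(value)) {
    return { ok: false, reason: "name contains characters that are not allowed" };
  }
  return { ok: true };
}

// Output encoding: escape the five characters that can change HTML structure,
// so a stored value can never open a tag or break out of an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The vulnerable pattern: untrusted profile data concatenated straight into markup.
// This is what a page that shows "<h1>Injeksi HTML</h1>" as a heading is doing.
function renderProfileUnsafe(firstName, lastName) {
  return `<p class="name">${firstName} ${lastName}</p>`;
}

// The hardened pattern: every untrusted value is escaped before it reaches the markup.
function renderProfileSafe(firstName, lastName) {
  return `<p class="name">${escapeHtml(firstName)} ${escapeHtml(lastName)}</p>`;
}

// Simple check used to demonstrate the difference: true if the rendered
// markup contains any tag other than the wrapping <p> (assumed wrapper).
function containsInjectedTag(html) {
  const inner = html.replace(/^<p class="name">/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z!/]/.test(inner);
}

// Demo with constructed sample values of the same shape as the article's payload.
function demo() {
  const first = '<img src="https://example.invalid/hacked.png">';
  const last = "<h1>Injeksi HTML</h1>";
  return {
    firstRejected: !validateName(first).ok,       // input policy blocks it
    lastRejected: !validateName(last).ok,         // input policy blocks it
    unsafeHasTag: containsInjectedTag(renderProfileUnsafe(first, last)), // true
    safeHasTag: containsInjectedTag(renderProfileSafe(first, last)),     // false
  };
}

console.log(demo());
```

One caveat worth keeping in mind: a policy that forbids `'` or `&` also rejects legitimate names such as O'Neil, which is why the output-encoding layer is the one that has to hold regardless of what the input policy allows through.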

And now let me tell you how I found an HTML injection on a new startup website that focuses on law education in Indonesia.

  1. First of all, my methodology as always: if there is a login page, I will always test for no rate limit on that page. When I went to my Burp Suite and tested it, there was no luck; they had implemented a rate limit policy.
  2. So at that time I was also checking for IDOR in the profile and for an OTP bypass, and none of that worked.
  3. And after that, I don't know why, but my mind told me to register another account with a different email and learn the registration flow.
  4. And when I tried to register my second account, I saw something fishy in the form.
  5. I could inject special characters into the name, and there was no warning or policy to disallow those characters, so my mind went like this.
  6. And then after that I injected a payload that looked like this:

Firstname: <img src="https://www.google.com/url?sa=i&url=https%3A%2F%2Fgulfsouthtech.com%2Funcategorized%2F7-signs-youve-been-hacked%2F&psig=AOvVaw2oBjD0_Bktt-djE4vcYmel&ust=1675338796864000&source=images&cd=vfe&ved=0CA8QjRxqFwoTCNCcssGh9PwCFQAAAAAdAAAAABAE">

Lastname: <h1>Injeksi HTML</h1> ("injeksi HTML" is the Indonesian term for HTML injection)

  7. And that's it, my first HTML injection; the dopamine rushed through my brain because of it. And after that I contacted the IT team leader, and the IT leader responded very well and in a friendly way!

And that's it, my fellow pro bug hunters and researchers, that's the story of how I found my first HTML injection! I hope you can learn one or two little things. Keep learning, folks, and don't let duplicates stop you! See you in the next article!

Timeline:

11/12/2022: Found the bug and reported it to the IT team

12/12/2022: The IT team confirmed the bug I found and showed their appreciation

(Yes, it's quite a fast response, I love that team.)

Sources to learn more about HTML injection:

  1. https://www.invicti.com/learn/html-injection/
  2. https://www.acunetix.com/vulnerabilities/web/html-injection/
