The security expert Rafael Fontes Souza has discovered vulnerabilities in the website of Forbes and decided to disclose them for educational purpose.
Let me introduce myself, I’m a Brazilian Security Information Consultant, you can contact me searching on LinkedIn Rafael Fontes Souza. First I found vulnerabilities in the website of Forbes, and was thinking about how to do it ethically, in that case was applied HTMLi (HTML Injection), sent message to my brother Muhammad Shahzad(Youngest Ethical Hacker from Pakistan) for we explore more attack vectors and to report correctly, but unfortunately it is not easy to contact the vendor.
Now, I am going to explain some concepts of the attack in summary:
A HTML Injection vulnerability occurs when a web application allows users to insert valid HTML code via a specific parameter value and inject his own content into the targeted page.
Basically, an HTML Injection occurs when an application does not properly handle user supplied data
Some web apps try native countermeasures like looking for “typical” attacks that have words like “<script>” or “alert” within them. Most of the time it’s possible to bypass such weak filters by slightly altering the payload, like in most of the sites they just look for the exact keyword but if we capitalize some letters in order to confuse the web application so it would perfectly work.
I was worried about doing it the right way, my purpose is to learn not to steal information or use for malicious purposes. It is known that the attacker using this technique can follow steps to continue the exploitation.
Attacker discovers injection vulnerability and use an HTML injection attack.
Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email.
The user visits the page due to the page being located within a trusted domain.
The attacker’s injected HTML is rendered and presented to the user asking for your credentials (username and password).
The user enters with the credentials, which are both sent to the attackers server
Filter input parameters for special characters.
Filter output based upon input parameters for special characters.
Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these type of attacks as these can damage you more than you expect.
All of the information mentioned here is for educational purposes, we aren’t responsible for what you do afterwards.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.