Let me introduce myself, I’m a Brazilian Security Information Consultant, you can contact me searching on LinkedIn Rafael Fontes Souza. First I found vulnerabilities in the website of Forbes, and was thinking about how to do it ethically, in that case was applied HTMLi (HTML Injection), sent message to my brother Muhammad Shahzad(Youngest Ethical Hacker from Pakistan) for we explore more attack vectors and to report correctly, but unfortunately it is not easy to contact the vendor.
Now, I am going to explain some concepts of the attack in summary:
HTML injection vs Cross-site Scripting
A HTML Injection vulnerability occurs when a web application allows users to insert valid HTML code via a specific parameter value and inject his own content into the targeted page.
Basically, an HTML Injection occurs when an application does not properly handle user supplied data
Some web apps try native countermeasures like looking for “typical” attacks that have words like “<script>” or “alert” within them. Most of the time it’s possible to bypass such weak filters by slightly altering the payload, like in most of the sites they just look for the exact keyword but if we capitalize some letters in order to confuse the web application so it would perfectly work.
I was worried about doing it the right way, my purpose is to learn not to steal information or use for malicious purposes. It is known that the attacker using this technique can follow steps to continue the exploitation.
Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these type of attacks as these can damage you more than you expect.
All of the information mentioned here is for educational purposes, we aren’t responsible for what you do afterwards.
About the Rafael Fontes Souza
(Security Affairs – Forbes, hacking)