HTML Injection in Craft-Cms Application


Mondalsomnath

Craft CMS

Hello, fellow security researchers and bug bounty hunters.

In this article, I will share our experience of discovering an HTML Injection vulnerability.

Firstly, let’s have an overview of HTML Injection.

HTML injection is closely related to cross-site scripting (XSS). An HTML injection attack only permits the injection of certain HTML tags, whereas an XSS vulnerability allows the attacker to inject and execute JavaScript code. When an application fails to handle user-supplied data properly, an attacker can inject their own content into a page by supplying valid HTML code, usually through a parameter value. Because this attack relies on a code-level weakness together with a user's trust in the page, it is frequently combined with some form of social engineering.

Craft is a versatile, user-friendly CMS for designing unique digital experiences for the web and other platforms.

It features:

- A simple, user-friendly control panel for managing tasks and creating content.
- A front-end development and content modelling approach that starts from scratch and makes no assumptions about how your content should be used.
- An integrated plugin store with hundreds of paid and free plugins.
- A strong framework for building modules and plugins.
- A lively, active community.

Prerequisites: Redactor Plugin

1. Log in to the application's admin page.
2. Go to the plugin store, search for Redactor and install it.
3. Go to "Settings -> Fields" and add a new field. Make sure to use Redactor as the field type.
4. Add a custom Redactor config that only enables bold and italics, and save the field.
5. Go to "Settings -> Globals" and add a new Global.
6. In Field layout, add a tab by clicking "new tab" and add the previously created field to the tab. Save the global.
7. Open the global and observe that only bold and italics styles are allowed.
8. Enter some text in the textbox, then right click and select "Inspect".
9. In the Inspector, observe the element carrying style="display: none;".
10. Delete the "none" so the attribute becomes style="display:;".
11. Observe that a black terminal-like box is now visible in the UI where previously there was only the textbox.
12. The terminal box contains the HTML code of the text we wrote in step 8.
13. We inserted an HTML injection payload in the terminal box and clicked "save".
14. After saving, we observe that our HTML injection payload is saved successfully and is also reflected in the web application: if a user clicks it, they are redirected to the URL given in the HTML injection payload.

Ordinary enumeration will help an attacker find Craft CMS based web applications. All he needs to do is append /admin/login to reach the login page. He will then try to brute force his way into the admin panel and inject the payload. This payload can lure the application's customers to the attacker's intended websites, which can be harmful. This would also violate the integrity of the application.
