HTML Injection at Product Configuration Creation

Viruses & Malware
TheVikingsofDW
Posts: 65
Joined: Thu Feb 01, 2024 5:54 pm

Postby TheVikingsofDW » Fri Feb 02, 2024 3:27 am

INTRODUCTION
HTML Injection is a form of web application security vulnerability wherein an assailant can infuse malicious HTML code into a web page accessed by other users. This assault can be initiated by an assailant who inputs specially crafted HTML code, such as script tags or iframe elements, into the input field. Subsequently, the web application might display this malevolent HTML code to other users, potentially executing the code in their web browser and enabling the assailant to execute their malicious intents.

Description: HTML Injection occurs when an attacker simply inserts a payload into the Product Configuration's name field, which is executed upon the attacker saving the Product Configuration Creation.

Platform/Product: OpenCRX

Affected Component: Product Configuration Name Field

Impact: HTML injection can lead to the alteration of web page content or the execution of malicious scripts, resulting in the unauthorized retrieval of sensitive information, dissemination of malware, perpetration of phishing attacks, defacement of websites, or denial of service. It can significantly impact the reputation and security of a website and the organization operating it.

METHOD OF EXPLOITATION

1. Navigate to https://demo.opencrx.org/opencrx-core-CRX/ObjectInspectorServlet?requestld=3D06QMASG8CMLDTV63YISTS8F&event=24?loginFailed=false and log in using Guest credentials.
2. Create a new Product Configuration in the Product Section.
3. Insert HTML payload into the Name field as below:
Payload -

Code:

<font color="red">Example</font>

4. Click on the save button to preserve this activity Category. Subsequently, click on the save button to store this activity Milestone. It has been noted by the auditor that the HTML payload executes successfully.
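The root cause described in the post is a stored name being written into the page without output encoding. The following is an added example, not code from the post or from the OpenCRX project: it contrasts a vulnerable render that concatenates the name into markup with a hardened render that HTML-encodes it, and adds a small validation/log-review check that flags tag-like input. The helper names (escapeHtml, renderNameSafe, looksLikeHtmlInjection) and the sample names are assumptions constructed for the example; the payload string is the one quoted in the post.

```javascript
// Added example (not from the original post or from OpenCRX): safe rendering
// of a user-supplied Product Configuration name. All function names here are
// hypothetical helpers written for this illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. Encoding happens at output time, so the stored
// value is unchanged and every page that displays it gets the same protection.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so a name such as <font color="red">Example</font> becomes a live element
// in every viewer's browser.
function renderNameUnsafe(name) {
  return `<td class="name">${name}</td>`;
}

// Hardened pattern: identical template, but the name is encoded on output and
// the browser shows it literally instead of interpreting it.
function renderNameSafe(name) {
  return `<td class="name">${escapeHtml(name)}</td>`;
}

// Detection aid for input validation or for reviewing existing records: a
// product configuration name has no legitimate reason to contain a tag-like
// sequence. Returns true when one is present. A stray "<" on its own (for
// example "1 < 2 > 0") is not flagged, only something shaped like a tag.
const TAG_LIKE = /<\s*\/?\s*[a-z][^>]*>/i;
function looksLikeHtmlInjection(name) {
  return TAG_LIKE.test(String(name));
}

// Constructed sample input: the payload quoted in the post beside a benign name.
const SAMPLE_NAMES = ['<font color="red">Example</font>', "Standard Licence"];

// Walk the samples and return one record per name so the difference between
// the two renders, and the detection verdict, can be inspected or asserted on.
function demo(names = SAMPLE_NAMES) {
  return names.map((n) => ({
    input: n,
    unsafe: renderNameUnsafe(n),
    safe: renderNameSafe(n),
    flagged: looksLikeHtmlInjection(n),
  }));
}

for (const row of demo()) {
  console.log(row);
}
```

Encoding on output is the fix that closes the issue regardless of how the value entered the database; the tag-like check is a supplementary control that is useful for rejecting obviously malformed names at save time and for scanning records that were stored before the fix.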
