Aditya Chauhan
2 min readFeb 15, 2023

--

HTML Injection to Server-SideRequest Forgery(SSRF)

HTML injection to Server-Side Request Forgery (SSRF) is a dangerous vulnerability that allows an attacker to manipulate an application to make it perform unintended actions on behalf of the attacker. In this blog, we will discuss what HTML injection to SSRF is, how it works, and some best practices to prevent such attacks.

HTML Injection, also known as Cross-Site Scripting (XSS), is a type of vulnerability that allows an attacker to inject malicious code into a web application. This can lead to a variety of attacks, including session hijacking, phishing, and more. Server-Side Request Forgery (SSRF) is a type of vulnerability that allows an attacker to make a web application send unauthorized requests to other web applications or internal systems.

HTML injection to SSRF occurs when an attacker is able to inject HTML code that triggers a SSRF vulnerability. The following is an example of how an attacker can exploit this vulnerability.

Suppose an application has a vulnerable PHP code that includes a user-controlled parameter in an HTTP request to an external server. The code looks something like this

<?php
$url = $_GET['url'];
$request = "GET $url HTTP/1.1\r\n" .
"Host: example.com\r\n" .
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n" .
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" .
"Connection: close\r\n\r\n";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket === false) {
die("Error: socket_create() failed: " . socket_strerror(socket_last_error()) . "\n");
}
$connect = socket_connect($socket, 'example.com', 80);
if ($connect === false) {
die("Error: socket_connect() failed: " . socket_strerror(socket_last_error()) . "\n");
}
socket_write($socket, $request, strlen($request));
$response = socket_read($socket, 2048);
echo $response;
?>

In this code, the user-controlled parameter $url is used in an HTTP request to the external server example.com. The attacker can exploit this vulnerability by injecting HTML code that tricks the application into sending unauthorized requests. Here's an example of a malicious URL:

http://example.com/index.php?url=http://localhost/%0d%0aGET%20/ssrf-request%20HTTP/1.1%0d%0aHost:%20example.com%0d%0a%0d%0a

In this example, the attacker is injecting the %0d%0a character sequence, which represents a newline in HTTP requests. The attacker is also adding a GET /ssrf-request HTTP/1.1 line to the request. This line tricks the application into sending a request to the /ssrf-request URL on the local server, which can lead to a SSRF vulnerability.

To prevent HTML injection to SSRF, developers should ensure that user-controlled parameters are properly validated and sanitized. Applications should also restrict the use of user-controlled parameters in HTTP requests and avoid using them as URLs for external resources. Regularly reviewing and auditing application code can help detect and prevent such vulnerabilities.

In conclusion, HTML injection to SSRF is a serious vulnerability that can allow an attacker to perform unauthorized actions on a web application. It is important for developers to be aware of this vulnerability and take appropriate measures to prevent it. Regularly auditing and reviewing application code can help detect and prevent such vulnerabilities.

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher