Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stealing Passwords via HTML Injection Under a Strict CSP - 2038

afine (posted 12 days ago)
  • HTML injection is sometimes impossible to exploit because of CSP configurations. The author details a strategy for exfiltrating credentials via HTML injection when scripts can't run.
  • The Referer header contains the URL of the page the request came from, including its parameters: the origin (scheme, domain and port), the path and the query string. By default the browser falls back to strict-origin-when-cross-origin; under that policy, same-origin requests get a Referer with all of that data, but everything else only gets the origin. This can be configured via the Referrer-Policy header, but most sites do not do this.
  • The author looked into what happens when no Referrer-Policy is set for images, scripts, iframes, anchor tags and forms. On Safari, the anchor tag and meta redirect send an incorrect Referer header. On Chrome, all tags leak the Referer completely. When an application sets no-referrer in the policy, Safari and Firefox still leak the origin on some tags and leak the whole URL on anchor and meta tags; Chrome matches this on some tags but not all. From this, the anchor tag and meta redirect always leak the full URL of the page that has the HTML injection.
  • The next trick is used when you want to exfiltrate passwords. It is well known that Chrome will autofill passwords into a form on a website for you; with HTML injection, all it takes is a single click from the user to send the credentials. With a strict CSP this is not always the case, though: the request may be rejected.
  • To get around this check, a few tricks are combined. First, set the referrer policy to unsafe-url via a meta tag in the HTML injection to allow the Referer to leak. Second, make the form a GET request; by default the browser puts the filled-out fields into the query parameters. By combining the injected meta referrer and a redirect, the credentials are sent in a top-level navigation to the attacker's site. Pretty neat!
  • This is a good post on how to get impact with HTML injection even when the CSP is solid. Great write-up on browser functionality and the exploitation of HTML injection!
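The second bullet above turns on exactly what a browser puts in the Referer header under each Referrer-Policy value. The following is an added example written for this page, not code from the afine post, that models the policy decision table so you can check which of your own URLs (and the query strings in them) would reach a cross-origin destination. The sample URLs are constructed; the `referer_for` and `query_leaks_cross_origin` helpers are hypothetical names and the trustworthy-origin check is a simplification of the real browser rule (HTTPS, WSS and loopback only).

```python
from urllib.parse import urlsplit, urlunsplit

# Default policy every current browser applies when a site sets nothing.
DEFAULT_POLICY = "strict-origin-when-cross-origin"

# Simplified "potentially trustworthy origin" check (assumption: HTTPS, WSS, loopback).
_LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
_DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _is_trustworthy(url: str) -> bool:
    p = urlsplit(url)
    return p.scheme in ("https", "wss") or (p.hostname or "") in _LOCAL_HOSTS


def _origin(url: str) -> str:
    """Serialize the origin: scheme://host[:port]/ with default ports omitted."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None and p.port != _DEFAULT_PORTS.get(p.scheme):
        host += f":{p.port}"
    return f"{p.scheme}://{host}/"


def _strip_for_referrer(url: str) -> str:
    """Browsers drop credentials and the fragment, but keep path and query."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None and p.port != _DEFAULT_PORTS.get(p.scheme):
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(policy, source: str, destination: str):
    """Return the Referer value sent from `source` to `destination`, or None."""
    policy = (policy or "").strip().lower() or DEFAULT_POLICY
    same_origin = _origin(source) == _origin(destination)
    # "Downgrade" = leaving a trustworthy (HTTPS) page for an untrustworthy one.
    downgrade = _is_trustworthy(source) and not _is_trustworthy(destination)
    full, origin = _strip_for_referrer(source), _origin(source)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full                      # what the injected meta tag switches on
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy: {policy!r}")


def query_leaks_cross_origin(policy, source: str, destination: str) -> bool:
    """True if the source page's query string would reach a different origin."""
    if _origin(source) == _origin(destination) or not urlsplit(source).query:
        return False
    sent = referer_for(policy, source, destination)
    return bool(sent) and urlsplit(sent).query != ""


if __name__ == "__main__":
    # Constructed sample: a reset page whose URL carries a token, loading a third-party asset.
    page = "https://app.example/reset?token=abc123#top"
    third_party = "https://cdn.third.example/logo.png"
    for pol in (None, "no-referrer", "same-origin", "strict-origin", "unsafe-url"):
        print(f"{pol or DEFAULT_POLICY:32} -> {referer_for(pol, page, third_party)}")
```

Run it and the default row shows only `https://app.example/` reaching the third party, while the `unsafe-url` row shows the full URL with the token; that contrast is the whole mechanism the post relies on, and `query_leaks_cross_origin` is the check to run over the policy your own responses actually set.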