BA
Uploaded byBoston Institute of Analytics
PPTX, PDF200 views

Uncovering HTML Injection Vulnerabilities in Web Applications: A Comprehensive Analysis

This document presents a project report on HTML injection vulnerabilities in web applications, specifically targeting the Manage Engine website. The report outlines the research methodology, findings on potential impacts of such vulnerabilities, and detailed recommendations for mitigation including input validation and content security policies. A proof of concept demonstrates how an HTML injection can be exploited, highlighting the importance of proper security measures to prevent these vulnerabilities.

Download to read offline
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Project Report on Uncovering HTML Injection Vulnerabilities in Web Applications
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Agenda • Research • Data Collection • Impact Analysis • Recommendation • Abstract • Tools • Proof of Concept (PoC) • References
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Research • Website Details: • Name: Manage Engine • URL: https://manageengine.com • Category/Type: Computer-and-Internet-Info • Overall Ranking/Usage/Popularity: Low-Risk
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Data Collection: • Technology Stack: • Frontend: HTML, CSS, JavaScript • Backend: PHP • Database: MySQL • Web Server: Apache
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Impact Analysis: • HTML Injection vulnerabilities can have significant impacts, including: • Defacement: Attackers can modify the appearance of the website. • Phishing: Injected HTML can create fake login forms to steal user credentials. • Malicious Redirection: Users can be redirected to malicious sites. • Cookie Theft: JavaScript injection can steal cookies, leading to session hijacking.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Recommendation : To mitigate HTML Injection vulnerabilities, the following security measures should be implemented: • Input Validation: Validate and sanitize all user inputs on the server-side to ensure they do not contain any HTML tags or scripts. • Output Encoding: Encode data before displaying it on the web page to prevent the browser from interpreting it as HTML or JavaScript. • Content Security Policy (CSP): Implement a CSP to restrict the sources from which scripts and other resources can be loaded. • Regular Security Audits: Perform regular security audits and vulnerability assessments to identify and fix potential security issues. • Use Security Libraries: Utilize security libraries and frameworks that offer built-in protection against common web vulnerabilities.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Abstract: • The goal of this report is to identify and demonstrate the presence of an HTML Injection vulnerability on a specific website. HTML Injection occurs when an attacker can inject arbitrary HTML code into a web page due to improper input validation. This report includes a detailed analysis of the vulnerability, its impact, and recommendations for mitigating such security issues. Additionally, a Proof of Concept (PoC) is provided to demonstrate the exploit.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Tools: • Browser: Has used for manual testing • Burp Suite: has used for intercepting and modifying requests • Temp-mail: has used for generating temporary mails.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Proof of Concept (PoC): Capture Packets with BurpSuite:  open BurpSuite and set up the proxy.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses.  Configure the browser to use BurpSuite’s proxy.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Navigate to the vulnerable website https://www.manageengine.com.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Go to support in that request a demo.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Now start the burp proxy to capture the http request from the website.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Turn on the intercept on the burp suite.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Get the temporary mail from https://temp-mail.org.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Fill all the required information in the given form and click on submit.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Go to the burp suite and search for the username in the captured request.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Copy this html line of code and paste it into the http request in burp suite.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Paste it in between the <h1></h1> in the username and replace “test.com” to “evil.com” send the request.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Turn off the interception in the burp suite.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Turn off the burp proxy.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Reload the vulnerable website page.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Go to the temp mail website and search for the inbox mail.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Open the mail which we received from vulnerable website.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Click on the given link address in the mail.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • And it redirected to the “evil.com”.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. References: OWASP HTML Injection HTML Injection Example
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Conclusion • The project successfully identified an HTML Injection vulnerability on the target website. The provided PoC demonstrates the exploit, and appropriate recommendations have been made to mitigate such vulnerabilities in the future. Proper input validation, output encoding, and security policies are crucial in protecting against HTML Injection attacks.
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Questions ?
CONFIDENTIAL: The information in this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Thank You!

More Related Content

PPTX
Exploiting HTML Injection: A Comprehensive Proof of Concept
byBoston Institute of Analytics
 
PDF
Python-Based Web Vulnerability Detection: Enhancing Cybersecurity with Automa...
byBoston Institute of Analytics
 
PPTX
Government Cybersecurity Standards: Building a Secure Digital Landscape
byBoston Institute of Analytics
 
PPTX
Ethical Hacking Techniques for Web Application Security
byBoston Institute of Analytics
 
PDF
Getting Inside Common Web Security Threats
byAndy Longshaw
 
PPTX
Designing a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
PPTX
Building a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
PPTX
Secure Your Web Applications with Solve Labs
byBoston Institute of Analytics
 
Exploiting HTML Injection: A Comprehensive Proof of Concept
byBoston Institute of Analytics
 
Python-Based Web Vulnerability Detection: Enhancing Cybersecurity with Automa...
byBoston Institute of Analytics
 
Government Cybersecurity Standards: Building a Secure Digital Landscape
byBoston Institute of Analytics
 
Ethical Hacking Techniques for Web Application Security
byBoston Institute of Analytics
 
Getting Inside Common Web Security Threats
byAndy Longshaw
 
Designing a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
Building a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
Secure Your Web Applications with Solve Labs
byBoston Institute of Analytics
 

Similar to Uncovering HTML Injection Vulnerabilities in Web Applications: A Comprehensive Analysis

PPTX
Analysis of Vulnerabilities in E-Commerce Websites: A Detailed Report
byBoston Institute of Analytics
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
PPTX
Building a Simple Python-Based Website Vulnerability Scanner
byBoston Institute of Analytics
 
PPTX
Developing a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
PPTX
Mitigating Parameter Tampering: Practical Insights and Solutions
byBoston Institute of Analytics
 
PDF
Burp suite
byYashar Shahinzadeh
 
PPTX
Solving Labs for Vulnerabilities: Login Bypass & SQL Injection Exploits
byBoston Institute of Analytics
 
PDF
Active Https Cookie Stealing
bySecurityTube.Net
 
PPTX
Session Hijacking: Understanding and Preventing Online Attacks
byBoston Institute of Analytics
 
DOCX
15.3 student guide web application tool time overviewtodays c
byUMAR48665
 
DOCX
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byMatthewTennant613
 
DOCX
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byAnastaciaShadelb
 
PDF
Web Security 101
byBrent Shaffer
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PDF
Web Security - Introduction
bySQALab
 
PDF
Ch 13: Attacking Users: Other Techniques (Part 2)
bySam Bowne
 
PPTX
Hacking_Environment_Web_Application_updated.pptx
byshibabrataghosh1
 
PPTX
Burp Suite With CSRF Demo presentarion.pptx
bybeboorabi7
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
PPT
Application Security
bynirola
 
Analysis of Vulnerabilities in E-Commerce Websites: A Detailed Report
byBoston Institute of Analytics
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
Building a Simple Python-Based Website Vulnerability Scanner
byBoston Institute of Analytics
 
Developing a Simple Python Tool for Website Vulnerability Scanning
byBoston Institute of Analytics
 
Mitigating Parameter Tampering: Practical Insights and Solutions
byBoston Institute of Analytics
 
Burp suite
byYashar Shahinzadeh
 
Solving Labs for Vulnerabilities: Login Bypass & SQL Injection Exploits
byBoston Institute of Analytics
 
Active Https Cookie Stealing
bySecurityTube.Net
 
Session Hijacking: Understanding and Preventing Online Attacks
byBoston Institute of Analytics
 
15.3 student guide web application tool time overviewtodays c
byUMAR48665
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byMatthewTennant613
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byAnastaciaShadelb
 
Web Security 101
byBrent Shaffer
 
Web Security - Introduction v.1.3
byOles Seheda
 
Web Security - Introduction
bySQALab
 
Ch 13: Attacking Users: Other Techniques (Part 2)
bySam Bowne
 
Hacking_Environment_Web_Application_updated.pptx
byshibabrataghosh1
 
Burp Suite With CSRF Demo presentarion.pptx
bybeboorabi7
 
Security Testing Training With Examples
byAlwin Thayyil
 
Application Security
bynirola
 

More from Boston Institute of Analytics

PPTX
"Predicting Employee Retention: A Data-Driven Approach to Enhancing Workforce...
byBoston Institute of Analytics
 
PPTX
"Ecommerce Customer Segmentation & Prediction: Enhancing Business Strategies ...
byBoston Institute of Analytics
 
PPTX
Music Recommendation System: A Data Science Project for Personalized Listenin...
byBoston Institute of Analytics
 
PPTX
Mental Wellness Analyzer: Leveraging Data for Better Mental Health Insights -...
byBoston Institute of Analytics
 
PPTX
Suddala-Scan: Enhancing Website Analysis with AI for Capstone Project at Bost...
byBoston Institute of Analytics
 
PPTX
Fraud Detection in Cybersecurity: Advanced Techniques for Safeguarding Digita...
byBoston Institute of Analytics
 
PPTX
Enhancing Brand Presence Through Social Media Marketing: A Strategic Approach...
byBoston Institute of Analytics
 
PPTX
Employee Retention Prediction: Leveraging Data for Workforce Stability
byBoston Institute of Analytics
 
PPTX
Predicting Movie Success: Unveiling Box Office Potential with Data Analytics
byBoston Institute of Analytics
 
PPTX
Financial Fraud Detection: Identifying and Preventing Financial Fraud
byBoston Institute of Analytics
 
PPTX
Smart Driver Alert: Predictive Fatigue Detection Technology
byBoston Institute of Analytics
 
PPTX
Smart Driver Alert: Predictive Fatigue Detection Technology
byBoston Institute of Analytics
 
PPTX
E-Commerce Customer Segmentation and Prediction: Unlocking Insights for Smart...
byBoston Institute of Analytics
 
PPTX
Predictive Maintenance: Revolutionizing Vehicle Care with Demographic and Sen...
byBoston Institute of Analytics
 
PPTX
Smart Driver Alert: Revolutionizing Road Safety with Predictive Fatigue Detec...
byBoston Institute of Analytics
 
PDF
Water Potability Prediction: Ensuring Safe and Clean Water
byBoston Institute of Analytics
 
PDF
Developing a Training Program for Employee Skill Enhancement
byBoston Institute of Analytics
 
PPTX
Website Scanning: Uncovering Vulnerabilities and Ensuring Cybersecurity
byBoston Institute of Analytics
 
PPTX
Analyzing Open Ports on Websites: Functions, Benefits, Threats, and Detailed ...
byBoston Institute of Analytics
 
PPTX
Cybersecurity and Ethical Hacking: Capstone Project
byBoston Institute of Analytics
 
"Predicting Employee Retention: A Data-Driven Approach to Enhancing Workforce...
byBoston Institute of Analytics
 
"Ecommerce Customer Segmentation & Prediction: Enhancing Business Strategies ...
byBoston Institute of Analytics
 
Music Recommendation System: A Data Science Project for Personalized Listenin...
byBoston Institute of Analytics
 
Mental Wellness Analyzer: Leveraging Data for Better Mental Health Insights -...
byBoston Institute of Analytics
 
Suddala-Scan: Enhancing Website Analysis with AI for Capstone Project at Bost...
byBoston Institute of Analytics
 
Fraud Detection in Cybersecurity: Advanced Techniques for Safeguarding Digita...
byBoston Institute of Analytics
 
Enhancing Brand Presence Through Social Media Marketing: A Strategic Approach...
byBoston Institute of Analytics
 
Employee Retention Prediction: Leveraging Data for Workforce Stability
byBoston Institute of Analytics
 
Predicting Movie Success: Unveiling Box Office Potential with Data Analytics
byBoston Institute of Analytics
 
Financial Fraud Detection: Identifying and Preventing Financial Fraud
byBoston Institute of Analytics
 
Smart Driver Alert: Predictive Fatigue Detection Technology
byBoston Institute of Analytics
 
Smart Driver Alert: Predictive Fatigue Detection Technology
byBoston Institute of Analytics
 
E-Commerce Customer Segmentation and Prediction: Unlocking Insights for Smart...
byBoston Institute of Analytics
 
Predictive Maintenance: Revolutionizing Vehicle Care with Demographic and Sen...
byBoston Institute of Analytics
 
Smart Driver Alert: Revolutionizing Road Safety with Predictive Fatigue Detec...
byBoston Institute of Analytics
 
Water Potability Prediction: Ensuring Safe and Clean Water
byBoston Institute of Analytics
 
Developing a Training Program for Employee Skill Enhancement
byBoston Institute of Analytics
 
Website Scanning: Uncovering Vulnerabilities and Ensuring Cybersecurity
byBoston Institute of Analytics
 
Analyzing Open Ports on Websites: Functions, Benefits, Threats, and Detailed ...
byBoston Institute of Analytics
 
Cybersecurity and Ethical Hacking: Capstone Project
byBoston Institute of Analytics
 

Recently uploaded

PPTX
Addition_and_Subtraction_of_Radicals_Worksheet.pptx
byKennMyreenRosas
 
PPTX
How to Create Automatic Transfers in Odoo Accounting
byCeline George
 
PDF
'25 BC Powering Pathways– Career Connections and National Bonner Alumni Advis...
byBonner Foundation
 
PPTX
Historical Development and Evolution of Indian Knowledge system
byBanaras Hindu University
 
PDF
2025 Bonner Congress Strategy Session– Student Leadership Bonner and Beyond.pdf
byBonner Foundation
 
PDF
Transformation Framework for Transitioning Traditional Universities to Online...
byLeonel Morgado
 
PDF
On the Wrong Side of the Tracks: How Japan Mapped Modernism.pdf
byyalehistoricalreview
 
PDF
World Sight day 2025/Love your eyes/.pdf
byanmols3059
 
PDF
New Frontier-Cultivating Discipleship in an AI-Driven World.pdf
bySr Nancy Usselmann
 
PPTX
QUARTER TWO MATATAG CURRICULUM PE AND HEALTH
byhitpreeman122
 
PPTX
The law of Triads pptx(Science 8 week 5)
byAnnabelAlarcon
 
PPTX
Common problems or challenges faced by Indian adolescents
byDr. Harpal Kaur
 
PDF
Slit lamp parts 1/ppt/pdf/notes/save.pdf
byanmols3059
 
PPTX
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
PPTX
unit-2 PATIENT CARE UNIT. pptx
byAneetaSharma15
 
PPTX
How to Manage Vehicle Model in Odoo 18 Fleet
byCeline George
 
PDF
जनपद स्तरीय नवाचार महोत्सव : आयोजकः जिला शिक्षा एवं प्रशिक्षण संस्थान, बाँदा
byCOLOURIMPRESSION
 
PDF
Slit lamp parts 2/ppt/notes/download.pdf
byanmols3059
 
PPTX
UNIT -1 INTRODUCTION OF PSYCHOLOGY IN GNM.pptx
byPoojaSen20
 
PDF
LDMMIA Reiki Yoga 20th Workshop Study Lounge
byVirtual LDMMia
 
Addition_and_Subtraction_of_Radicals_Worksheet.pptx
byKennMyreenRosas
 
How to Create Automatic Transfers in Odoo Accounting
byCeline George
 
'25 BC Powering Pathways– Career Connections and National Bonner Alumni Advis...
byBonner Foundation
 
Historical Development and Evolution of Indian Knowledge system
byBanaras Hindu University
 
2025 Bonner Congress Strategy Session– Student Leadership Bonner and Beyond.pdf
byBonner Foundation
 
Transformation Framework for Transitioning Traditional Universities to Online...
byLeonel Morgado
 
On the Wrong Side of the Tracks: How Japan Mapped Modernism.pdf
byyalehistoricalreview
 
World Sight day 2025/Love your eyes/.pdf
byanmols3059
 
New Frontier-Cultivating Discipleship in an AI-Driven World.pdf
bySr Nancy Usselmann
 
QUARTER TWO MATATAG CURRICULUM PE AND HEALTH
byhitpreeman122
 
The law of Triads pptx(Science 8 week 5)
byAnnabelAlarcon
 
Common problems or challenges faced by Indian adolescents
byDr. Harpal Kaur
 
Slit lamp parts 1/ppt/pdf/notes/save.pdf
byanmols3059
 
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
unit-2 PATIENT CARE UNIT. pptx
byAneetaSharma15
 
How to Manage Vehicle Model in Odoo 18 Fleet
byCeline George
 
जनपद स्तरीय नवाचार महोत्सव : आयोजकः जिला शिक्षा एवं प्रशिक्षण संस्थान, बाँदा
byCOLOURIMPRESSION
 
Slit lamp parts 2/ppt/notes/download.pdf
byanmols3059
 
UNIT -1 INTRODUCTION OF PSYCHOLOGY IN GNM.pptx
byPoojaSen20
 
LDMMIA Reiki Yoga 20th Workshop Study Lounge
byVirtual LDMMia
 

Uncovering HTML Injection Vulnerabilities in Web Applications: A Comprehensive Analysis

  • 1.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Project Report on Uncovering HTML Injection Vulnerabilities in Web Applications
  • 2.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Agenda • Research • Data Collection • Impact Analysis • Recommendation • Abstract • Tools • Proof of Concept (PoC) • References
  • 3.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Research • Website Details: • Name: Manage Engine • URL: https://manageengine.com • Category/Type: Computer-and-Internet-Info • Overall Ranking/Usage/Popularity: Low-Risk
  • 4.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Data Collection: • Technology Stack: • Frontend: HTML, CSS, JavaScript • Backend: PHP • Database: MySQL • Web Server: Apache
  • 5.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Impact Analysis: • HTML Injection vulnerabilities can have significant impacts, including: • Defacement: Attackers can modify the appearance of the website. • Phishing: Injected HTML can create fake login forms to steal user credentials. • Malicious Redirection: Users can be redirected to malicious sites. • Cookie Theft: JavaScript injection can steal cookies, leading to session hijacking.
  • 6.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Recommendation : To mitigate HTML Injection vulnerabilities, the following security measures should be implemented: • Input Validation: Validate and sanitize all user inputs on the server-side to ensure they do not contain any HTML tags or scripts. • Output Encoding: Encode data before displaying it on the web page to prevent the browser from interpreting it as HTML or JavaScript. • Content Security Policy (CSP): Implement a CSP to restrict the sources from which scripts and other resources can be loaded. • Regular Security Audits: Perform regular security audits and vulnerability assessments to identify and fix potential security issues. • Use Security Libraries: Utilize security libraries and frameworks that offer built-in protection against common web vulnerabilities.
  • 7.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Abstract: • The goal of this report is to identify and demonstrate the presence of an HTML Injection vulnerability on a specific website. HTML Injection occurs when an attacker can inject arbitrary HTML code into a web page due to improper input validation. This report includes a detailed analysis of the vulnerability, its impact, and recommendations for mitigating such security issues. Additionally, a Proof of Concept (PoC) is provided to demonstrate the exploit.
  • 8.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Tools: • Browser: Has used for manual testing • Burp Suite: has used for intercepting and modifying requests • Temp-mail: has used for generating temporary mails.
  • 9.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Proof of Concept (PoC): Capture Packets with BurpSuite:  open BurpSuite and set up the proxy.
  • 10.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses.  Configure the browser to use BurpSuite’s proxy.
  • 11.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
  • 12.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Navigate to the vulnerable website https://www.manageengine.com.
  • 13.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Go to support in that request a demo.
  • 14.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Now start the burp proxy to capture the http request from the website.
  • 15.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Turn on the intercept on the burp suite.
  • 16.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Get the temporary mail from https://temp-mail.org.
  • 17.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Fill all the required information in the given form and click on submit.
  • 18.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Go to the burp suite and search for the username in the captured request.
  • 19.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Copy this html line of code and paste it into the http request in burp suite.
  • 20.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Paste it in between the <h1></h1> in the username and replace “test.com” to “evil.com” send the request.
  • 21.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Turn off the interception in the burp suite.
  • 22.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Turn off the burp proxy.
  • 23.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Reload the vulnerable website page.
  • 24.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Go to the temp mail website and search for the inbox mail.
  • 25.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Open the mail which we received from vulnerable website.
  • 26.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses.
  • 27.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • Click on the given link address in the mail.
  • 28.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. • And it redirected to the “evil.com”.
  • 29.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. References: OWASP HTML Injection HTML Injection Example
  • 30.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Conclusion • The project successfully identified an HTML Injection vulnerability on the target website. The provided PoC demonstrates the exploit, and appropriate recommendations have been made to mitigate such vulnerabilities in the future. Proper input validation, output encoding, and security policies are crucial in protecting against HTML Injection attacks.
  • 31.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Questions ?
  • 32.
    CONFIDENTIAL: The informationin this document belongs to Boston Institute of Analytics LLC. Any unauthorized sharing of this material is prohibited and subject to legal action under breach of IP and confidentiality clauses. Thank You!