HTML Injection
Hello guys,
A site that I made for a client has gone through an Acunetix security test, and it has sent back an alert which you can find below.
——- beginning of alert ——-
URL: /wp-admin/admin-ajax.php
Alert group: HTML Injection
Severity: Medium
Description: HTML Injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.
Attack scenario (OWASP): A possible attack scenario is demonstrated below:
- Attacker discovers injection vulnerability and decides to use an HTML injection attack
- Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
- The user visits the page due to the page being located within a trusted domain
- The attacker's injected HTML is rendered and presented to the user asking for a username and password
- The user enters a username and password, which are both sent to the attacker's server
Recommendations: Your script should filter metacharacters from user input.
Alert variants: 13
Details: URL encoded POST input vars was set to
mdf%5Bfilter_post_blocks%5D%5B%5D=4198&mdf%5Bfilter_post_blocks_toggles%5D%5B%5D=0&mdf%5Bmedafi_60db388190310%5D=the&mdf%5Bfilter_post_blocks%5D%5B%5D=4199&mdf%5Bfilter_post_blocks_toggles%5D%5B%5D=0&mdf%5Btaxonomy%5D%5Bselect%5D%5Bcategories%5D=&mdf%5Btaxonomy%5D%5Bselect%5D%5Bcategories%5D%5B%5D=-1&mdf%5Btaxonomy%5D%5Bselect%5D%5Bpublisher%5D=&mdf%5Btaxonomy%5D%5Bselect%5D%5Bpublisher%5D%5B%5D=-1&mdf%5Bfilter_post_blocks%5D%5B%5D=4197&mdf%5Bfilter_post_blocks_toggles%5D%5B%5D=0&mdf%5Bmedafi_60db384b4054d%5D%5Bfrom%5D=1604271599&mdf%5Bmedafi_60db384b4054d%5D%5Bto%5D=1622584799&meta_data_filter_bool=AND&mdf_tax_bool=AND&mdf%5Bmdf_widget_options%5D%5Bslug%5D=documents&mdf%5Bmdf_widget_options%5D%5Bmeta_data_filter_cat%5D=15&mdf%5Bmdf_widget_options%5D%5Bshow_items_count_dynam%5D=&mdf%5Bmdf_widget_options%5D%5Btaxonomies_options_post_recount_dyn%5D=1&mdf%5Bmdf_widget_options%5D%5Btaxonomies_options_hide_terms_0%5D=0&mdf%5Bmdf_widget_options%5D%5Bhide_meta_filter_values%5D=0&mdf%5Bmdf_widget_options%5D%5Bhide_tax_filter_values%5D=0&mdf%5Bmdf_widget_options%5D%5Bsearch_result_page%5D=self&mdf%5Bmdf_widget_options%5D%5Bsearch_result_tpl%5D=self&mdf%5Bmdf_widget_options%5D%5Bwoo_search_panel_id%5D=0&mdf%5Bmdf_widget_options%5D%5Badditional_taxonomies%5D=&mdf%5Bmdf_widget_options%5D%5Breset_link%5D=self&meta_data_filter_cat=15<atXR9wL x=9578>
——- end of alert ——-
I cannot offer access to the website because the client doesn't want to publish it before removing these alerts.
Please let me know if there is anything I can do about this.
Thank you for your time.
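The scanner's recommendation ("filter metacharacters from user input") is illustrated below with an added example that is not the poster's code nor the code of whatever plugin handles these requests on the site. The nested mdf[...] parameter names and the injected value `15<atXR9wL x=9578>` come from the alert; the handler, the list of integer-typed keys and the stand-alone fallbacks for the WordPress helpers are assumptions for illustration.

```php
<?php
// Added example (hypothetical handler for the admin-ajax.php request from the alert).
// Fallbacks let this file run outside WordPress; inside WordPress the real
// absint()/sanitize_text_field()/esc_html() are used and these are skipped.
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($v) { return trim(strip_tags((string) $v)); }
}
if (!function_exists('esc_html')) {
    function esc_html($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); }
}

// Recursively sanitise the nested mdf[...] request array by expected type.
// Keys listed in $int_keys hold IDs or flags and are forced to integers;
// everything else is reduced to plain text. Array keys are sanitised too,
// since PHP builds them from the attacker-controlled query string.
function mdf_sanitize_request(array $input, array $int_keys, $parent = '') {
    $clean = [];
    foreach ($input as $key => $value) {
        $key = sanitize_text_field($key);
        if (is_array($value)) {
            $clean[$key] = mdf_sanitize_request($value, $int_keys, $key);
        } elseif (in_array($key, $int_keys, true) || in_array($parent, $int_keys, true)) {
            $clean[$key] = absint($value);          // "15<atXR9wL x=9578>" becomes 15
        } else {
            $clean[$key] = sanitize_text_field($value);
        }
    }
    return $clean;
}

// Constructed request standing in for $_POST, mirroring the alert variant
// (only the fields relevant to the finding are reproduced).
$request = [
    'mdf' => [
        'filter_post_blocks' => ['4198', '4199', '4197'],
        'mdf_widget_options' => ['slug' => 'documents', 'meta_data_filter_cat' => '15'],
    ],
    'meta_data_filter_cat' => '15<atXR9wL x=9578>',
];
$int_keys = ['filter_post_blocks', 'filter_post_blocks_toggles',
             'meta_data_filter_cat', 'woo_search_panel_id'];

$clean = mdf_sanitize_request($request, $int_keys);
// Input filtering narrows the values; escaping at the point of output is what
// actually prevents injected markup from being rendered if a value is reflected.
echo 'Filtered category: ' . esc_html($clean['meta_data_filter_cat']), "\n";   // 15
echo 'Widget slug: ' . esc_html($clean['mdf']['mdf_widget_options']['slug']), "\n";
```

Inside a real WordPress handler the same two steps apply: cast or sanitize each parameter on the way in, and wrap every reflected value in esc_html() or esc_attr() on the way out.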
- The topic ‘HTML Injection’ is closed to new replies.