- Status: Closed
- Assigned To: cbay - Private
- Opened by Cypher - 05.02.2024
- Last edited by cbay - 06.02.2024
FS#27 - Text Injection
Description:
Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.
Impact:
An attacker can use a text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typically to trick victims, although sometimes the actual purpose may be to simply misrepresent the organization or an individual.
Steps to Reproduce:
1: Navigate to the given URL: https://admin.alwaysdata.com/
2: At the end of the URL enter /hacker
3: Now on the page you will see "hacker" reflected on the page.
PoC: https://https://drive.google.com/file/d/1gG_U7sszvkvv3Rz8CxK89EW2wp7xtxC8/view?usp=sharing
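The pattern the report describes (an error page that echoes the requested path back into its visible text), shown as an added Python example that is not code from the tracker or from alwaysdata. The handler names and the sample path are constructed for illustration; the check compares what a browser would display, so it also shows why HTML-escaping alone does not remove the spoofed text.

```python
import html

# Constructed sample path (not from the report): plain text an attacker might
# want a victim to read on the trusted domain's error page.
SAMPLE_PATH = "/please-call-0800-000000-to-reset-your-password"


def not_found_reflecting(path: str) -> str:
    """Vulnerable pattern: the unknown path is copied into the visible message."""
    return f"<h1>Not found</h1><p>The page {path} does not exist.</p>"


def not_found_escaped(path: str) -> str:
    """Escaping blocks markup/script injection, but the attacker's text is
    still rendered verbatim, so the content spoofing remains."""
    return f"<h1>Not found</h1><p>The page {html.escape(path)} does not exist.</p>"


def not_found_fixed(path: str) -> str:
    """Hardened: a fixed message. The requested path belongs in the server
    log for investigation, not in the page body shown to the user."""
    return "<h1>Not found</h1><p>The requested page does not exist.</p>"


def reflects_untrusted_text(render, path: str) -> bool:
    """Does the text a browser would display contain the supplied path?
    html.unescape() models what the user sees after the browser decodes
    entities, so escaped output is judged by its visible text."""
    return path in html.unescape(render(path))


if __name__ == "__main__":
    for handler in (not_found_reflecting, not_found_escaped, not_found_fixed):
        print(f"{handler.__name__}: reflects={reflects_untrusted_text(handler, SAMPLE_PATH)}")
```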
Hello,
We do not believe it's a vulnerability. Even Gmail does the same.
Kind regards,
Cyril