📓
Cheat Sheets
  • Application Security Cheat Sheet
  • Android Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
      • Package Manager
    • Intent Vulnerabilities
      • Deep Linking Vulnerabilities
    • WebView Vulnerabilities
      • WebResourceResponse Vulnerabilities
      • WebSettings Vulnerabilities
  • Cloud
    • AWS
      • Amazon API Gateway
      • Amazon Cognito
      • Amazon S3
  • Container
    • Overview
      • Container Basics
      • Docker Engine
    • Escaping
      • CVE List
      • Exposed Docker Socket
      • Excessive Capabilities
      • Host Networking Driver
      • Sensitive Mounts
    • Container Analysis Tools
  • Framework
    • Spring
      • Overview
      • Mass Assignment
      • Routing Abuse
      • SpEL Injection
      • Spring Boot Actuators
      • Spring Data Redis Insecure Deserialization
      • Spring View Manipulation
    • React
      • Overview
      • Security Issues
  • Linux
    • Overview
      • Philosophy
      • File
      • File Descriptor
      • I/O Redirection
      • Process
      • Inter Process Communication
      • Shell
      • Signals
      • Socket
      • User Space vs Kernel Space
    • Bash Tips
  • iOS Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
    • Getting Started
      • IPA Patching
      • Source Code Patching
      • Testing with Objection
  • Resources
    • Lists
      • Payloads
      • Wordlists
    • Researching
      • Web Application
      • Write-ups
    • Software
      • AWS Tools
      • Azure Tools
      • Component Analysis
      • Docker Analysis
      • Dynamic Analysis
      • Fuzzing
      • GCP Tools
      • Reverse Engineering
      • Static Analysis
      • Vulnerability Scanning
    • Training
      • Secure Development
  • Web Application
    • Abusing HTTP hop-by-hop Request Headers
    • Broken Authentication
      • Two-Factor Authentication Vulnerabilities
    • Command Injection
      • Parameters Injection
    • Content Security Policy
    • Cookie Security
      • Cookie Bomb
      • Cookie Jar Overflow
      • Cookie Tossing
    • CORS Misconfiguration
    • File Upload Vulnerabilities
    • GraphQL Vulnerabilities
    • HTML Injection
      • base
      • iframe
      • meta
      • target attribute
    • HTTP Header Security
    • HTTP Request Smuggling
    • Improper Rate Limits
    • JavaScript Prototype Pollution
    • JSON Web Token Vulnerabilities
    • OAuth 2.0 Vulnerabilities
      • OpenID Connect Vulnerabilities
    • Race Condition
    • Server Side Request Forgery
      • Post Exploitation
    • Web Cache Poisoning
Powered by GitBook
On this page
  • XSS
  • Open redirect
  • References
  1. Web Application
  2. HTML Injection

meta

PreviousiframeNexttarget attribute

Last updated 2 years ago

The tag represents metadata that cannot be represented by other HTML meta-related elements.

Some <meta> tags are informational, for example:

<meta name="name" content="content">

And some affect the page in some way, for example:

<meta http-equiv="content-security-policy" content="default-src 'none'; base-uri 'self'">

Moreover, CSP does not regulate such <meta> elements. <meta http-equiv=...> is a tag on the page that may emulate a subset of functions normally reserved for page headers. Similarly, some of these functions appear in Javascript, which is already heavily regulated by CSP. Dangerous functions that can be performed by <meta http-equiv=...> include:

  • set-cookie,

  • refresh:

    • redirect to any regular URL,

    • redirect to any data: URL.

set-cookie instruction was removed from the standard, and is no longer supported at all in Firefox 68 and Chrome 65.

XSS

We can use the <meta> tag with content = "0; data: " URI to execute arbitrary Javascript code (works only on safari), for example:

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>

Firefox and Chrome will block this:

  • Not allowed to navigate top frame to data URL (Firefox)

  • Navigation to toplevel data: URI not allowed (Chrome)

Open redirect

Using a similar payload, you can redirect the victim to an malicious page:

<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>

References

<meta>
<meta> and <iframe> tags chained to SSRF