Application Security Cheat Sheet

meta


Last updated 1 year ago

Overview

The <meta> tag represents metadata that cannot be represented by other HTML meta-related elements. Some <meta> tags are informational, like:

<meta name="name" content="content">

However, some of them affect the page in some way, like:

<meta http-equiv="content-security-policy" content="default-src 'none'; base-uri 'self'">

Content Security Policy does not regulate <meta> elements.

<meta http-equiv=...> is a tag on the page that can emulate a subset of the functions normally reserved for HTTP response headers. The dangerous functions that <meta http-equiv=...> can perform include:

  • set-cookie:

    • The set-cookie instruction was removed from the standard and is no longer supported at all in Firefox 68 and Chrome 65.

  • refresh:

    • redirect to any regular URL.

    • redirect to any data: URL.

Using the data: scheme to execute arbitrary JavaScript

A <meta http-equiv="refresh"> tag whose content attribute carries a data: URI (content="0;data:...") can be used to execute arbitrary JavaScript code, for example:

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>

It works only on Safari. Firefox and Chrome will block this:

  • Firefox does not allow navigation of the top frame to a data URL.

  • Chrome does not allow top-level navigation to a data: URI.

Open redirect

It is possible to redirect a user to an arbitrary page using the following payload:

<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>
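As an added example (not part of the original page), a server-side check that parses user-supplied HTML and reports <meta http-equiv> tags that would set a cookie or refresh to a data: URL or an off-site host. The names audit_meta and classify_target, the result labels and the allowed_hosts parameter are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# refresh content is "<delay>", an optional ";" or ",", an optional "url=", then the target
REFRESH_RE = re.compile(r"""^\s*[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?["']?(.*?)["']?\s*$""", re.I | re.S)

# Constructed sample input reusing the two payloads shown on this page.
SAMPLE = (
    '<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" http-equiv="refresh"/>'
    '<meta name="language" content="5;http://malicious-website.com" http-equiv="refresh"/>')

def classify_target(target, allowed_hosts):
    """Label where a refresh would navigate (the labels are this example's own)."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return "unparseable"               # malformed host: report rather than trust
    if parts.scheme == "data":
        return "data-url"                  # inline document that may carry script
    if parts.netloc:                       # absolute or protocol-relative URL
        return "same-site" if parts.hostname in allowed_hosts else "external-redirect"
    return "same-site" if not parts.scheme else "other-scheme"  # relative URL or bare delay

class MetaAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts, self.findings = allowed_hosts, []

    def handle_starttag(self, tag, attrs):  # also called for <meta ... />
        if tag != "meta":
            return
        a = dict(reversed(attrs))           # first duplicate attribute wins, as in browsers
        directive = (a.get("http-equiv") or "").strip().lower()
        content = a.get("content") or ""
        if directive == "set-cookie":
            self.findings.append(("set-cookie", "cookie-write", content))
        elif directive == "refresh":
            target = REFRESH_RE.match(content).group(1)
            kind = classify_target(target, self.allowed_hosts)
            if kind != "same-site":
                self.findings.append(("refresh", kind, target))

def audit_meta(html, allowed_hosts=frozenset()):
    """Return (directive, kind, value) for each risky <meta http-equiv> tag."""
    parser = MetaAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Because the parser decodes character references and lowercases attribute names, entity-encoded or mixed-case variants of the same tags are reported as well.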
