
Stealing Passwords via HTML Injection Under a Strict CSP #2313

Open

carlospolop wants to merge 1 commit into master from update_Stealing_Passwords_via_HTML_Injection_Under_a_Stri_20260602_102426

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The post explains a practical credential-theft chain where reflected HTML injection is enough to steal passwords saved in a browser password manager, even when a very strict Content-Security-Policy makes JavaScript execution impossible. The attack abuses four behaviors together: attacker-controlled HTML is reflected into a trusted origin; the browser password manager autofills an injected login form; the injected form submits credentials with the default GET m...

🔧 Technical Details

HTML injection can weaponize browser password autofill without JavaScript. If attacker-controlled HTML is reflected into a trusted origin where the victim has saved credentials, the attacker can inject a fake login form with fields such as <input type=email name=email> and <input type=password name=password>. Browser password managers may autofill those fields because the form is rendered on the legitimate site. If the form omits method, it defaults to GET, causing the autofilled password to be appended to the URL as a query parameter after submission.

Strict CSP does not eliminate HTML-only exfiltration chains. A CSP like default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; frame-src 'none'; form-action 'self' blocks scripts, images, fetch, frames, and external form submissions, but it does not necessarily stop injected forms or <meta htt...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-web/content-security-policy-csp-bypass/README.md

Added:

  • A new subsection under Form-action covering:
    • HTML-only credential theft on strict CSP pages
    • password-manager autofill into injected same-origin forms
    • default GET form submission putting credentials in the URL
    • exfiltration via injected <meta name="referrer" content="unsafe-url">
    • cross-origin leak via <meta http-equiv="Refresh">
    • optional full-page invisible submit overlay when inline CSS is allowed
    • concise testing/impact/defense notes

Also updated the file’s References section with:

  • the AFINE blog post
  • MDN Referrer-Policy docs

I kept the change in a single existing file to avoid duplication.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
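The chain above leaves two server-side traces on the trusted origin itself: the reflected payload (a `<form`, `<input` or `<meta` element inside a query value) and, after autofill, the credentials in the query string of a GET request. The following detector is an added example for this thread, not HackTricks or AFINE code: it parses combined-format access log lines, flags both traces, and redacts the password-like values before the line is stored. The log lines are constructed samples, and the parameter names in `PASSWORD_PARAMS` and the markers in `INJECTION_MARKERS` are assumptions to be adapted to the application's own field names.

```python
"""Detect HTML-injection attempts and credentials leaked into GET query
strings in web-server access logs.  Added example, not the project's code."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed: query keys that must never show up in a GET request to this origin.
PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass"}

# Assumed: tags an attacker would inject for an HTML-only credential leak.
INJECTION_MARKERS = ("<form", "<input", "<meta", "<iframe")

# Combined log format: client - - [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a benign search, then the autofilled injected form
# submitting via GET (referer is the page that reflected the <form> payload),
# then a normal POST login.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2026:10:24:26 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Jun/2026:10:24:31 +0000] "GET /search?email=victim%40example.com&password=Hunter2%21 HTTP/1.1" 200 512 "https://trusted.example/search?q=%3Cform%3E" "Mozilla/5.0"
10.0.0.9 - - [02/Jun/2026:10:25:02 +0000] "POST /login HTTP/1.1" 302 0 "https://trusted.example/login" "Mozilla/5.0"
"""


def query_pairs(url):
    """Decoded (key, value) pairs of url's query string (relative URLs allowed)."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def sensitive_keys(url):
    """Lower-cased password-like parameter names present in url's query."""
    return {k.lower() for k, _ in query_pairs(url) if k.lower() in PASSWORD_PARAMS}


def injection_markers(url):
    """Injected-HTML markers found in any decoded query value of url."""
    found = set()
    for _, value in query_pairs(url):
        low = value.lower()
        found.update(m for m in INJECTION_MARKERS if m in low)
    return found


def redact(url):
    """Return url with every password-like query value replaced by [REDACTED]."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in PASSWORD_PARAMS else v)
             for k, v in query_pairs(url)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_log(text):
    """Return a list of findings for every line that matches LOG_RE."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Trace 1: the reflected payload, in this request or in the referring page.
        for source in ("target", "referer"):
            url = m[source]
            if url == "-":
                continue
            markers = injection_markers(url)
            if markers:
                findings.append({"kind": "html_injection", "client": m["client"],
                                 "source": source, "markers": sorted(markers),
                                 "url": redact(url)})
        # Trace 2: autofilled credentials submitted by the default GET method.
        keys = sensitive_keys(m["target"])
        if m["method"] == "GET" and keys:
            findings.append({"kind": "credential_in_get", "client": m["client"],
                             "keys": sorted(keys), "target": redact(m["target"])})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

`redact` is the piece to wire into the logging path (or a request filter that rejects GET requests carrying `PASSWORD_PARAMS`), so the leaked secret never persists in the origin's own logs; `scan_log` is the retrospective check over existing logs.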

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://afine.com/blogs/stealing-passwords-via-html-injection-under-a-strict-csp

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Content Security Policy (CSP) Bypass, or Pentesting Web -> XSS / HTML Injection techniques".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
