At a Glance
In this attack video, Amichai Shulman demonstrates HTML injection vulnerabilities and attacks in the Power Platform environment. Power Platform allows citizen developers to create automation and applications independently. In general, HTML injection attacks are used in phishing scenarios, where the attacker tries to get the victim to click on a malicious link or provide sensitive information through a fake form.
Our example is based on a Power Automate flow that automates the processing of feedback form submissions. Whenever someone submits the form, the automation forwards the feedback in an email to the customer success team.
As helpful as this automation is, it opens up an entry point for attackers. What happens when an attacker, instead of submitting plain feedback text, adds HTML code that carries a malicious link?
As you can see in the demo, we submitted feedback containing HTML code, in this case a malicious link, and found that the HTML was rendered by the recipient's browser. Of course, the attacker could build a more complex phishing scenario and ask for further details. For example, a message such as “Please log in to our ticketing system by providing your credentials” could lead to a fake screen that looks like the company’s internal ticketing system.
Notice that very few email controls would stop this, because the message is not an external email. It is an internal email sent through the company’s own systems.
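The root cause in the flow above is that untrusted form text is concatenated straight into an HTML email body. The following is an added example, not code from the video or from Power Platform, written in Python because the mechanism is the same in any language: the vulnerable construction sits beside an escaped version, plus a simple check a flow could use to route tag-bearing submissions for review instead of forwarding them automatically. The sample submissions are constructed here, and `example.invalid` is a placeholder domain.

```python
import html
import re

# Constructed sample submissions (not taken from the demo). The second one
# carries an HTML anchor, the same class of input the video's feedback used.
SAMPLE_SUBMISSIONS = [
    "Great product, the export feature saved me hours.",
    'Please review my ticket: <a href="https://example.invalid/login">'
    "open ticketing system</a>",
]

# Anything that looks like an opening or closing tag.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def build_email_body_unsafe(feedback: str) -> str:
    """Mirrors the flow's mistake: the feedback is dropped into the HTML body
    verbatim, so any tags in it are rendered by the mail client."""
    return f"<p>New feedback received:</p><div>{feedback}</div>"


def build_email_body_safe(feedback: str) -> str:
    """Hardened form: HTML-escape the feedback so <, >, & and quotes are shown
    literally instead of being interpreted as markup."""
    return (
        "<p>New feedback received:</p>"
        f"<div>{html.escape(feedback, quote=True)}</div>"
    )


def contains_markup(feedback: str) -> bool:
    """Detection check: True when the submission contains anything tag-like.
    A flow can use this to send the item to a reviewer rather than forwarding
    it to the whole team."""
    return HTML_TAG.search(feedback) is not None


def process_submissions(submissions):
    """Apply both constructions to each submission so the difference is visible."""
    results = []
    for text in submissions:
        results.append(
            {
                "flagged": contains_markup(text),
                "unsafe_body": build_email_body_unsafe(text),
                "safe_body": build_email_body_safe(text),
            }
        )
    return results


if __name__ == "__main__":
    for result in process_submissions(SAMPLE_SUBMISSIONS):
        print("flagged:", result["flagged"])
        print("unsafe :", result["unsafe_body"])
        print("safe   :", result["safe_body"])
        print()
```

Escaping at the point where the text enters the email body is the fix; sending the feedback as a plain-text email instead of HTML achieves the same result. The `contains_markup` check is a detection aid, not a substitute for escaping, since a regex can miss encodings a mail client still renders.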
Please watch the video to understand the mistakes made by the citizen developer and for remediation tips.