Categories
HTML STATIC WEBSITES TUTORIALS WEB SERVER WORDPRESS

What does Hyper Text Markup Language (HTML) even mean?

HTML is the language used to develop web pages for the world wide web. But what does HTML even mean? We know that HTML stands for Hyper Text Markup Language, but what does each of these terms even signify? This post will try to discuss upon each of these words and their significance in the world of the web.

What is Hyper Text?

Hyper text refers to the ability of web pages to link with each other, within the same website or between websites on the internet.

What is a Markup Language?

HTML is a markup language. But what does markup language even mean? It means that all the building blocks that make up a HTML web page are made up of HTML elements defined by HTML markups. In other words, HTML markups are special tags used to define all the HTML elements that make up a web page. These HTML markups includes tags like <head>, <title>, <body>, <footer> etc.

Why use semantic HTML markups for your web page?

With the recent HTML 5 specification, there has been an increase in the amount of these HTML markups (or tags) defined by the specification so that there are more semantically meaningful HTML markup tags available to define a web page. These new semantically appropriate HTML markup tags help improve the readability and understanding of the sections of these web pages by machines (aka algorithms) such as search engines.

Categories
CMS HTML STATIC WEBSITES TUTORIALS WEB SERVER WORDPRESS

How HTML Anchor Tag Could Be Used To Perform DDOS Attacks

Chinese attackers have been using HTML Anchor tags to perform DDOS attacks across the world these days. This is one such instance where a seemingly benign feature addition done to the HTML technical specification has inadvertently opened a Pandora box of its misuse/abuse by hackers and attackers.

As mentioned in my introductory article to HTML Anchor Tags, Anchor tags are used to link documents present on the word wide web so that users of a web page can easily navigate to a new web page seamlessly from their web browsers.

An example of HTML code using anchor tags looks something like this:

<a href="https://muddoo.com" title="Muddoo Home">Muddoo</a>

While the above code is a standard way of using HTML anchor tags, there are also additional anchor tag attributes one can use to add new features to the anchor tag’s overall functionality. In our previous article we looked at the noopener attribute that ensures that when the respective anchor links are opened in a new window, they are opened in a separate thread all together and have no relationship to the parent web page in anyways. This ensured that Cross Site Script (XSS) attacks could not be made from child web page to the parent page.

Just like the noopener attribute, we have another attribute associated with the anchor tags that some hackers are misusing to perform DDOS attacks on other websites. This attribute is the “ping” attribute of the anchor tags!

What is HTML Ping Attribute?

Ping is a new attribute of an Anchor tag that was introduced in HTML5 specification. Ping attribute would list a set of one or more URLs that are pinged back whenever a user of a web page follows a hyperlink from that anchor tag.

The idea of introducing Ping attribute to anchor tags was to enable web administrators track clicks on that hyperlink. An example of how this attribute looks like is shown below:

<a href="https://google.com" ping="https://muddoo.com/tracker">Go to Google</a>

So in the above example, whenever a user clicks on “Go to Google” hyperlink, he will be taken to the Google home page, but at the same time, a ping POST message is sent back to the https://muddoo.com/tracker webpage for muddoo.com website to keep track of number of users going to Google through that hyperlink.

But the problem occurred when some of the Chinese hackers started using this innocuous feature to perform DDOS attacks on many websites. They simply created web page with links to standard websites such as Alibaba or Tabao, while using ping back links to their target websites. They specifically targeted people using QQBrowser (from Chinese giant Tencent) to use their web pages to reach standard websites. This resulted in millions of Ping request going back to targeted websites thus acting as a DDOS attack on these websites.

How to prevent Anchor Tag Ping attacks from your web pages?

With good understanding of how the attack is being performed, you must be wondering how you can prevent such DDOS attacks originating from your websites or getting attacked by one. But unfortunately, there are no clear solutions in place as the support for Ping requests are part of HTML 5 specifications so all browsers will be supporting it (well, more or less), so your only best possibilities will be to keep monitoring such activities on your web server and take appropriate action at the right moment.

Hope this article gave good introduction to the possible Ping DDOS attacks happening due to the presence of Ping attribute in the HTML Anchor tags. This article has been part of series of articles that I have been writing about HTML tags with this being the third article on HTML Anchor Tags.

If you would like to take a look at other two articles, you can follow these links:

Introduction To HTML Anchor Tag

What is noopener vulnerability found in anchor tags of HTML?

Until next time, happy coding! 🙂

Categories
HTML STATIC WEBSITES TUTORIALS WEB SERVER WORDPRESS

What is noopener vulnerability found in anchor tags of HTML?

HTML anchor tags are used to link to different web pages available on the internet. We also frequently use “target” attribute with the anchor tags so that the linked web page is opened in a separate new window. This is achieved by using the anchor tag like this:

<a href="https://muddoo.com" target="_blank"title="Muddoo Home">Home</a>

Note that in the above code we set the “target” value to be _blank, which would result in the linked web page (https://muddoo.com in this case) to be opened in a new window.

However, it has been found that this can leave a possible vulnerability where in the remotely linked web page can take over control of your web page.

Why does this vulnerability happen?

This vulnerability of remotely linked web page taking over your web page (that is having the anchor tag) is because of the following reasons:

  1. In normal scenario, whenever you open a new web page in your browser in a new window, the web page is running in its own separate thread.
  2. Now when we open a link present in that web page, the new linked web page gets opened in a new window due to the presence of “target” attribute of the anchor tag. However, in this scenario, the newly opened web page is also running under its parent’s thread itself instead of its own thread.
  3. As a result, the newly opened external web page has controls over its parent’s thread. There by creating a vulnerable situation!

How to overcome anchor tag’s “target” vulnerability?

We can overcome this “target” thread control vulnerability simply by introducing a new attribute to your anchor tags called the rel=”noopener” attribute.

Thus, the new fixed anchor tag would look something like this:

<a href="https://muddoo.com" target="_blank"title="Muddoo Home" rel="noopener">Home</a>

With this simple change, we can ensure that the newly opened web page runs in it’s own thread there by having no link to it’s parent thread in any way!

Hope you are now aware of this possible vulnerability and ensure you start using the rel=”noopener” attributes to all your web pages’ external links!

Happy coding! 🙂

Note: This article is continuation of my previous article Introduction To HTML Anchor Tag