HTML-Injection

HTML Injection

HTML-Injection

Content
📚 What Is HTML Injection ?
🤔 Why HTML Injection Happen ?
⚔ Impact
🔎 How To Find
📕 Referance

---

📚 What Is HTML Injection?

HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags.

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

▶ You Can Know More about HTML HERE

---

🤔 Why HTML Injection Happen?

This vulnerability occurs when user input is not correctly sanitized and the output is not encoded.

For example, malicious HTML code can be injected via the innerHTML JavaScript method usually used to render user-inserted HTML code.

If strings are not correctly sanitized, the method can enable HTML injection. A JavaScript function that can be used for this purpose is document.write().

---

⚔ Impact

1. It can allow an attacker to modify the page.

2. To steal another person’s identity.

3. The attacker discovers an injection vulnerability and decides to use an HTML injection attack.

4. The attacker crafts malicious links, including his injected HTML content, and sends it to a user via email.

5. The attacker’s injected HTML is rendered and presented to the user asking for a username and password.

6. The user enters a username and password, which are both sent to the attacker’s server.

---

🔎 How To Find

Like XSS and DOM-Based XSS check every endpoint or parameter that accepts your HTML tags or source code functions that render Html Content

---

📕 Reference

1. OWASP

2. Hacktricks

3. Vistainfosec

4. Acunetix

5. Imperva