# HTML-Injection

## HTML Injection <a href="#html-injection" id="html-injection"></a>

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FfrNplS5sodwmfdWSmMgY%2Fimage.png?alt=media&#x26;token=30f0f339-d2bd-4c55-aa17-d018db30f5e3" alt=""><figcaption><p>HTML-Injection</p></figcaption></figure>

| Content                            |
| ---------------------------------- |
| **📚 What Is HTML Injection ?**    |
| **🤔 Why HTML Injection Happen ?** |
| **⚔ Impact**                       |
| **🔎 How To Find**                 |
| **📕 Referance**                   |

***

### 📚 What Is HTML Injection? <a href="#what-is-html-injection" id="what-is-html-injection"></a>

**HTML injection** is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags.

**HTML injection** is a type of **injection vulnerability** that occurs when a user is able to control an input point and is able to inject arbitrary **HTML code** into a vulnerable web page.

▶ You Can Know More about HTML [**HERE**](https://www.w3schools.com/html/)

***

### 🤔 Why HTML Injection Happen? <a href="#why-html-injection-happen" id="why-html-injection-happen"></a>

**This vulnerability occurs** when user **input is not correctly sanitized** and the **output is not encoded.**

For example, malicious HTML code can be injected via the **`innerHTML`** JavaScript method usually used to render user-inserted HTML code.

If strings are not correctly sanitized, the method can enable HTML injection. A JavaScript function that can be used for this purpose is **`document.write()`**.

***

### ⚔ Impact <a href="#impact" id="impact"></a>

1. It can allow an attacker to **modify** the page.
2. To **steal** another person’s **identity**.
3. The attacker discovers an injection vulnerability and decides to use an HTML injection attack.
4. The attacker **crafts malicious links**, including his **injected HTML content**, and sends it to a user **via email**.
5. **The attacker’s injected HTML** is rendered and presented to the user **asking for a username and password.**
6. **The user enters a username and password**, which are both **sent to the attacker’s server**.

***

### 🔎 How To Find <a href="#how-to-find" id="how-to-find"></a>

Like XSS and DOM-Based XSS **check** every endpoint or parameter that **accepts your HTML tags** or **source code functions that render Html Content**

***

### 📕 Reference <a href="#referance" id="referance"></a>

1. [**OWASP**](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection)
2. [**Hacktricks**](https://book.hacktricks.xyz/pentesting-web/dangling-markup-html-scriptless-injection)
3. [**Vistainfosec**](https://www.vistainfosec.com/blog/comprehensive-guide-on-html-injection/)
4. [**Acunetix**](https://www.acunetix.com/vulnerabilities/web/html-injection/)
5. [**Imperva**](https://www.imperva.com/learn/application-security/html-injection/)

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xkourama.gitbook.io/blog/vulnerabilities-and-techniques/web-vulnerabilities/html-injection.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.