HTML Injection

HTML injection is an attack similar to Cross-site Scripting (XSS). Whereas an XSS vulnerability lets the attacker inject and execute JavaScript code, an HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page.

Exploitation

The web app takes a user’s first name and last name and then displays a welcome message.

Let’s supply our first name and last name as firstname: html, lastname: exploit.

We got back the text “welcome html exploit”. Since the application reflects our input back, it might be vulnerable to HTML injection if it doesn’t sanitize user input. We can inspect the page further.

We will inject an HTML button in the firstname field and an HTML link in the lastname field and see whether they are displayed on the page. Our inputs will be <button>Click</button> for the firstname field and <a href=#>Here</a> for the lastname field.

The button and the link both appeared on the page, so the application renders our input as HTML.

Mitigations

  • Filter metacharacters from user input.
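
The welcome page from the walkthrough, as an added example that is not the tested application's code: it reflects the two fields unchanged, then again with the HTML metacharacters encoded on output (one way to apply the mitigation above), and checks each result for tags the template never emits. The function names and the <p> template are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed inputs matching the values used in the walkthrough above.
FIRSTNAME = "<button>Click</button>"
LASTNAME = "<a href=#>Here</a>"


def render_welcome_vulnerable(firstname, lastname):
    """Reflects the fields into the page unchanged (the behaviour observed above)."""
    return "<p>Welcome " + firstname + " " + lastname + "</p>"


def render_welcome_escaped(firstname, lastname):
    """Encodes &, <, >, " and ' so the browser renders the input as text."""
    safe_first = html.escape(firstname, quote=True)
    safe_last = html.escape(lastname, quote=True)
    return "<p>Welcome " + safe_first + " " + safe_last + "</p>"


class TagCollector(HTMLParser):
    """Records every start tag a parser would see in the rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page, allowed=("p",)):
    """Returns tags present in the output that the template itself never emits."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    print(injected_tags(render_welcome_vulnerable(FIRSTNAME, LASTNAME)))
    print(injected_tags(render_welcome_escaped(FIRSTNAME, LASTNAME)))
    print(render_welcome_escaped(FIRSTNAME, LASTNAME))
```

The injected_tags check can double as a regression test: any tag outside the template's allow-list in a rendered response means a field reached the page unencoded.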

This post is licensed under CC BY 4.0 by the author.