Hello Guys!! Today I am going to tell you about HTML Injection, which is on OWASP's Top 10 Vulnerabilities list, right at number 1 as A1.
Sounds cool!! No?! So let's start…

So the first question that comes to your mind is: what is HTML injection, and what is it used for? Right??
Well, HTML is full of <tags> which are used to design a webpage, and sometimes developers make the mistake of mixing text and code in a bad manner. They forget to sanitize input, which means a user can insert his own markup into the page.

So HTML injection is a kind of attack that uses HTML tags to change the contents, images or other parts of a page through an injection vulnerability (weakness) in a website or web application.

It occurs when a user is able to control an input point on a website and an attacker is able to inject HTML code into the web page. As you already know, HTML is used to create a website. So when a web developer makes the mistake of not sanitizing that input, a hacker can inject his/her code into the web page. HTML Injection is also known as content spoofing or virtual defacement.

Which means you can deface a website directly by injecting some HTML code. Lol!! That sounds interesting, doesn't it?! xD

So basically, when a website is vulnerable (weak) to HTML injection, an attacker can run his/her malicious code on that website. But you might be thinking it is like SQL Injection or XSS.

So let me tell you: no, it is not like those, because unlike SQL injection, HTML injection does not dump database information. I mean, when we do SQL injection we have a conversation with the database, but in HTML injection one can only modify the web page's code using HTML tags; it doesn't interact with the database.

However, XSS (Cross-Site Scripting) and HTML Injection are quite similar to each other and have only one difference: XSS uses <script> and other JavaScript techniques to exploit the flaw, while HTML injection simply uses HTML tags to modify the page for malicious purposes. This means an attacker can upload a shell to get complete access to the server, or can deface the website using some HTML code. One can do social engineering too by exploiting HTML injection.

Types of HTML Injection

HTML Injection is categorized into four types:
1. Reflected (Get)
2. Reflected (Post)
3. Reflected (URL)
4. Stored
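As an added example (not code from the original post), here is the developer mistake described above written out in Python: a search results page that concatenates the user's query straight into the HTML, beside the same page with the value escaped at output time, plus a stored-comment variant for the Stored type in the list. The sample queries, the image URL and the function names are constructed for this demo.

```python
import html
import re

# Constructed sample inputs: a normal search and one carrying HTML tags,
# the kind of value a search box echoes back on a Reflected (GET/POST) page.
BENIGN_QUERY = "security books"
HOSTILE_QUERY = '<h1>Site under maintenance</h1><img src="https://example.invalid/banner.png">'

# Constructed stored comments, standing in for rows read back from a database.
STORED_COMMENTS = ["Nice article!", "<h2>Defaced</h2>"]


def render_results_vulnerable(query: str) -> str:
    """'Before' form: text and markup mixed by plain concatenation.
    Whatever the user typed becomes part of the page's HTML tree."""
    return "<p>You searched for: " + query + "</p>"


def render_results_safe(query: str) -> str:
    """'After' form: every HTML metacharacter in the untrusted value
    (< > & " ') is turned into an entity, so the browser shows it as text."""
    return "<p>You searched for: " + html.escape(query, quote=True) + "</p>"


def render_comments_safe(comments) -> str:
    """Stored variant: values saved earlier are just as untrusted as request
    parameters and get the same escaping when they are written into the page."""
    items = "".join("<li>" + html.escape(c, quote=True) + "</li>" for c in comments)
    return "<ul>" + items + "</ul>"


# Matches an opening or closing tag such as <h1>, </h1> or <img src="...">.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(value: str) -> bool:
    """Detection helper for input logging or alerting: does a submitted
    value carry HTML tags? Useful for spotting probing, not a substitute
    for escaping on output."""
    return TAG_RE.search(value) is not None


def count_tags(rendered: str) -> int:
    """Count the tags in a rendered page: injection grows the tag tree,
    escaping keeps it at exactly the tags the template itself emits."""
    return len(TAG_RE.findall(rendered))
```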

Hope you liked it.
Stay Tuned!! Happy Hacking!
