HTML Injection

By
Rejah Rehim
Published on
02 Jul 2018
3 min read

HTML (HyperText Markup Language) injection is closely related to cross-site scripting (XSS). The attack consists of injecting HTML tags, or text that the browser will parse as tags, into a page. It occurs when an attacker controls an input point and the application places that input into a web page or web application without treating it as untrusted.

The injection relies on HTML meta-characters such as <, >, " and &. On its own it lets the attacker modify the page content seen by the victims (end users); when the injected markup carries script or event-handler attributes it becomes XSS and can disclose a user's session cookies. HTML injection occurs because user input is not properly validated and, above all, because output is not encoded for the HTML context it is written into.

This vulnerability allows an attacker to inject malicious HTML into a page that is then delivered to end users. The browser has no way of telling attacker-supplied markup from the application's own, so it parses and renders all of it. Any script contained in that markup then runs in the page's origin and on behalf of the end user, which in turn exposes the user to many further attacks.

The attack can be carried out through any method or attribute that renders HTML content. Whenever such a method is fed untrusted input, the chance of HTML injection is high, and the same sinks are the usual entry point for XSS.

Malicious HTML can be injected through innerHTML, which is used to render user-supplied HTML. If the strings written to it are not correctly sanitised or encoded, the result is XSS via HTML injection. document.write() is another sink through which the same attack can be executed.

Example of HTML Injection

The code below uses unvalidated input to build dynamic HTML in the page context:

        // Locate "user=" in the URL and take everything after it as the user name.
        // No validation: whatever follows "user=" is used verbatim.
        var userposition=location.href.indexOf("user=");
        var user=location.href.substring(userposition+5);
        // innerHTML hands the string to the HTML parser, so any tags in it are rendered.
        // Note: location.href keeps the query percent-encoded, so the value has to be
        // decoded (or arrive decoded) before this sink for the payload below to parse as markup.
        document.getElementById("Welcome").innerHTML=" Hello, "+user;

With code like this, an attacker can use the URL below:

        https://www.example.beaglesecurity.com/page.html?user=<img%20src='aaa'%20onerror=alert(1)>

The value of the user parameter is concatenated straight into the element's HTML. Once the URL-encoded value is decoded (browsers percent-encode < and > in location.href, so the code has to decode it, or the payload has to arrive already decoded), the browser parses <img src='aaa' onerror=alert(1)>: the image at 'aaa' fails to load, the onerror handler fires, and the attacker's JavaScript runs in the HTML context of the page, in the application's origin.

Impact of HTML Injection

HTML injection is a client-side issue: by itself it gives no access to the database or the underlying operating system. Using this vulnerability, an attacker can:-

  • alter or deface the page content that victims see, for example by inserting fake notices, links or redirects.

  • disclose a user's session cookies when the injected markup executes script, and so impersonate the victim.

  • inject HTML that renders a fake login form asking for the user's username and password.

  • send the username and password entered by users to a server under the attacker's control.

How to Prevent HTML Injection

Beagle Security recommends the following fixes for HTML Injection vulnerabilities:-

  • Validate input against what the field is expected to contain (for instance, an allow-list of characters for a user name), treating validation as a second line of defence rather than the fix.

  • Encode output for the context it is written into: HTML-entity-encode data placed in element bodies and attributes so that meta-characters such as <, >, " and & are rendered literally instead of parsed.

  • In client-side code, prefer text sinks such as textContent (or setAttribute for attribute values) over innerHTML and document.write(), and read query parameters with URLSearchParams rather than slicing location.href.

  • If user-supplied HTML must be rendered, pass it through a maintained HTML sanitiser that allow-lists tags and attributes rather than a home-grown script that filters meta-characters, and deploy a Content Security Policy as a backstop against script execution.
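The following is an added example, not code from the original article. It puts the article's vulnerable welcome banner beside the hardened forms recommended above and runs all of them against a constructed attacker URL carrying the same payload as the example section. Node has no DOM, so the element is a stub object that records what a browser's parser would be handed on each sink; the decodeURIComponent call in the vulnerable version is an assumption added so that the percent-encoded payload reaches innerHTML decoded, as the article's scenario requires.

```javascript
// Added example (not from the original article): vulnerable innerHTML sink
// versus textContent and output encoding, exercised against a constructed URL.

// Stub for document.getElementById("Welcome"). It does not render anything;
// it records the markup a browser would end up parsing for each sink.
function makeElement() {
  let html = "";
  return {
    // innerHTML: the string goes to the HTML parser as-is.
    set innerHTML(v) { html = String(v); },
    // textContent: the string becomes a text node. Serialised back, a browser
    // escapes &, < and >, so the value can never be parsed as markup.
    set textContent(v) {
      html = String(v).replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" })[c]);
    },
    // Roughly what reading element.innerHTML back would give.
    markup() { return html; },
  };
}

// Vulnerable: the article's pattern. The query value is concatenated into
// markup and handed to innerHTML. decodeURIComponent is assumed here because
// location.href keeps "<" and ">" percent-encoded.
function renderWelcomeUnsafe(href, el) {
  const userposition = href.indexOf("user=");
  const user = decodeURIComponent(href.substring(userposition + 5));
  el.innerHTML = " Hello, " + user;
  return el.markup();
}

// Hardened (DOM): parse the query properly and write through a text sink.
function renderWelcomeSafe(href, el) {
  const user = new URL(href).searchParams.get("user") ?? "guest";
  el.textContent = " Hello, " + user;
  return el.markup();
}

// Output encoding for data placed in an HTML element body or attribute,
// for cases where a markup string must still be assembled (templates, legacy code).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderWelcomeEncoded(href) {
  const user = new URL(href).searchParams.get("user") ?? "guest";
  return " Hello, " + escapeHtml(user);
}

// Demo-only check: does the markup contain an unescaped tag start?
function containsMarkup(s) {
  return /<[a-z!\/]/i.test(s);
}

// Constructed attacker URL: the article's payload, percent-encoded as a
// browser would expose it through location.href.
const ATTACK_URL =
  "https://www.example.beaglesecurity.com/page.html?user=%3Cimg%20src='aaa'%20onerror=alert(1)%3E";

function demo() {
  const unsafe = renderWelcomeUnsafe(ATTACK_URL, makeElement());
  const safe = renderWelcomeSafe(ATTACK_URL, makeElement());
  const encoded = renderWelcomeEncoded(ATTACK_URL);
  console.log("innerHTML sink :", unsafe, "-> tag parsed:", containsMarkup(unsafe));
  console.log("textContent    :", safe, "-> tag parsed:", containsMarkup(safe));
  console.log("encoded output :", encoded, "-> tag parsed:", containsMarkup(encoded));
  return { unsafe, safe, encoded };
}

demo();
```

The same attacker string reaches all three functions; only the innerHTML path yields an <img> element with a live onerror handler. The textContent and encoded paths show the value to the user literally, which is the behaviour the validation and output-encoding recommendations above are meant to produce.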


Written by
Rejah Rehim
Co-founder, Director