HTML Injection vulnerability is a kind of injection vulnerability as you can understand from it’s name. It allows the user to inject his/her arbitrary HTML codes to the webpage. Injection type may be stored or reflected. It looks like a Cross-site Scripting (XSS) vulnerability. Some researchers consider the HTML Injection vulnerability to be a sub-part of XSS.

Then, What is HTML?

HTML (Hypertext Markup Language) is the cornerstone of websites. JavaScript and CSS body of websites. How can threat actors use HTML to fool people?


Impact of HTML Injection Vulnerability

Threat actors can create fake web pages via using HTML Injection vulnerability. They can manipulate a trustful but vulnerable website against HTML Injection. They can create a fake webpage by using stored HTML Injection or they achieve XSS. After achieving XSS threat actors can steal cookies, hijack accounts, steal credentials and other sensitive information.

HTML Injection vulnerability allows the user to modify the web page and that probably would have a bad influence on brand reputation. Your customers may think you don’t take necessary security measures and apply best practices.


How to Detect HTML Injection Vulnerabilities – Detection

HTML Injection detection is not very hard. You can detect HTML Injection vulnerabilities by checking your input fields. If the web page renders your query as an HTML code, bingo! You find an HTML injection vulnerability.

Please consider that you have a web page which comes after a search query:

<h1>Results of your search query: </h1>
<li>Result A</li>

As you can see in the above code, if there is no any mitigation your web page renders this query as an HTML code. If you query for “<a href=””> HACKED!! </a>”, you will see a web page which contains a clickable link in H2 tags.


How to Mitigate HTML Injection Vulnerability? – Protection

First of all, you should apply best practices according to your web server. Then:

  • Please use a proper input validation mechanism, check user inputs. Filter special tags like “<’#/>”.
  • Please encode user input.
  • To be able to prevent automated attacks like bruteforce etc., use captcha control mechanism after a predefined number of requests which probably won’t affect legitimate user experience.