HTML Injection is a type of security vulnerability where an attacker is able to inject malicious HTML code into a web page. This can occur when user input is improperly sanitized, allowing attackers to insert their own HTML tags, attributes, or other markup into a web application.
Types of HTML Injection
- Stored (Persistent) HTML Injection
- Reflected (Non-Persistent) HTML Injection
- DOM-based HTML Injection
1. Stored (Persistent) HTML Injection
Stored HTML injection occurs when the injected HTML code is permanently stored on the target server, such as in a database or a message board. This means that the malicious code will be executed every time the affected page is viewed.
Example: Suppose a web application has a comment section where users can post comments. If the input is not sanitized, an attacker could post a comment containing malicious HTML.
Payload:
<script>alert('Stored HTML Injection');</script>
When a user views the comment section, the script will execute, displaying an alert box.
2. Reflected (Non-Persistent) HTML Injection
Reflected HTML injection occurs when the injected code is reflected off a web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server.
Example: A search functionality that reflects the user’s input back on the page without proper sanitization.
Payload:
<script>alert('Reflected HTML Injection');</script>
When the payload is submitted via the search form, the server reflects it back, and the script executes, displaying an alert box.
3. DOM-based HTML Injection
DOM-based HTML injection occurs when the client-side script (JavaScript) dynamically updates the content of the page based on user input or other data sources without proper sanitization.
Example: A web page that takes a query parameter and dynamically updates the DOM.
Payload:
https://example.com?name=<script>alert('DOM-based HTML Injection');</script>
If the JavaScript on the page uses document.write or innerHTML to insert the name parameter into the page, the script will execute.
Example Vulnerability Scenarios
Stored HTML Injection Scenario
Imagine a web application where users can create their profile with a bio section.
Input Field:
<textarea name="bio"></textarea>
Malicious Input:
<img src="x" onerror="alert('Stored HTML Injection')">
Vulnerability: The bio is saved in the database and displayed on the user profile page without sanitization.
Result: Every time someone views the profile, the onerror event triggers, displaying the alert.
Reflected HTML Injection Scenario
A website has a search form that reflects the search term in the results page.
Search Form:
<form action="/search">
<input type="text" name="query">
</form>
URL:
https://example.com/search?query=<script>alert('Reflected HTML Injection');</script>
Vulnerability: The search term is reflected in the results page without sanitization.
Result: When the URL is visited, the script executes, showing the alert.
By understanding and implementing these prevention techniques, you can protect web applications from HTML injection attacks and enhance overall security.