HTML Injection

By Rohit Gautam
HTML Injection

Summary : When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.

Severity :   Medium  

POST Request : 

Complexity : Easy 

From : Remote / External

Steps to Reproduce:

1. Attacker finds the vulnerable injection point (parameter)
2. Attacker is able to inject the HTML Tags and it gets executed
3. Attacker is able to perfrom successfull HTML Injection

Impact : An Adversary can carry out HMTLi attack to trick the victim in clicking the link and visiting the website, this way attacker can perfrom identify theft and steal credentials.

Affected IP's : IP Address	Port	443

Recommendations : 
Do not allow parsing or execution of HTML tags from the user input.

References :,injection%20of%20certain%20HTML%20tags.

Proof of Concept :

Attached Screenshot or Video