HTML injection is also known as Cross Site Scripting. This is a security flaw that allows attackers to inject HTML code into web pages that are viewed by other users.
Attackers often inject malicious JavaScript, VBScript, ActiveX, and/or HTML into vulnerable applications to trick users into collecting data from them. An attacker can use a Cross-site scripting (XSS) vulnerability to bypass authentication controls by accessing sensitive data on your system. Well-crafted malware can even help an attacker gain access to the entire system.
Example of HTML injection
• The first attacker discovered a website vulnerable to HTML injection
• The attacker then sends the URL with the malicious code inserted into the URL to the victim user, via email or some other mechanism.
• If the victim user clicks on this malicious URL, it will execute the JavaScript or VBScript code with the victim user’s privileges.
• Depending on the code being executed, it can reveal sensitive information about the user or even compromise the victim’s computer.
Avoid HTML injection?
Web programming best practices should include:
• Validate user input by checking data length, type, format, and range.
• Encode any user input that will be generated by the application.
Wow 😲