What Is HTML Injection?

HTML injection is also known as cross-site scripting (XSS). It is a security flaw that allows attackers to inject HTML code into web pages that are viewed by other users.

Attackers often inject malicious JavaScript, VBScript, ActiveX, and/or HTML into vulnerable applications to trick users and collect data from them. An attacker can use a cross-site scripting (XSS) vulnerability to bypass authentication controls by accessing sensitive data on your system. Well-crafted malware can even help an attacker gain access to the entire system.

Example of HTML injection

• First, the attacker discovers a website vulnerable to HTML injection.

• The attacker then sends a URL with the malicious code inserted into it to the victim user, via email or some other mechanism.

• If the victim user clicks on this malicious URL, it will execute the JavaScript or VBScript code with the victim user’s privileges.

• Depending on the code being executed, it can reveal sensitive information about the user or even compromise the victim’s computer.

How to avoid HTML injection?

Web programming best practices should include:

• Validate user input by checking data length, type, format, and range. 

• Encode any user input that will be output by the application.
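
The two practices above, shown together in an added example that is not part of the original article: a page that echoes a search parameter unsafely, next to a version that validates length, type, format and range and then HTML-encodes what it outputs. The function names, the rules and the "q" and "page" parameters are assumptions made for illustration, and the sample input is constructed.

```javascript
// Encode the five characters that are significant in HTML text and attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Validate one field for type, length, format and range.
// Returns a list of problems; an empty list means the value is acceptable.
function validateField(value, rule) {
  if (typeof value !== 'string') return ['type: expected a string'];
  const problems = [];
  if (value.length < rule.minLength || value.length > rule.maxLength) problems.push('length');
  if (rule.pattern && !rule.pattern.test(value)) problems.push('format');
  if (rule.range) {
    const n = Number(value);
    if (!Number.isInteger(n) || n < rule.range[0] || n > rule.range[1]) problems.push('range');
  }
  return problems;
}

// Hypothetical rules for a search page: free-text "q" and a numeric "page".
const RULES = {
  q: { minLength: 1, maxLength: 64 },
  page: { minLength: 1, maxLength: 4, pattern: /^[0-9]+$/, range: [1, 1000] },
};

// Unsafe: the parameter is concatenated into the markup as-is,
// so any tags it contains become part of the page.
function renderUnsafe(params) {
  return '<p>Results for ' + params.q + '</p>';
}

// Hardened: reject invalid input first, then encode everything that is echoed back.
function renderSafe(params) {
  for (const name of Object.keys(RULES)) {
    const problems = validateField(params[name], RULES[name]);
    if (problems.length > 0) {
      return '<p>Invalid ' + encodeHtml(name) + ': ' + encodeHtml(problems.join(', ')) + '</p>';
    }
  }
  return '<p>Results for ' + encodeHtml(params.q) + ' (page ' + encodeHtml(params.page) + ')</p>';
}

// Constructed sample input: markup supplied where plain text is expected.
const sample = { q: '<i>cheap</i> & "fast" flights', page: '2' };
console.log(renderUnsafe(sample)); // tags reach the browser unchanged
console.log(renderSafe(sample));   // tags are shown as text
console.log(renderSafe({ q: 'cheap flights', page: '99999' })); // rejected by validation
```

Validation alone would not stop the first sample, because free text legitimately contains characters such as & and quotes; encoding at output is what keeps the markup from being interpreted.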
