HTMLi
HTMLi (Hyper Text Markup Language Injection)
HTML is what you see in the webpages.
The Big texts in a website,background color,images and many more are all done with the possibility of HTML.
Thats why its called Frontend.
A Live example:
- Go to https://htmledit.squarefree.com/ {Live HTML editor}
- Enter a html code such as “HTML",In the editor and you will get the output.
- Try including a image with “” tag
in the above code “src” means “Source” {where the file is retrieved from} and “width”=500 to adjust the size of the image<img src="https://raw.githubusercontent.com/slvignesh05/akino/1bc52c3d14a8a1fb04c48db700e1f3ab5b15688f/cat0nkolam.png" width=500>
5.The fun part , Try injecting a XSS/HTML payload in the editor
<img src=0 onerror=alert("xss")>
You will observe a alert box popup!.
Wondering why? - This happends due to the void supply of src {source link}.
We did not give a source link to the img tag and said the img tag to raise a alert() box on “onerror”.
And its obvious that an alert() will be popped up.
Basic HTML syntax involves
<h1>title</h1> "<h1>title</h1>" - Title tag
<p>paragraph tag</p> "<p>paragraph tag</p>"
So what happens in HTMLi
HTML injection is similar to XSS, Where attackers inject malicious codes and these will be reflected in the website.
Hence the vulnerable areas to look into will be same as XSS
- Any input fields
- Search field
- Name fields
HTML injection will have a severity of “low” to “medium” and HTML injection bugs will be mostly valid , If they can be injected in Emails too!.
Emails? Yes
Companies send emails with the name you entered in their “Name” field. Therefore the injected HTML code will be caught there.
Same as XSS but why is it rated lower? Cause HTML injection in most cases need human interaction.
Even if the injected code is present in the screen of the victim’s device,He needs to click it for a sucessful attck.
CWE
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
you reached till here?
