HTML Injection By Information Security Expert Gaurav Kawatra

HTML Injection

In this article, we give an overview of HTML injection. HTML injection is an attack that lets injected markup pass for the genuine content of a vulnerable page.

Before reading this article, you should be familiar with web application technologies, as that background is needed to understand HTML Injection (HTMLi).


Injection is a technique for running attacker-controlled (malicious) code in a web application, whether on the client side (HTML, JavaScript, CSS, etc.), on the server side (e.g. the database), or both. Depending on the attack scenario, the attacker injects code written in HTML, JavaScript, or both, crafted so that it passes for the website's own code, often with the help of some social engineering. In some cases code is injected only to dump a database, which needs no involvement from a victim, unlike client-side attacks such as XSS and CSRF, which do.


HTML needs little introduction, but in simple words: HTML (Hypertext Markup Language) is used to create web pages and other content that you view in a web browser. The browser renders the HTML elements together with other technologies such as CSS and JavaScript and presents the result at your door, the browser, which is the client side. Every browser has its own rendering process.

Developers use a number of client-side technologies to present attractive pages in the browser. You can inspect them by clicking on the page with the mouse and choosing the View Source option from the pop-up menu; the page that appears shows the combination of technologies used to build the web page.


HTMLi (HTML injection) is an attack that changes the content of a web page so that the injected content passes for the genuine content. It falls under the category of code-injection vulnerabilities. It is a client-side attack: the attacker crafts a script written in a combination of HTML, CSS, etc. Example:

<h1>Sorry, Please login again. Your session is expired. </h1>
<BR>Username<input type="text">
<BR>Password <input type="text">
<BR><input type="submit" value="Submit">

Using this demo script, an attacker can steal credentials or carry out other malicious attacks.


A non-technical victim has no interest in understanding the page; they simply enter their credentials. Either way, the attacker collects a number of credentials through this code-injection vulnerability.

This is the result of trusting user input. It is therefore always better to restrict user input: sanitize it, allow-list only the characters or elements that are required, and deny all others. Where needed, apply output encoding to special characters such as <, >, /, ', ", }, { before they reach the client side (browser).
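The two defences named above, output encoding and allow-listing, as an added example that is not part of the original article; it feeds the article's login-form payload (embedded here as constructed sample input) through each and shows that no live <h1> or <input> tag reaches the browser. The tag allow-list and the render_comment template are assumptions chosen for the demonstration.

```python
import html
import re

# The login-form lookalike from the article, used as constructed sample input.
INJECTED = (
    '<h1>Sorry, Please login again. Your session is expired. </h1>'
    '<BR>Username<input type="text">'
    '<BR>Password <input type="text">'
    '<BR><input type="submit" value="Submit">'
)

def encode_for_html(value: str) -> str:
    """Output encoding: turn <, >, &, " and ' into entities so user text
    is rendered as inert text rather than parsed as markup."""
    return html.escape(value, quote=True)

# Assumed allow-list: harmless formatting tags only, attributes never kept.
ALLOWED_TAGS = {"b", "i", "br"}
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")

def sanitize_allowlist(value: str) -> str:
    """Allow-listing: keep only listed tags (stripped of attributes) and
    encode every other tag and all surrounding text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(value):
        out.append(encode_for_html(value[pos:m.start()]))
        name = m.group(1).lower()
        closing = m.group(0).startswith("</")
        if name in ALLOWED_TAGS:
            out.append(f"</{name}>" if closing else f"<{name}>")
        else:
            out.append(encode_for_html(m.group(0)))  # <h1>, <input> become text
        pos = m.end()
    out.append(encode_for_html(value[pos:]))
    return "".join(out)

def render_comment(user_input: str) -> str:
    """Assumed server-side template that embeds user text in an HTML body,
    encoding it at the point of output."""
    return f'<p class="comment">{encode_for_html(user_input)}</p>'

def contains_live_tag(rendered: str) -> bool:
    """Defender's check: does a real <h1> or <input> tag survive rendering?"""
    return bool(re.search(r"<(h1|input)\b", rendered, re.IGNORECASE))
```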