What is HTML injection?

HTML injection is also known as cross-site scripting (XSS). It is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.

Attackers often inject malicious JavaScript, VBScript, ActiveX, and/or HTML into vulnerable applications to deceive users and gather data from them. Cross-site scripting (XSS) vulnerabilities can be used by attackers to bypass authentication controls, thereby gaining access to sensitive data on your system. Well-crafted malicious code can even help the attacker gain access to the entire system.

Example of HTML injection

  • First, the attacker finds a site that is vulnerable to HTML injection.
  • Then the attacker sends a URL with malicious code injected into it to the victim user, either through email or some other mechanism.
  • If the victim user clicks this malicious URL, the JavaScript or VBScript code runs with the privileges of the victim user.
  • Depending on the code being executed, it can give out sensitive information about the user or even compromise the victim’s computer.

Avoiding HTML injection

Web programming best practices should include:

  • Validation of user input by checking for length, type, format and data range.
  • Encode any user input that will be output by the application.
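The two practices above, shown together in an added example that is not part of the original page: a page fragment built without encoding beside a version that validates length, type, format and range and then encodes on output. The field names (name, age), the limits and all function names are assumptions made for illustration.

```python
import html
import re

MAX_NAME_LEN = 40                                    # assumed length limit
NAME_FORMAT = re.compile(r"[A-Za-z][A-Za-z '\-]*")   # assumed allowed format
AGE_FORMAT = re.compile(r"[0-9]{1,3}")               # assumed: ASCII digits only
MIN_AGE, MAX_AGE = 0, 130                            # assumed data range


def validate_name(value):
    """Check type, length and format; return the value or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("name must be a string")
    if not 1 <= len(value) <= MAX_NAME_LEN:
        raise ValueError("name length out of bounds")
    if not NAME_FORMAT.fullmatch(value):
        raise ValueError("name contains disallowed characters")
    return value


def validate_age(value):
    """Check type and data range for a numeric field from the query string."""
    if not isinstance(value, str) or not AGE_FORMAT.fullmatch(value):
        raise ValueError("age must be one to three digits")
    age = int(value)
    if not MIN_AGE <= age <= MAX_AGE:
        raise ValueError("age out of range")
    return age


def render_unsafe(name):
    """The 'before': request data is copied into the page verbatim."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name, age):
    """Validate first, then encode every value that came from the request."""
    name = validate_name(name)
    age = validate_age(age)
    # html.escape turns & < > " ' into entities, so the value displays as text.
    return "<p>Hello, {} ({})</p>".format(html.escape(name, quote=True), age)


def render_rejected(raw):
    """Error pages echo input too, so the rejected value is encoded as well."""
    return "<p>Invalid value: {}</p>".format(html.escape(str(raw)[:MAX_NAME_LEN]))


SAMPLE = "<script>alert(1)</script>"   # constructed test input
```

A name such as O'Brien passes validation and still contains a character with meaning in HTML, which is why the encoding step is applied even to validated input.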

Please check the following links for more information.

Tool to check .NET code for XSS vulnerabilities