Difficulty: Low

Lab Overview

This lab demonstrates a basic HTML injection vulnerability where user input is directly inserted into HTML output without proper validation or encoding. The application allows injection of arbitrary HTML content that gets rendered by the browser.

Objective: Inject HTML content to manipulate the page appearance and potentially execute JavaScript.

Vulnerable Code

// Vulnerable: Direct output without validation
function process_html_input($input) {
    if (empty($input)) {
        return "No input provided.";
    }
    
    // Vulnerable: Direct output without encoding
    return $input;
}

HTML Injection Tester

HTML Injection Examples

Try these basic HTML tags:

<h1>Hello World</h1> - Heading
<p style="color:red">Red Text</p> - Styled paragraph
<img src="image.jpg"> - Image
<script>alert('XSS')</script> - JavaScript

Vulnerability Details

Type: HTML Injection
Severity: Medium
Method: POST
Issue: Direct HTML output without encoding

Test Payloads

<h1>Hello</h1> - Basic HTML
<img src="x"> - Image tag
<script>alert(1)</script> - JavaScript
<style>body{background:red}</style> - CSS

HTML Injection Payloads

Use these payloads to test the HTML injection vulnerability:

1. Basic HTML Tags:

Hello World

This is a paragraph

Bold text Italic text Underlined text

2. Styled Content:

Red text

Yellow background

Blue border

Centered heading

3. Images and Media:

4. Links and Navigation:

External Link JavaScript Link OnClick Link

5. Forms and Inputs:

6. Tables and Lists:

    NameAge
John25

Item 1
Item 2

First
Second

Name	Age
John	25

7. JavaScript Execution:

8. CSS Injection:

9. Meta Tags and Headers:

Hacked Page

10. Event Handlers:

Hover me

11. Advanced JavaScript:

12. DOM Manipulation:

Real-World Attack Scenarios

Defacement and content manipulation
Cross-Site Scripting (XSS) attacks
Session hijacking and account takeover
Data exfiltration and sensitive information disclosure
Malicious redirects and phishing attacks
Compliance violations and security breaches

Mitigation Strategies

Implement proper input validation and sanitization
Use HTML encoding functions (htmlspecialchars, htmlentities)
Implement Content Security Policy (CSP)
Use whitelist-based filtering for allowed HTML tags
Implement proper output encoding
Regular security testing and vulnerability assessments
Monitor for unusual HTML injection patterns

Lab 1: Basic HTML Injection