URL: https://www.acunetix.com/vulnerabilities/web/html-injection/
Submission: On October 23 via api from RU — Scanned from DE



HTML INJECTION


DESCRIPTION

HTML Injection is an attack that is similar to Cross-site Scripting (XSS). While
an XSS vulnerability lets the attacker inject and execute JavaScript code, an
HTML injection attack only allows the injection of certain HTML tags. When an
application does not properly handle user-supplied data, an attacker can supply
valid HTML code, typically via a parameter value, and inject their own content
into the page. This attack is typically used in conjunction with some form of
social engineering, because it exploits both a code-based vulnerability and the
user's trust in the affected site.

Attack scenario (OWASP)

A possible attack scenario is demonstrated below:

 * The attacker discovers an injection vulnerability and decides to use an HTML
   injection attack
 * The attacker crafts a malicious link, including the injected HTML content,
   and sends it to a user via email
 * The user visits the page because it is located within a trusted domain
 * The attacker's injected HTML is rendered and presented to the user, asking
   for a username and password
 * The user enters a username and password, which are both sent to the
   attacker's server




REMEDIATION

Your script should filter or encode HTML metacharacters in user-supplied input
before that input is rendered as part of the page.
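The following Python snippet is an added example and is not code from the
Acunetix page or product. It assumes a hypothetical greeting page that places a
user-controlled name parameter into its HTML; the template, the function names
and the sample input are constructed here. It shows the vulnerable rendering
beside the remediated one, and uses the standard-library HTML parser to check
which tags actually reach the browser in each case.

```python
import html
from html.parser import HTMLParser
from typing import List

# Hypothetical page template (constructed for this example). The {name}
# placeholder sits in element content, so HTML-escaping is the right encoding.
TEMPLATE = "<p>Hello, {name}! Here are your messages.</p>"

# Constructed sample input: a parameter value that carries HTML markup instead
# of a plain name. It is not taken from the page.
INJECTED_NAME = '<h1>Notice</h1><a href="https://example.invalid/">Read more</a>'


def render_vulnerable(name: str) -> str:
    """'Before': the raw parameter is concatenated into the page, so any tags it
    carries become part of the document the browser renders."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """'After': the metacharacters < > & " ' are encoded as entities before the
    value is inserted, so the browser displays them as literal text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Records the start tags the parser encounters, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> List[str]:
    """Return the element tags a browser-like parser finds in the fragment.
    Only the template's own <p> should appear once input is encoded."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(INJECTED_NAME))
    print("  tags:", tags_in(render_vulnerable(INJECTED_NAME)))
    print("fixed:     ", render_fixed(INJECTED_NAME))
    print("  tags:", tags_in(render_fixed(INJECTED_NAME)))
```

Running the block shows the vulnerable page containing the injected h1 and a
elements, while the fixed page contains only the template's p element. Note
that html.escape is the correct encoding for text between tags; a value placed
inside an attribute, a URL or a script block needs the encoding appropriate to
that context, and a benign name such as "Alice" renders unchanged either way.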


REFERENCES

Testing for HTML Injection (OTG-CLIENT-003)

CERT advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests

Postcards from the post-XSS world


RELATED VULNERABILITIES

WordPress Plugin Spider FAQ Cross-Site Scripting (1.0.4)

WordPress Plugin WP Visitor Statistics (Real Time Traffic) Cross-Site Scripting (6.4)

WordPress 'wp-register.php' Multiple Cross-Site Scripting Vulnerabilities (2.0 - 2.0.1)

WordPress Plugin FireStats Cross-Site Scripting (1.6.4)

Joomla! Core 3.x.x Cross-Site Scripting (3.0.0 - 3.8.3)


SEVERITY

Medium


CLASSIFICATION

CWE-80

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N


TAGS

Abuse Of Functionality XSS


© Acunetix 2024, by Invicti