HTML injection is an exploitable vulnerability that arises when unfiltered user input is written directly into the page, client-side, without ever passing through the backend.
If you notice that an input field displays its value directly on the page, as in the example code below:
```html
<!DOCTYPE html>
<html>
<body>
  <button onclick="inputFunction()">Click to enter your name</button>
  <p id="output"></p>
  <script>
    function inputFunction() {
      var input = prompt("Please enter your name", "");
      if (input != null) {
        // Sink: untrusted input is parsed as HTML by innerHTML
        document.getElementById("output").innerHTML = "Your name is " + input;
      }
    }
  </script>
</body>
</html>
```
then HTML code like the following can be injected (this code makes the page display an image):

```html
<style> body { background-image: url('https://www.ebuyer.com/blog/wp-content/uploads/2017/05/hacked-logo.jpg'); } </style>
```
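The reason the payload works is that `innerHTML` parses whatever string it receives as markup. The following is an added example, not code from the original page: it contrasts the raw concatenation used in the vulnerable handler with two hardened alternatives (escaping before the string reaches `innerHTML`, or writing to `textContent`, which never parses HTML), and includes a small check that can be run in tests over values that reach HTML sinks. The helper names (`escapeHtml`, `safeMarkup`, `renderNameSafely`, `containsMarkup`) and the sample payload are assumptions made for this example.

```javascript
// Added example (not from the original page): vulnerable pattern vs. hardened forms
// for rendering untrusted input into the DOM.

// Minimal HTML escaping for text that will be placed in an HTML text context.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What the page's vulnerable handler effectively hands to innerHTML: raw concatenation.
function vulnerableMarkup(input) {
  return "Your name is " + input;
}

// Hardened form 1: escape before the string ever reaches innerHTML.
function safeMarkup(input) {
  return "Your name is " + escapeHtml(input);
}

// Hardened form 2 (preferred in the browser): textContent never parses markup.
// Takes the element as a parameter so it can be exercised with a stub outside a browser.
function renderNameSafely(outputElement, input) {
  outputElement.textContent = "Your name is " + input;
  return outputElement.textContent;
}

// Crude detection helper: does a string that is about to reach an HTML sink
// still contain the start of a tag? Useful as a unit-test guard on render paths.
function containsMarkup(s) {
  return /<[a-zA-Z!\/]/.test(s);
}

// Constructed sample input modelled on the style-tag payload discussed above
// (hypothetical URL, not a real resource).
const SAMPLE_PAYLOAD =
  "<style>body{background-image:url('https://example.invalid/x.jpg')}</style>";

// Stand-alone demo using a stub element so it runs under Node as well as a browser.
if (typeof document === "undefined") {
  const stub = { textContent: "", innerHTML: "" };
  console.log("vulnerable :", vulnerableMarkup(SAMPLE_PAYLOAD));
  console.log("escaped    :", safeMarkup(SAMPLE_PAYLOAD));
  console.log("textContent:", renderNameSafely(stub, SAMPLE_PAYLOAD));
}
```

In a real page the fix is the one-line change from `innerHTML` to `textContent` in the handler; the escaping helper is for cases where the value genuinely has to be concatenated into an HTML string (for example in a template rendered on the server).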
- Web browser
- Burp Suite