1. Home
  2. Training Library
  3. Programming
  4. Programming Courses
  5. A Practical Introduction to HTML Injection

HTML Injection



The course is part of this learning path

Start course
1h 34m

This course explores HTML injection, stored HTML injection, and other types of attacks in order to begin carrying out some web pen testing in a practical way. 

Intended Audience

This course is intended for anyone who wants to learn the necessary skills to become an ethical hacker and/or a bug bounty hunter.


We recommend that this course be taken as part of our Web Penetration Testing & Bug Bounty Hunting learning path.


Hi, within this lecture, we're going to start learning about web pentesting and we're going to start with HTML Injection. So, choose your bug from here and if you did something you can always reset the bWAPP so it will just undo what you have done. If you tested something and if you broke something during the lessons, don't forget you can come back here and click on reset to reset everything that you have done, okay? So, what we're going to do, we're going to start with HTML injection. So, when we talk about injection, we're trying to inject something that we're not supposed to be injecting or we're not supposed to be putting yet. HTML injection is not the only injection that we're going to see, as you can see I'm choosing this HTML injection-Reflected (GET) and we're going to see other types of injection like PHP or SQL injections later on. So, my Burp Suite is running, okay? We left it running in the previous lecture, maybe you remember that and we have gathered some information over here. They are not crucial at this point and in fact we don't need Burp Suite in order to understand this injection at all. But it's always good idea to leave Burp Suite running at the site since we try to learn about Burp Suite and since we want to gather as much as information we can over here, okay? We're going to see what the scope and other things are later on. We have seen the proxy, we have actually done the options and we turned the intercept as off in the previous lecture. So , if you didn't do that, just make sure you open the Burp Suite and for right now, I'm just going to click on that and turn the intercept on and show you what intercepting means. So, here is a web page and it asks for a first name and last name. So, we generally see that kind of stuff, right? So, if we write something like Atil Sam here and click on go, then it won't send the request because as you can see nothing happens in this web page right now because it's interrupted, it's intercepted by the Burp Suite so that we can take a look at what we are doing. So, for example when I clicked on that button, I know that it's doing a request over here and I can see that request. It's sending something to the server and as you can see it's a GET request. So, there are a couple of request types like GET request, POST request. We generally see GET request and POST request, but in SQL we're going to be dealing with the UPDATE or DELETE requests as well. So, generally it's not the rule but generally we want to get information so we use GET request, okay? When we want to write some information or when we want to post some information then we use a POST request. It's not mandatory but it's kind of its nature and you're going to see what I'm talking about as we go through the lessons, okay? Right now it's doing a GET request and we don't even know what this website is doing right now. We can only see it's a GET request and it's sending some parameters to the server. And as you can see the parameters are first name and last name. So, this is the website URL. We see the website URL and we see the first name and last name and we see some kind of form. So, if we forward this it will be sent to the server and we can see the response in here as you can see it says that "Welcome Atil Sam." So, that's what this website does. It asks for a first name and a last name and it just shows us welcome message, okay? So, this is our URL in here and we actually see the parameters in the URL in this case as well. But if we didn't see them we could have seen them in the target when we intercepted it or in here, okay? After we forward this request, we can find the request and response if we don't have the intercept on we can always come back here and find the web page that we are on. So, let me just find it. Yeah, it's under there and as you can see we can see the request in here. So, if we didn't even intercept we can later on analyze what's going on in here and we can see the response as well. Of course, we can see the response in the web page as well so this is an HTML form as you can see, HTML page and browser interprets this and show us the documentation. Show us the UI actually not the documentation, show us the document itself. But again, maybe there might be some hidden things that we might find in the response and request that we cannot actually see in the website. So, it's always a good idea to have Burb Suite running so we can analyze what's going on. So, again, this is a website, it just takes in a couple of parameters like a first name and last name and displays some sort of a message to us like a welcome message, okay? Welcome Atil Sam. So, if we see an input like this, we can always try to see if we can inject HTML code. So, I'm going to turn the intercept on and I'm going to do the same thing one more time. I'm going to say Atil Sam and if I say go, I can see the message. So, what if I write some HTML code over here, something like this h1 h1. So, it will be heading, heading 1. So, if I say go, here we go. Now Atil is shown in big font so this is working. So, it means that I can run some HTML codes through this input boxes. This is not website is expecting most of the time. Of course, there might be some websites that allows you to run some HTML codes but it's not intended to be, right? If it was, it would have just said it so. It would have said, "Yeah, you can run HTML codes in here." But it doesn't say it so, so it might be a security flaw or a bug, we can report this, we can say that there is an HTML injection over here. And if I go to google.com and if I search for HTML injection, so let me see. Let me come over here and just write html injection cheat sheet github. Yes, this one. So, this will bring us some cheat sheets so we don't have to of course know everything about HTML or any other injection types that we're going to work with, we can cheat a little bit and just try different payloads or different codes that we want to or that we want to try to inject to the website. So, if you do this, I'm not even going to share the links over here because there are tons of GitHub pages, you can just pick one and use one, okay? And it would be a good exercise for you. For example, I'm going to just open a couple of them and try to see what they look like. So, first of all, I'm going to open this one. So, this one is apparently called cure53/HSSC, okay? So, let me open the OWASP here or the xsuperbug. So, let me open the OWASP as well since OWASP is the most relatable one to us right now. For example, over here we see something called XSS and we're going to see what an XSS is, we're going to see how to find XSS vulnerabilities and stuff. It's related to HTML injection but not exactly, okay? They could be separate to each other or they could be very similar in a website, so depending on the case and here we go. As you can see there is an h1 script over here, so we can just copy this and try to run it on our web page, okay? So, I'm going to tell you what it does since you don't know right now what it does. As you can see, it starts with hello and then it runs a script inside of h1. So, the script stands for JavaScript, okay? Or any kind of script that we may want to run in here. So, this alert shows an alert dialog. So, you don't have to know JavaScript over here, it's pretty basic as you can see. We are seeing that, we want to run this JavaScript and we want to display an alert dialog box that shows one. So, if we can run JavaScript in this web page then it can get really, really malicious. So, it can be an HTML injection, it can be an XSS injection as well. XSS, by the way, we're going to see it but it generally allows us to run JavaScript on browser of the victim, okay? We're going to see the details of them later on throughout the course. They are one of the most popular vulnerabilities as well, but it goes hand in hand with HTML injection somehow. As you can see, we have seen we can run HTML code but maybe we can try if we can actually run the JavaScript code inside of an HTML code here as well. If we can do it then it actually increases the severity of the injection vulnerability. So, it may actually increase the bug bounty price or bug bounty reward that we're going to get out of this website, okay? So, it will basically display an alert dialog. So, it's not biggie but it can get very malicious, I'm going to talk about that later on. So, I'm going to come over here and give some last name as well and if I say go, as you can see, we can display the alert dialog over here. So, this is the alert message. So, it displays 1. So, it means that I can actually run JavaScript in this page throughout this first name thing, okay? And you can actually write whatever you want in here in quotation marks like "Hacked" and you can just say anything you want and as you can see it displays Hacked. So, for example if I just send this link to anybody, if they open it, they will come across with a hacked dialog and it's already affecting the reputation of the website, so it's no good. And if you find something like this it's an HTML injection. Depending on the case it might be an XSS injection as well. So, the reason why we see Reflected and GET over here, it's a GET request. First of all, we have seen this and confirmed this in Burp Suite and it's Reflected, it means that we get to run it from the link or we don't store it actually, okay? We're going to see some stored kind of HTML injection as well. Stored means it's going to be stored in the database, so whenever we visit it it will be run automatically for us. Right now it's only Reflected. If you send this link to anyone then they will see that alert dialog popping up in their browser. They will see that JavaScript is going to be running their browser, okay? So, Reflected, GET and POST are basically the same way but we're going to cover the HTML injection stored within the next lecture. So, I hope you understood what we are doing at this point because we are just getting started. We're going to make it much more complex in the following sections, okay? So, this is just the beginning of this course. So, let's stop here and continue with the HTML injection in the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.