HTML Injection is a vulnerability in which the attacker can inject malicious html content in the webpage.
1 Admin has enabled Comments
module, so that people can comment on a blog post.
2 Attacker post the following comment:
<s><marquee><h1>SOMETHING+SOMETHING
Now, observe the changes in the webpage: This html gets executed. The footer of webpage is striked out etc.
Attackers can change the structure of webpage using different tags like <marquee>
, <h1>
, <center>
, <s>
etc.
Attackers can even hide the Leave Comment
button
This html code also executes in the admin panel when admin checks the comments on a post.