HTML Injection Testing Tutorial with Example

By Vijay

Updated May 9, 2025

Let’s take an in-depth look at HTML Injection:

To understand HTML Injection, we should first know what HTML is.

HTML is a markup language in which all of a website’s elements are written in tags. It is mostly used for creating websites. Web pages are sent to the browser in the form of HTML documents. The browser then converts those HTML documents into normal web pages and displays them to the final users.

This tutorial will give you a complete overview of HTML Injection, its types and preventive measures along with practical examples in simple terms for your easy understanding of the concept.

HTML Injection Tutorial


What is HTML Injection?

The essence of this type of injection attack is injecting HTML code through the vulnerable parts of the website. The malicious user sends HTML code through any vulnerable field in order to change the website’s design or any information that is displayed to the user.

As a result, the user may see the data that was sent by the malicious user. Therefore, in general, HTML Injection is just the injection of markup language code into the document of the page.

The data sent during this type of injection attack can vary widely. It can be a few HTML tags that just display the sent information. It can also be a whole fake form or page. When this attack occurs, the browser usually interprets the malicious user's data as legitimate and displays it.

Changing a website’s appearance is not the only risk that this type of attack brings. It is quite similar to the XSS attack, where a malicious user steals another person’s identity. Therefore, stealing another person’s identity may also happen during this injection attack.


Types of HTML Injection

This attack does not seem very difficult to understand or to perform, as HTML is considered quite a simple language. However, there are different ways to perform it, and we can distinguish different types of this injection.

Firstly, different types may be sorted by the risks that they bring.

As mentioned, this injection attack can be performed with two different purposes:

  • To change the displayed website’s appearance.
  • To steal another person’s identity.

Also, this injection attack can be performed through different parts of the website, i.e., data input fields and the website’s link.

However, the main types are:

  • Stored HTML Injection
  • Reflected HTML Injection

#1) Stored HTML Injection:

A stored injection attack occurs when malicious HTML code is saved on the web server and is executed every time a user calls the corresponding functionality. This is the main difference between the two injection types.

#2) Reflected HTML Injection:

In the reflected injection attack, malicious HTML code is not permanently stored on the web server. Reflected Injection occurs when the website immediately responds to malicious input.

This can again be divided into more types:

  • Reflected GET
  • Reflected POST
  • Reflected URL

Reflected Injection attacks can be performed differently according to the HTTP methods, i.e., GET and POST. As a reminder, with the POST method data is sent and with the GET method data is requested.

To know which method is used for the appropriate website elements, we can check the source of the page.

For example, a tester can check the source code for the login form and find out what method is being used for it. The appropriate HTML Injection method can be selected accordingly.

Reflected GET Injection occurs when our input is displayed (reflected) on the website. Suppose we have a simple page with a search form that is vulnerable to this attack. If we type any HTML code into it, that code will appear on the website and at the same time be injected into the HTML document.

For example, we enter simple text with HTML tags:

[Image: HTML Injection text]

Reflected POST HTML Injection is a little more difficult. It occurs when malicious HTML code is sent instead of the correct POST method parameters.

For example, we have a login form that is vulnerable to HTML attack. Data typed into the login form is sent using the POST method. If we type any HTML code instead of the correct parameters, it will be sent with the POST method and displayed on the website.

To perform the Reflected POST HTML attack, it is recommended to use a special browser plugin that will fake the sent data. One of them is the Mozilla Firefox plugin “Tamper Data”. The plugin intercepts the sent data and allows the user to change it. The changed data is then sent and displayed on the website.

For example, if we use such a plugin, we would send the same HTML code <h1>Testing test</h1>, and it would be displayed the same way as in the previous example.

[Image: HTML Injection text]

Reflected URL happens when HTML code is sent through the website URL, displayed on the website and at the same time injected into the website’s HTML document.

How is HTML Injection Performed?

To perform this type of injection, the malicious user must first find vulnerable parts of the website. As mentioned, vulnerable parts of the website may be data input fields and website links.

Malicious HTML code can get into the page's source through innerHTML. Remember that innerHTML is a DOM property, and with innerHTML we can write dynamic HTML code. It is used mostly for data input fields like comment fields, questionnaire forms, registration forms, etc. Therefore, those elements are most vulnerable to HTML attack.

Suppose we have a questionnaire form where we fill in the appropriate answers and our name. When the questionnaire is completed, an acknowledgment message is displayed. The acknowledgment message also shows the name the user entered.

The message may look as shown below:

[Image: questionnaire form]

As we understand, Tester_name is the name indicated by the user. Therefore, the acknowledgment message code may look like the one below:

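// Deliberately vulnerable: the "user" value from the URL is written into the page unescaped.
var pos = location.href.indexOf("user=");
var user = decodeURIComponent(location.href.substring(pos + 5));
document.getElementById("Thank you for filling our questionnaire").innerHTML = "Thank you for filling our questionnaire, " + user;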

The demonstrated code is vulnerable to such an attack. If we typed any HTML code into the questionnaire form, it would be displayed on the acknowledgment page.

The same happens with comment fields. Suppose we have a comment form that is vulnerable to the HTML attack.

[Image: comment form]

In the form, the user types his name and the comment’s text. All saved comments are listed on the page and loaded on page load. Therefore, if malicious code is typed and saved, it will also be loaded and displayed on the website.

For example, if we saved the code below in the comments field, a popup window with the message “Hello, world!” would be displayed on page load.

<html>
<body>
<script>
alert( 'Hello, world!' );
</script>
</body>
</html>

Another way for this type of injection to be performed is through the website’s link. Suppose we have a PHP website link.

As we see, “site” is a parameter and “1” is its value. Then, if for the parameter “site” instead of value “1” we would indicate any HTML code with the text to display, this indicated text would be displayed in the “Page Not Found” page. This happens only if the page is vulnerable to HTML attack.

Suppose we type text with the tags <h1>Testing</h1> instead of the parameter’s value.

Then we would get a text displayed on the website as shown below:

[Image: Text displayed]

Also, as mentioned, not only a piece of HTML code may be injected. An entire malicious page may also be sent to the final user.

For example, suppose the user opens a login page and types his credentials. If a malicious page is loaded instead of the original page and the user sends his credentials through it, the third party may get the user’s credentials.


How to Test Against HTML Injections?

When starting to test against a possible injection attack, a tester should first list out all the potentially vulnerable parts of the website.

As a reminder, these may be:

  • All data input fields
  • Website link

Then manual tests could be performed.

When testing manually, simple HTML code can be entered to check whether it is displayed, which shows whether an HTML Injection is possible. There is no point in testing with very complicated HTML code; simple code may be enough to check whether it is displayed.

For example, there may be simple tags with text:

<h1>HTML Injection testing</h1>

Or a search form's code, if you would like to test with something more complicated:

<form method="post" action="index.html">
<p><input type="text" name="search" value="" placeholder="Search text"></p>
<p class="search_text">
<label>
<input type="checkbox" name="search_text" id="search_text">
Type text to search
</label>
</p>
<p class="submit"><input type="submit" name="commit" value="Search"></p>
</form>

If HTML code that was saved somewhere is displayed, the tester can be sure that this injection attack is possible. Then more complicated code may be tried, for example, to display a fake login form.
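The manual check described above can be scripted so that each input point is classified by how the response handles the probe. This is an added example, not code from the tutorial; the function names and the four sample responses are constructed for illustration, and only the probe string comes from the text.

```javascript
// Added example: classify how a response handles a harmless HTML probe.
// PROBE is the tutorial's own test string; the sample responses are constructed.
const PROBE = '<h1>HTML Injection testing</h1>';

// Minimal HTML entity encoding, used only to recognise an encoded reflection.
function encodeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Returns 'injectable' | 'encoded' | 'stripped' | 'absent'.
function classifyReflection(body, probe = PROBE) {
  if (body.includes(probe)) return 'injectable';          // markup reached the page intact
  if (body.includes(encodeHtml(probe))) return 'encoded'; // shown as text: output is handled
  const text = probe.replace(/<[^>]*>/g, '');             // "HTML Injection testing"
  if (body.includes(text)) return 'stripped';             // tags filtered, text kept
  return 'absent';                                        // input is not reflected here
}

// Constructed responses for four input points of a hypothetical site.
const responses = {
  search:  '<p>Results for <h1>HTML Injection testing</h1></p>',
  comment: '<li>&lt;h1&gt;HTML Injection testing&lt;/h1&gt;</li>',
  name:    '<p>Thank you, HTML Injection testing</p>',
  login:   '<p>Invalid credentials</p>',
};

// Map every field name to its classification.
function report(pages) {
  return Object.fromEntries(
    Object.entries(pages).map(([field, body]) => [field, classifyReflection(body)]));
}

console.log(report(responses));
```

Only the 'injectable' result confirms the finding; 'stripped' means a filter is in place and is worth a closer manual look.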

Another solution is an HTML Injection scanner. Scanning automatically for this attack may save a lot of your time. Note that there are not many tools for HTML Injection testing in comparison with other attacks.

However, one possible solution is the WAS application. WAS can be called quite a strong vulnerability scanner, as it tests with different inputs and does not just stop at the first failure.

The browser plugin “Tamper Data” mentioned above may also be helpful for testing: it gets the sent data, allows the tester to change it and sends it to the browser.

We can also find some online scanning tools, where you only have to provide the website’s link and scanning against HTML attack will be performed. Once testing is completed, a summary will be displayed.

Note that when selecting a scanning tool, we have to pay attention to how it analyzes the results and whether it is accurate enough.

However, we should keep in mind that testing manually should not be forgotten. This way we can be sure what exact inputs are tried and what exact results we are getting. Also, this way it is easier to analyze the results.

From my experience in a software testing career, I would like to comment that for both ways of testing we should have good knowledge of this type of injection. Otherwise, it would be difficult to select an appropriate automation tool and analyze its results. Also, it is always recommended not to forget to test manually, as it just makes us more sure about the quality.

How to Prevent HTML Injection?

There is no doubt that the main reason for this attack is the developer’s inattention and lack of knowledge. This type of injection attack occurs when the input and output are not properly validated. Therefore the main rule to prevent HTML attack is appropriate data validation.

All inputs should be checked to see whether they contain any script code or HTML code. Usually the check is whether the input contains any special script or HTML brackets: <script></script>, <html></html>.

There are many functions for checking if the code contains any special brackets. Selection of the check function depends on the programming language that you are using.
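Applied to the questionnaire acknowledgment message shown earlier, validation of the input and encoding of the output look like this. This is an added example, not the tutorial's code; the URL, the function names and the allow-list rule for names are assumptions, and the string building stands in for the innerHTML assignment so it runs outside a browser.

```javascript
// Added example, not the tutorial's code. The URLs and the name rule are assumptions.

// Output encoding: replace the characters that let text be parsed as markup.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Input validation: allow-list for a name field instead of hunting for bad tags.
function isValidName(value) {
  return /^[\p{L}\p{N} _.'-]{1,64}$/u.test(value);
}

// Read the "user" query parameter (already percent-decoded by URLSearchParams).
function userFromUrl(href) {
  return new URL(href).searchParams.get('user') ?? '';
}

// Vulnerable pattern from the questionnaire page: raw value placed into HTML.
function ackVulnerable(href) {
  return 'Thank you for filling our questionnaire, ' + userFromUrl(href);
}

// Hardened: the value is encoded, so the browser shows it as plain text.
// In a page script, assigning the raw value to element.textContent avoids HTML parsing too.
function ackEncoded(href) {
  return 'Thank you for filling our questionnaire, ' + escapeHtml(userFromUrl(href));
}

// Constructed sample links; <h1>Testing</h1> is the tutorial's own probe.
const BASE = 'https://example.test/thanks?user=';
const PLAIN_URL = BASE + encodeURIComponent('Tester_name');
const MARKUP_URL = BASE + encodeURIComponent('<h1>Testing</h1>');

for (const href of [PLAIN_URL, MARKUP_URL]) {
  const user = userFromUrl(href);
  console.log(isValidName(user) ? 'accept' : 'reject', '|', ackEncoded(href));
}
```

The allow-list accepts an apostrophe so that names such as O'Brien pass, which is why the output is still encoded after validation.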

It should be remembered that good security testing is also a part of prevention. I would like to point out that, as HTML Injection attack is very rare, there is less literature to learn about it and fewer scanners to select for automatic testing. However, this part of security testing really should not be missed, as you never know when it may happen.

Also, both the developer and tester should have proper knowledge of how this attack is being performed. A good understanding of this attack process may help to prevent it.

Comparison with other Attacks

In comparison with the other possible attacks, this attack definitely will not be considered as risky as SQL Injection, JavaScript Injection or even XSS may be. It will not destroy the whole database or steal all the data from the database. However, it should not be considered insignificant.

As mentioned earlier, the main purpose of this type of injection is changing the displayed website’s appearance with malicious purpose, displaying your sent information or data to the final user. Those risks may be considered less important.

However, changing the website’s appearance may cost your company its reputation. If a malicious user destroys your website’s appearance, it may change visitors’ opinions about your company.

It should be remembered that another risk that this attack on a website brings is stealing another user’s identity.

As mentioned, with HTML Injection the malicious user may inject a whole page that would be displayed to the final user. If the final user then enters his login data on the fake login page, it will be sent to the malicious user. This, of course, is the riskier part of the attack.

It should be mentioned that, for stealing other users’ data, this type of attack is less frequently selected, as there are a lot of other possible attacks.

However, it is very similar to the XSS attack, which steals the user’s cookies and other users’ identities. There are also XSS attacks that are HTML based. Therefore, testing against XSS and HTML attack may be very similar and performed together.

Conclusion

As HTML Injection is not as popular as other attacks, it may be considered less risky than other attacks. Hence testing against this type of injection is sometimes skipped.

Also, it is noticeable that there is definitely less literature and information about HTML Injection. Therefore, testers may decide not to perform this type of testing. However, in this case, HTML attack risks may not be evaluated enough.

As we have analyzed in this tutorial, with this type of injection the whole design of your website may be destroyed or even the user’s login data may be stolen. Therefore, it is highly recommended to include HTML Injection in security testing and to invest in good knowledge of it.

Have you come across any typical HTML Injections? Feel free to share your experiences in the comments section below.

7 thoughts on “HTML Injection Testing Tutorial with Example”

  1. Unfortunately, it might have been written by a smart person, but not a person gifted with the ability to teach.
