HTML Injection
detect, understand, remediate

What is HTML injection?

HTML injection (CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page, sometimes referred to as Basic XSS) is any condition where an application reflects attacker-controlled markup into the rendered HTML of a page without first encoding it for the HTML context. The injected fragment becomes part of the document tree the browser parses. The attacker does not need JavaScript to execute. The damage comes from new structural elements appearing inside the page: a fake login form rendered above the real content, a misleading CSS-styled banner that overlays the navigation, a hyperlink that points away from the legitimate domain, an image that pulls a tracking pixel, or a malformed tag that swallows the rest of the document until a closing brace.

The vulnerability sits inside OWASP A03:2021 Injection, next to but distinct from cross-site scripting (CWE-79), which adds JavaScript execution to the same root cause. The line between the two is filter-dependent. A page that filters <script> tags but accepts an <iframe> or an <a href> is still HTML injection; with a single bypass it becomes XSS. Many engagements report the finding as XSS because the script-execution payload lands first; the underlying class is HTML injection and the fix has to address the markup-injection problem at the root, not the specific JavaScript payload that exploited it.

Treat HTML injection as a standalone finding when the injection point allows new tags or attributes but the application's output context, encoding layer, or downstream Content Security Policy stops script execution. The leftover damage is real: phishing overlays inside the legitimate domain, brand defacement, link redirection, dangling-markup data exfiltration, and the conditions for chaining into clickjacking or open-redirect attacks. A finding that says "<script> is filtered, so this is informational" misses the threat model.

HTML injection vs XSS: where the line sits

The two findings get confused, conflated, and reported under the wrong CWE on most engagements. The table below names the practical distinctions a tester should walk before deciding which class a finding belongs to.

Where HTML injection shows up on real engagements

The injection sinks are the same as XSS: any place the application reflects user input into the response. The difference is what each sink is filtered for. The list below pairs the common sink with the realistic injected payload that lands when JavaScript execution is blocked.

Why HTML injection really happens

The pattern is rarely a single missing call. It is a layered failure where a development team installs a script-blocker, declares the XSS class fixed, and never closes the markup-injection root. The next refactor adds a new sink, the filter does not match it, and the same input hits the document tree under a different tag.

A worked example: in-domain phishing through HTML injection

A common shape on engagements is a search results page that reflects the query into a header banner. The application is deployed behind a WAF that strips <script> tags, blocks javascript: URIs, and rejects on event-handler attributes. The team has run an automated scanner, seen no XSS hits, and signed off on the page. The pentester probes with a payload that uses no script and no event handlers.

# Vulnerable behaviour

GET /search?q=portal HTTP/1.1
Host: target.example

<!-- response body, abridged -->
<h1>Results for portal</h1>
<ul>...</ul>

# Pentester probe

GET /search?q=%3Cdiv+style%3D%22position%3Afixed%3Btop%3A0%3Bleft%3A0%3Bwidth%3A100%25%3Bbackground%3A%23fff%3Bz-index%3A9999%22%3EYour+session+expired.+Sign+in+at+%3Ca+href%3D%22https%3A%2F%2Fattacker.example%2Fsignin%22%3Etarget.example%2Fsignin%3C%2Fa%3E%3C%2Fdiv%3E HTTP/1.1
Host: target.example

# Decoded payload (rendered into the page)
<div style="position:fixed;top:0;left:0;width:100%;background:#fff;z-index:9999">
  Your session expired. Sign in at
  <a href="https://attacker.example/signin">target.example/signin</a>
</div>

# Result
The legitimate page renders normally. Above it sits a full-width white banner telling
the user that their session has expired, with a link that visually reads target.example
but resolves to attacker.example. Every visitor who follows the crafted URL sees the
overlay rendered inside the trusted origin, with a valid TLS certificate and the real
site chrome behind it. No script ever runs. CSP does not block any of this.

The pentester captures the request, the response, and a screenshot of the rendered overlay. The proof artefact is the in-domain screenshot, because that is what closes the question "is this informational or exploitable" for the client. The conversion path to harm is direct: the attacker emails or messages the crafted URL to a target user, the target sees the overlay inside the legitimate domain, and the captured credentials get reused on the real login form.

The fix is structural. The search header has to render through a context-aware encoder so the angle brackets become &lt; and &gt; in HTML body context. The Content Security Policy gets tightened to disallow inline styles, which removes the overlay vector even if a future regression breaks the encoder. A regression test asserts that the response for a payload containing markup characters renders the encoded form, not the raw form. On a SecPortal engagement, the proof artefacts (request, response, screenshot, payload, decoded payload, before-and-after screenshots after the fix lands) stay attached to the finding record through retest, so the close-out conversation references the patched encoder rather than a vague "it doesn't reproduce now" ticket.

How to detect HTML injection

How to fix HTML injection

Severity calibration

HTML injection findings get disputed in two predictable ways. Engineering pushes back that the discrepancy is "informational because the script blocker stopped XSS", which conflates the script-execution class with the markup-injection class. The CISO pushes back that the report should not flag a marketing page that reflects the URL into a heading, which over-corrects against legitimate findings on form-rendering pages. Both miss the calibration point. CVSS 3.1 for a confirmed HTML-injection finding with a reproducible in-domain phishing path typically lands at AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 base, Medium), and the score moves up when the sink is stored, when the affected page is authenticated, or when dangling markup can exfiltrate CSRF tokens.

The strongest reports name the payload class that landed (anchor, iframe, form, style, dangling markup), the affected sink, the rendered evidence (a screenshot of the in-domain overlay or the modified DOM), the realistic downstream impact for the specific application (in-domain phishing of session-bound users, defacement on a public profile, link redirection of a high-traffic search page), and the CVSS vector calibrated to the proven path. The severity calibration research covers the case-by-case decision-making that separates a real Medium from an inflated High and from a dismissed Low.

Reporting an HTML injection finding

On a SecPortal engagement, the finding sits on the engagement record with the affected sink, the rendered payload class, the captured request and response, the screenshot of the rendered output, the CVSS 3.1 vector calibrated to the realistic downstream chain, the CWE-80 mapping (with CWE-79 cross-reference if a script-execution path was demonstrated alongside it), and the remediation guidance from this page. The proof artefacts stay attached through retest, so the close-out conversation references the patched encoding boundary rather than a generic "can't reproduce now" note.

The finding triage workflow covers how to separate scanner-derived flags (an angle-bracket reflection in a JSON field) from manually validated findings (a captured screenshot of an in-domain overlay), so the report differentiates rule hits from confirmed exploits. The pentest report writing guide covers how to phrase the business impact for a reader who needs to understand why an HTML-injection finding matters when no script ran. And the retesting workflow covers the verification steps for a fix that has to land at multiple render tiers.

Compliance impact

A pentester checklist for HTML injection

The list below is the minimum coverage a tester should walk before declaring a target's rendered HTML free of injection. Each item maps to a specific sink class and a specific payload context.