HTML Injection

• Testing for HTML Injection (WSTG-CLNT-03)

💡 Use with CSS keylogger

Content Spoofing

Content spoofing / content injection / “arbitrary text injection” / virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.

HTML injection can be used in content spoofing.

• Content Spoofing (OWASP)