HTML Code: Tags, Tricks & INJECTION
- Aastha Thakker
- Oct 28, 2025
- 5 min read
Hey everyone! Today, let’s see an overview of HTML, HTML tags, and HTML injection. It’s like learning the ABCs of the web, but with a cybersecurity twist. Whether you’re an HTML ninja or a newbie, feel free to check this out.
So, basically, HTML, or Hypertext Markup Language, is the digital architect of the web world. It’s the backbone that structures your web content, making it look all fancy and organized. Now, many of you might think of it as a “coding” language, but let me clear this up — it’s NOT! It’s not here to write code or perform crazy calculations. Think of it as that cool designer friend who arranges and styles your stuff, making you look great when the party starts!

Basic but IMPORTANT HTML Tags You Must Know!
- <html></html>: Wraps the entire document.
- <title>: Sets the title of the HTML page displayed on the browser tab.
- <body>: Holds the main content of the HTML page.
- <p>: Defines a paragraph, separating text content.
- <img src="">: Adds an image to the HTML document from the specified source.
- <video src="" autoplay>: Embeds a video, with the source and the autoplay attribute.
- <table>: Creates tables to organize data.
- <ol>: Defines an ordered (numbered) list.
- <ul>: Defines an unordered (bulleted) list.
- <li>: A list item, used within <ol> and <ul> tags.
- <iframe>: Embeds content from another source, often used for YouTube videos.
- <marquee>: Makes text move horizontally across the page.
- <header>: The header section of the HTML page.
- <footer>: The footer section of the HTML page.
- <a href="" alt=""> name </a>: Creates a hyperlink with the specified destination and alternative text.
- <hr>: Draws a horizontal line to separate content.
- <br>: Inserts a line break, moving content to the next line.
- <h1> to <h6>: Heading tags, ranging from the largest (h1) to the smallest (h6).
- <article>: Container for standalone content, often used for blog posts or news articles.
- <div>: Defines a division or section in an HTML document, often used for styling purposes.
- <strong> or <b>: Renders text in bold.
- <pre>: Represents preformatted text, preserving both spaces and line breaks.
- <em> or <i>: Renders text in italics.
- <sub>: Renders text as subscript, typically used for footnotes.
- <sup>: Renders text as superscript, often used for exponents.
And there are many more tags, but these are the very basic and important ones that everyone should know.

HTML doesn't throw any error, okay? It simply doesn’t work or doesn’t show the required output.
Here is a sample HTML code, and I hope you guys will try it out yourself. That is the reason I am not putting the code in text format 😉

Okay so now imagine, you’re following a simple recipe to bake chocolate chip cookies, and suddenly the instructions tell you to add hot sauce and jalapeños. That’s a bug — a weird glitch in the sweet cookie plan.
Now, injection is like your sneaky sibling switching the recipe card, adding their spicy twist. They slip in extra steps to turn your cookies into a spicy surprise. Bugs are the unexpected flavor hiccups, and injections are your mischievous sibling spicing things up in the kitchen. It’s like expecting cookies and getting a spicy meme-worthy treat!
Code Injection is very similar to the example I gave above.
Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution.
HTML Injection is a chef tampering with your recipe. That is, it involves an attacker adding HTML code to a webpage, just like your sibling messing with your recipe steps. This can lead to vulnerabilities, as injected code might manipulate the webpage’s structure, opening the door for unauthorized actions or data theft. It’s like your recipe going from a sweet treat to a spicy concern.
Technically, HTML injection is a web-based vulnerability that opens a door for the attacker to inject malicious code. It’s very similar to the XSS (Cross-Site Scripting) vulnerability: the process is the same, but the injected content (tags/code) is different. Though it is less dangerous than XSS, a vulnerability is still a vulnerability.
Some of you might think, what is XSS? It is also a web-based vulnerability that lets an attacker inject undesired code or commands (usually JavaScript) which are executed by the browser on behalf of the web application.
If you are wondering whether a website is vulnerable to HTML injection or not, here is a simple trick. Put a simple, small HTML snippet into the search bar. If the site displays the expected output, well, it might be vulnerable. But if it throws an error, the website wins this round. Don’t worry — keep hunting, try finding another vulnerability. In the backend, when you input HTML code in a website’s search bar, the server processes and interprets the input. If the server doesn’t validate the input, it might reflect the injected code in the output, indicating a vulnerability. On the other hand, a secure backend would catch and prevent such injections.
On this website I added
<h1>Hey</h1><br><p>Aastha This Side!</p>
And it reflected the output. It means the website is vulnerable.

How to Prevent HTML Injection?
To prevent HTML Injection, we should create layers of defense that together reduce the risk of HTML injection vulnerabilities on your website.
Input validation: Missing input validation is the root of most web application security problems. Always validate and sanitize (filter) user input on the server side. Ensure that any input from the user is checked and validated before the content is processed. The HTML5 specification includes built-in validation features that allow constraints to be specified directly within HTML. These include input field attributes like “required” to indicate a mandatory field, “type” for specifying data types, “maxlength” to set a maximum length limit, and “pattern” to define a regex pattern for valid values. Additionally, the specification introduces CSS pseudo-classes such as “:valid” and “:invalid”, enabling distinct styles to be applied based on the validation outcome. Keep in mind that these HTML5 checks run in the browser, so they improve usability but do not replace the server-side validation above.
Content Security Policy (CSP): Implement and enforce a Content Security Policy on your website. This can help mitigate the impact of any potential injection attacks by specifying the sources of content that the browser should consider as valid.
Escape User-Generated Content: Escape characters with special meanings in HTML, such as <, >, and &. This ensures that user inputs are treated as plain text rather than interpreted as HTML code.
Limit User Permissions: Restrict user permissions to the minimum necessary for their tasks. If users have limited access, even in the event of a successful injection, the potential damage can be minimized.
Regular Security Audits and Testing: Regularly conduct security audits and penetration testing on your web applications to identify and address potential vulnerabilities, including HTML injection. This proactive approach can catch issues before they become serious threats.
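To make the reflection check from the search-bar section and the escaping advice above concrete, here is an added example (my own code, not from the original post): a minimal search-results renderer in its vulnerable form beside its escaped form, plus a regression check that an application's own test suite can run to confirm tags from user input never reach the page unescaped. The template, the function names and the payload (the one used in the post) are assumptions.

```python
import html
import re
from typing import Callable, List

# Constructed sample input: the test snippet from the post, submitted as a search term.
PAYLOAD = '<h1>Hey</h1><br><p>Aastha This Side!</p>'

# Hypothetical page template into which the search term is reflected.
TEMPLATE = '<html><body><p>Results for: {term}</p></body></html>'


def render_search_vulnerable(term: str) -> str:
    """Reflects the search term verbatim into the markup: the HTML injection bug."""
    return TEMPLATE.format(term=term)


def render_search_safe(term: str) -> str:
    """Escapes <, >, &, and quotes so the term is shown as text, not parsed as tags."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


# Matches opening and closing tags such as <h1>, </h1>, <br>, <img src="">.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][a-zA-Z0-9-]*[^>]*>')


def reflected_tags(render: Callable[[str], str], user_input: str) -> List[str]:
    """Return the tags from user_input that the renderer reflects unescaped.

    Renders once with an empty term as a baseline so tags that belong to the
    template itself (like <p> here) are not counted; a tag is reported only if
    it occurs more often in the response than in the baseline. An empty list
    means the renderer is safe for this input.
    """
    baseline = render("")
    response = render(user_input)
    return [t for t in TAG_RE.findall(user_input)
            if response.count(t) > baseline.count(t)]


if __name__ == "__main__":
    print("vulnerable reflects:", reflected_tags(render_search_vulnerable, PAYLOAD))
    print("safe reflects:", reflected_tags(render_search_safe, PAYLOAD))
```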
I hope this will be useful for you and if you’ve got any questions or just want to chat more about tech, feel free to reach out to me on LinkedIn.