Skip to content

Security Test: HTML Injection

Description

Default Severity:

HTML Injection occurs when an application takes user input and shows it on a webpage without properly checking or cleaning it first. This allows an attacker to insert unwanted HTML or JavaScript into the page, which could change its behavior, steal sensitive information, or hijack user sessions. The risk comes from assuming that any incoming data is safe, rather than validating or encoding it before display. If overlooked, this vulnerability can lead to further issues like XSS attacks, breaking the trust of users and compromising the site’s functionality.

Reference:

Configuration

Identifier: frontend_injection/html_injection

Examples

All configuration available:

checks:
  frontend_injection/html_injection:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API10:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 6.5.1
GDPR Article-32
SOC2 CC1
PSD2 Article-32
ISO 27001 A.14.2
NIST SP800-53
FedRAMP AC-4
CWE 79
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Score 9.8