Injection: HTML Injection¶

Identifier: html_injection

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

HTML Injection occurs when an application takes user input and shows it on a webpage without properly checking or cleaning it first. This allows an attacker to insert unwanted HTML or JavaScript into the page, which could change its behavior, steal sensitive information, or hijack user sessions. The risk comes from assuming that any incoming data is safe, rather than validating or encoding it before display. If overlooked, this vulnerability can lead to further issues like XSS attacks, breaking the trust of users and compromising the sites functionality.

References:

https://owasp.org/www-community/attacks/HTML_Injection

Configuration¶

Example¶

Example configuration:

---
security_tests:
  html_injection:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.