
Security Test: HTML Injection

Description

Default Severity:

HTML injection happens when untrusted user input isn't properly validated or sanitized, allowing an attacker to insert arbitrary HTML or JavaScript into a webpage. This is risky because the injected markup can change how a page behaves or exfiltrate confidential data, effectively giving attackers access to your users' sessions or personal information. Developers often assume that user input is safe, so the root cause is usually missing validation or output encoding before the content is rendered. If left unaddressed, it can lead to further attacks such as XSS, browser hijacking, or information theft, affecting both site functionality and user trust.
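As an added example, not code from this page or from the scanner it documents, the Python below shows the defect this check looks for: a template that concatenates untrusted input straight into markup, next to the same template with output encoding applied, plus a small reflection check of the kind a scanner performs to decide whether the encoding held. The PROBE string, the function names and the response bodies are constructed for illustration.

```python
import html
import re

# Constructed sample input: a harmless marker containing HTML metacharacters,
# of the kind a scanner sends and then looks for in the response.
PROBE = '<b data-probe="x">probe</b>'


def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: untrusted input is interpolated directly into the markup,
    # so any tag inside `name` becomes part of the page's DOM.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened: encode & < > " ' before placing the value in an HTML text
    # node (quote=True also covers the attribute-in-quotes context).
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def reflects_unencoded_html(response_body: str, probe: str) -> bool:
    # Detection: the probe came back verbatim, tags intact, so the page is
    # injectable. If only an encoded form appears, the output encoding worked.
    return probe in response_body


def surviving_tags(response_body: str, probe: str) -> list:
    # Finer-grained detection: list the opening tags from the probe that
    # still appear as real tags (not as &lt;...&gt;) in the response.
    tag_names = re.findall(r"<\s*([A-Za-z][\w-]*)", probe)
    return [
        tag for tag in tag_names
        if re.search(rf"<{tag}\b", response_body, re.IGNORECASE)
    ]


if __name__ == "__main__":
    unsafe = render_greeting_unsafe(PROBE)
    safe = render_greeting_safe(PROBE)
    print("unsafe body:", unsafe)
    print("safe body:  ", safe)
    print("unsafe reflects probe:", reflects_unencoded_html(unsafe, PROBE))
    print("safe reflects probe:  ", reflects_unencoded_html(safe, PROBE))
    print("tags surviving in unsafe:", surviving_tags(unsafe, PROBE))
```

The encoding shown is correct only for the HTML text and quoted-attribute contexts; values placed in unquoted attributes, URLs, inline scripts or style blocks need the encoder for that context, which is why output encoding should be done by the templating layer at the point of rendering rather than by cleaning input on the way in.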

Reference:

Configuration

Identifier: injection/html_injection

Examples

All configuration available:

checks:
  injection/html_injection:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API10:2023
OWASP LLM Top 10    LLM06:2023
PCI DSS             6.5.1
GDPR                Article-32
SOC2                CC1
PSD2                Article-32
ISO 27001           A.14.2
NIST                SP800-53
FedRAMP             AC-4
CWE                 79
CVSS Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Score          9.8