HTML Injection

Security-related information and its use within the scope of pentesting


HTML Injection describes a type of vulnerability where it is possible to inject arbitrary HTML code into the current context of a vulnerable web page. This also includes <script> elements and event handlers and therefore allows the injection and execution of JavaScript (which is referred to as Cross-Site Scripting, aka XSS) [1].

DoS via CSP meta tag

I've stumbled across a neat and creative trick for how HTML Injection can be exploited to restrict the loading of included scripts (like jquery.js) and thereby suspend the functionality of pages that rely completely on JavaScript (e.g. a node.js Express application). When the injection point is reflected in the page's <head> section, a <meta> element can be used to define a CSP (Content-Security-Policy) that blocks the loading/execution of embedded scripts:

<meta property="og:url" content="http://;script-src 'none'" http-equiv="Content-Security-Policy" property="">
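The root cause is attribute-context injection: the og:url value is written into the <head> without encoding, so a quote in the value closes the content attribute and the rest becomes new attributes. The following is an added example (not code from the page or from any project it mentions) with an assumed minimal template: the vulnerable rendering beside the fixed one, plus a small regression check that flags a CSP <meta> element in rendered output.

```javascript
// Minimal HTML attribute escaper (assumed helper, not a library API).
// Encoding the five characters below is what keeps user input inside
// the attribute value instead of letting it start new attributes.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: the page URL is concatenated straight into the attribute,
// which is the situation the text above describes.
function renderHeadVulnerable(pageUrl) {
  return '<head><meta property="og:url" content="' + pageUrl + '"></head>';
}

// Fixed: the same template, but the value is escaped for attribute context.
// A real CSP should still be sent as a response header; this fix only closes
// the injection point, it does not replace a server-side policy.
function renderHeadSafe(pageUrl) {
  return '<head><meta property="og:url" content="' + escapeAttr(pageUrl) + '"></head>';
}

// Regression check for templates that reflect input into <head>:
// does the rendered markup now carry an http-equiv CSP <meta> element?
// Deliberately crude (regex on the raw string); good enough for a test suite.
function containsCspMeta(html) {
  return /<meta[^>]*http-equiv\s*=\s*["']?content-security-policy/i.test(html);
}

// Constructed input in the shape of the payload shown above: the quote ends the
// content attribute and the remainder introduces the http-equiv attribute.
const injectedUrl =
  'http://;script-src \'none\'" http-equiv="Content-Security-Policy" property="';

// Demonstration when run directly.
console.log('vulnerable:', renderHeadVulnerable(injectedUrl));
console.log('  CSP meta present:', containsCspMeta(renderHeadVulnerable(injectedUrl)));
console.log('fixed:     ', renderHeadSafe(injectedUrl));
console.log('  CSP meta present:', containsCspMeta(renderHeadSafe(injectedUrl)));
```

In the vulnerable output the browser sees a genuine `http-equiv="Content-Security-Policy"` attribute and enforces `script-src 'none'`; in the fixed output the whole string stays inside the `content` attribute as literal text.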