Sahil Thakur

18 June 2002


Types of HTML Injection
HTML Injection comes in two flavours: Non-Persistent (Reflected) and Persistent (Stored). Each has distinct characteristics and risks.

1. Non-Persistent (Reflected) HTML Injection
This type occurs when malicious HTML is included in a request (e.g., via URL query parameters) and reflected in the server’s response without being stored. It affects only the user who triggers the request, making it temporary but still dangerous.

Example
Consider a search page whose q parameter is echoed back into the page, reached with a URL like:

https://site.com/search?q=<h1>Welcome, Hacker!</h1>

If the server doesn’t sanitise or encode the q parameter, the browser renders the reflected <h1>Welcome, Hacker!</h1> as a large heading on the page. Attackers can craft URLs like this and trick users into clicking them, often via phishing emails or social engineering.

2. Persistent (Stored) HTML Injection
Persistent injection is more severe because the malicious HTML is stored on the server (e.g., in a database) and displayed to all users who view the affected content. This amplifies the attack’s reach.

Example
An attacker submits a blog comment consisting of an anchor tag whose visible link text is:

View Full Article

and whose href points at a site the attacker controls. If the server stores and renders this as HTML, every visitor sees a clickable link that looks legitimate but leads to the malicious site. This can persist indefinitely until the stored content is removed or the rendering is fixed.
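The reflected and stored cases above share one fix: encode untrusted text at the point where it is written into HTML. The following is an added example, not code from the original article, in the form of a small Node.js renderer. It shows the article's own <h1> payload passing straight through a vulnerable search-results template, the encoded result from a hardened one, and the same encoding applied to a stored comment. The function names, the tag-counting check and the attacker.example URL are assumptions made for illustration.

```javascript
// Added example (not from the original article): a minimal search-results
// renderer showing the reflected injection beside its fix, and the same fix
// applied to stored comment content.
// Assumption: the page is built by string concatenation and "q" (or the
// stored comment body) is the only untrusted input.

// Escape the five characters that let text break out of an HTML text node or
// a double-quoted attribute. Output encoding at render time is the primary
// defence against HTML injection, reflected or stored.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query parameter is dropped straight into the markup.
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Hardened: the same template, with the parameter encoded before insertion.
function renderSearchSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Stored case: the comment comes back out of the database and is encoded on
// output, so whatever was stored is displayed as text, never as markup.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Cheap check for unit tests: count opening tags in the rendered output.
// A template that emits exactly one element should never yield more than one.
// This is a regression test aid, not a substitute for encoding.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed inputs: the article's reflected payload, an ordinary query that
// happens to contain HTML-significant characters, and a stored comment whose
// URL is a placeholder (attacker.example is a reserved, non-routable name).
const REFLECTED_PAYLOAD = '<h1>Welcome, Hacker!</h1>';
const ORDINARY_QUERY = 'laptop & "charger"';
const STORED_COMMENT = '<a href="https://attacker.example/">View Full Article</a>';

// Stand-alone demonstration when run directly with node.
console.log('vulnerable :', renderSearchVulnerable(REFLECTED_PAYLOAD));
console.log('hardened   :', renderSearchSafe(REFLECTED_PAYLOAD));
console.log('ordinary   :', renderSearchSafe(ORDINARY_QUERY));
console.log('comment    :', renderCommentSafe(STORED_COMMENT));
```

Running the block prints the vulnerable output with a live <h1> inside the paragraph, while the hardened output contains only the template's own <p>; the ordinary query still reads correctly once the browser decodes the entities, which is why encoding beats blacklisting characters.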

Real-World Example: The Fake Login Form
To illustrate the danger, let’s walk through a realistic scenario. Suppose a job portal allows users to create profiles with a bio section. An attacker submits the following as their bio:
