HTML Injection (How Websites Work: Task 5) – Full Lab Write-Up: TryHackMe Pre-Security

Durre Shaffa

Introduction

When we interact with a website, filling forms, submitting comments, or searching content, we rarely think about what happens behind the scenes. But if a website handles input carelessly, it may be vulnerable to HTML Injection, a client-side vulnerability that allows an attacker to insert custom code into the webpage.

In Task 5 of TryHackMe’s Pre-Security course under the “How Websites Work” module, learners are introduced to this subtle yet dangerous issue. Let’s explore what HTML injection is, why it matters, and how it was exploited in this lab.


What is HTML Injection?

HTML Injection is a vulnerability that occurs when:

  • A user submits input to a website (e.g., through a form)

  • The website fails to sanitize or validate that input

  • The input is then directly rendered into the HTML of the page

This means that instead of just displaying a user’s name or message, the site may interpret and render submitted HTML code — potentially allowing the attacker to change how the page looks or behaves.


Why It’s a Problem

If an attacker can control what HTML appears on a page, they can:

  • Inject malicious links (e.g., to phishing sites)

  • Deface the page or alter content

  • Insert fake forms to steal user credentials

  • Potentially chain the attack with JavaScript Injection or escalate it to XSS

This is especially dangerous in public-facing applications like comment sections, forums, or contact forms.


The Lab Scenario

In this lab, we’re given access to a simple web form asking:

“What’s your name?”

The form passes the input to a JavaScript function named sayHi(), which then outputs the result back onto the web page.

However, there's a critical flaw:
🚨 There is no input sanitization.
Whatever HTML the user enters is directly rendered into the page's DOM.


Lab Task Objective

Inject HTML so that a malicious link to http://hacker.com is shown.


🔍 Step-by-Step Solution

  1. Click the “View Site” button in the lab environment.

  2. In the input field, enter the following HTML payload:

     <a href="http://hacker.com">Malicious Link</a>

  3. Click the button to submit your name.

✅ The page renders your input and displays the link as real, clickable HTML — not as plain text.

That means the site has failed to sanitize your input, making it vulnerable to HTML Injection.


🔐 Correct Answer:

HTML_INJ3CTI0N


Why Input Sanitization Matters

User input should always be treated as untrusted. To protect against HTML Injection (and similar issues like XSS), developers should:

  • Sanitize all input by removing or escaping HTML tags

  • Use frameworks or templating libraries, such as React, Vue, or Angular, that escape output automatically

  • Avoid directly inserting user input into the DOM

  • Validate input on both the client and server side
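To make both the flaw in the lab scenario and the sanitization advice above concrete, here is an added example that is not part of the lab or this write-up. It models the greeting page as an HTML string so it runs in Node without a browser. The page names the lab's sayHi() function but does not show its body, so sayHiVulnerable() below is an assumed reconstruction of the "input rendered straight into the page" pattern the lab describes; sayHiSafe(), escapeHtml() and looksLikeMarkup() are hypothetical names introduced here. Run against the lab payload, the escaped version renders the tag as literal text, while the tag-shaped-input check gives a simple signal that can be logged or alerted on.

```javascript
// Added example (not the lab's own code): shows how an unsanitized greeting
// becomes HTML Injection and how HTML-escaping neutralises it. The lab's
// sayHi() body is not shown in the write-up, so sayHiVulnerable() is an
// assumed reconstruction of the pattern described there.
// Runs in Node without a browser: the "page" is modelled as an HTML string.

// Escape the five characters that let text break out of an HTML text node
// or attribute value, so the browser renders them literally, not as markup.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern (assumed): user input concatenated straight into HTML,
// equivalent to `element.innerHTML = "Hello " + name` in the browser.
function sayHiVulnerable(name) {
  return `<p>Hello ${name}</p>`;
}

// Hardened pattern: same markup, but the user-controlled part is escaped.
// In a real page, setting `element.textContent = name` achieves the same.
function sayHiSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Small detection heuristic for logging or alerting: flags input that
// contains something tag-shaped. It is a monitoring signal, not a sanitizer;
// the escaping above is what actually prevents the injection.
const TAG_PATTERN = /<\s*\/?\s*[a-zA-Z][^>]*>/;
function looksLikeMarkup(input) {
  return TAG_PATTERN.test(String(input));
}

// Constructed sample inputs: an ordinary name and the payload from the lab.
const samples = [
  'Alice',
  '<a href="http://hacker.com">Malicious Link</a>',
];

for (const s of samples) {
  console.log('input      :', s);
  console.log('flagged    :', looksLikeMarkup(s));
  console.log('vulnerable :', sayHiVulnerable(s));
  console.log('hardened   :', sayHiSafe(s));
  console.log();
}
```

The vulnerable output contains a live anchor tag, which is exactly what the lab renders as a clickable link; the hardened output contains `&lt;a ...&gt;`, which the browser displays as the literal characters the user typed. Escaping at the point of output is the control that matters here; the markup check only tells you that someone tried.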


Conclusion

This lab gives a clear example of how easily a website can be manipulated when developers skip a vital security step: input sanitization. HTML Injection might seem harmless at first, but it opens the door to more advanced attacks and can severely compromise user trust and data.

Always remember:

Never trust user input — always sanitize and validate.
