Diving Into HTML & My First Encounter With Web Vulnerabilities

Andrii RAndrii R
2 min read

Today was a big day.
I didn’t just learn what a <p> tag is. I learned that websites, the things we use daily, can sometimes be tricked by just typing stuff in. That’s right, no hacking gadgets or elite gear needed - just a keyboard, a form field, and some <script> tags.

Here’s what stood out to me and what I learned:

The Basics: HTML Structure

  • Tags vs Elements:
    Tags are like commands (e.g., <p>, <h1>, <img>), while elements are the full block, including the opening tag, content, and closing tag (like <p>Hello</p>).

  • Attributes:
    Tags can have attributes like class, id, or src. For example:
    <p class="bold-text" id="intro">Welcome</p> - class can style it, id can help find it with JavaScript.

  • Self-closing Tags:
    Some don’t need a closing tag. Like <br> for a line break.

Aha Moment: The Page Title

You know that tab at the top of your browser? The one that says something like “TryHackMe | How Websites Work”?
That’s the <title> element in your HTML’s <head> section. Felt good spotting it live in action!

JavaScript Magic

  • You can grab an element like this:
    document.getElementById("demo").innerHTML = "Hack the Planet";

  • You can change the content of the page without touching the HTML file manually. It’s dynamic. Like if a button is clicked, the text can change on the fly.

  • onclick can be inside the HTML or inside the <script> section. Either works.

HTML Injection: The First Taste of Hacking

This blew my mind.

If a website allows users to input stuff - like comments or feedback - and doesn’t properly sanitize that input, someone can type:

```html
<script>alert('Hacked');</script>
```

…and boom! The script runs. That’s HTML Injection.

Attackers can:

  • Change what the page looks like

  • Add images

  • Fake login forms

  • Trick users

  • Even redirect people to other websites

All just by typing into a regular input field.

So, Is It Dangerous?

Yes, if the website doesn’t filter user input.

Developers must sanitize inputs so that the browser treats them as text, not code. That means replacing < and > with &lt; and &gt;.

Final Thoughts

I always thought hacking started with some mysterious black terminal or typing like a mad genius. But turns out, even a comment box can be a gateway if the code behind it isn’t careful.

And the best part? I’m just getting started.
This is what cybersecurity feels like - theory meets action.

0
Subscribe to my newsletter

Read articles from Andrii R directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#cybersecuritytryhackmeHTML5JavaScriptbeginnerHTMLInjection

Written by

Andrii R
Andrii R