Sunny Nehra

Reputation: 11

XSS (Cross Site Scripting) vs HTML Injection

How do we exactly differentiate between XSS and HTML injection? Both of these fall under code injection, and XSS is mainly related to JavaScript but includes other elements also, as mentioned here on Mitre. Quoting from this source:

During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.

While HTML injection is mainly related to injecting HTML code, if I go through this page of OWASP it points out HTML injection as a type of XSS. Quoting from this source:

If these methods are provided with an untrusted input, then there is an high risk of XSS, specifically an HTML injection one.

On the other hand, many sources claim that HTML injection is a subset of XSS, for example this page of OWASP. Quoting from this source:

Cross-site scripting, better known as XSS, is in fact a subset of HTML injection

There are sources trying to explain the differences between the two, but none of them seems to be a satisfactory answer (rather, they are controversial). So how exactly are they different? Can one of them be treated as a subset of the other?

Upvotes: 0

Views: 2270

Answers (2)

Ashu Zucced

Reputation: 11

XSS is related to JavaScript; however, I agree that it includes HTML entities as well and is therefore considered closely related to HTML injection. But do note that mostly the payloads used by testers are for demonstration purposes only and do not include the actual impact of the vulnerability, and that's why they don't even contain much JavaScript. Also, SOME HTML entities are important for breaking out of context, but that doesn't make it similar to HTML injection.

Upvotes: 0

Simon

Reputation: 5698

There is no consensus in these sources. In the case where sources contradict each other, you will have to make clear which definition you are using when working with the terminology.

Some sources seem to interpret XSS as JavaScript injection (1 and 2), which then is similar to HTML injection. Both are mutually exclusive subsets of code injection under this definition.

Others will define XSS as code injection (3), in which scenario HTML injection is a subset of XSS.

Upvotes: 1
