Content Injection

medium Web App Scanning Plugin ID 113212





Content Injection is an attack that injects arbitrary characters into a web page. When an application does not properly handle user-supplied data, an attacker can supply content to the web application, typically via a parameter value, which is then reflected in the page. This attack is typically used as, or in conjunction with, social engineering: the attacker transmits a URL that completely modifies the target page with, for example, a fake authentication screen in order to steal the user's credentials. In some cases, this attack can also lead directly or indirectly to Cross-Site Scripting.


To remedy Content Injection vulnerabilities, it is important to never use untrusted or unfiltered data within the code of an HTML page.
Untrusted data can originate not only from the client but potentially from a third party, a previously uploaded file, etc.
Filtering of untrusted data typically involves converting special characters to their HTML entity encoded counterparts (however, other methods do exist, see references). These special characters include:

* `&`
* `<`
* `>`
* `"`
* `'`
* `/`

An example of HTML entity encoding is converting `<` to `&lt;`.
Although it is possible to filter untrusted input, there are five locations within an HTML page where untrusted input (even if it has been filtered) should never be placed:

1. Directly in a script.
2. Inside an HTML comment.
3. In an attribute name.
4. In a tag name.
5. Directly in CSS.

Each of these locations has its own form of escaping and filtering.
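
The encoding step described above, as an added example (not part of the plugin or of any vendor code): it entity-encodes the six listed characters before reflecting a parameter into an element body, next to the unencoded pattern that is injectable. The template, function names and sample values are constructed for illustration; the last check shows why entity encoding gives no protection in a script context, one of the five locations listed.

```python
# Added example: entity-encode the six special characters before
# reflecting a request parameter into an HTML element body.
ENTITY_MAP = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
})

# Constructed template: the parameter lands in an element body, a
# location where entity encoding is the appropriate defence.
PAGE = "<html><body><p>Results for: {term}</p></body></html>"


def encode_for_html(untrusted: str) -> str:
    """Replace each special character with its HTML entity (single pass)."""
    return untrusted.translate(ENTITY_MAP)


def render_unsafe(term: str) -> str:
    """Reflects the parameter verbatim: the pattern a scanner flags."""
    return PAGE.format(term=term)


def render_safe(term: str) -> str:
    """Reflects the parameter only after entity encoding."""
    return PAGE.format(term=encode_for_html(term))


def survives_encoding(untrusted: str) -> bool:
    """True when encoding leaves the value unchanged, i.e. the encoder
    would do nothing for it in a script, comment or CSS context."""
    return encode_for_html(untrusted) == untrusted


# Constructed sample values, not taken from any real request.
INJECTED = '</p><h1>Site moved</h1><p class="x">'
SCRIPT_CONTEXT_VALUE = "0;notify()"  # contains none of the six characters

if __name__ == "__main__":
    print(render_unsafe(INJECTED))   # injected heading becomes live markup
    print(render_safe(INJECTED))     # injected heading is displayed as text
    print(survives_encoding(SCRIPT_CONTEXT_VALUE))
```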


Plugin Details

Severity: Medium

ID: 113212

Type: remote

Family: Injection

Published: 3/31/2022

Updated: 3/31/2022

Scan Template: api, full, pci, scan

Risk Information


Risk Factor: Low

Score: 3.5


Risk Factor: Low

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: Tenable


Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 74

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 108, 120, 13, 135, 14, 24, 250, 267, 273, 28, 3, 34, 42, 43, 45, 46, 47, 51, 52, 53, 6, 64, 67, 7, 71, 72, 76, 78, 79, 8, 80, 83, 84, 9


HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10


OWASP ASVS: 4.0.2-5.2.5

PCI-DSS: 3.2-6.5.1