# HTML Injection

Occurs when you can inject HTML, but not Javascript for whatever reason.

### Steal Cookies

I haven’t tested this, but HTML5 allows for `<img>` tags with CORS cross-origin use-credentials. This would allow you to steal cookies if you have a website that accepts CORS-with-credentials requests and logs the cookies.

### Steal Credentials

You can try to [phish](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/user-attacks/phishing) for credentials.