@LunarN0v4
Created October 3, 2023 07:43
Text and Value Injection
Text injection means injecting text into a website so that it overwrites the original content.
Value injection means injecting a custom value to change what a website says. It is not the same as text injection, but it can be used for a similar purpose.
These are NOT vulnerabilities, but they can be used to deceive people. It might be best to use JS to circumvent this issue.
Popular platforms are usually not affected by these issues.
Here's an example of how text injection can be done:
Let's take "example.com" and repurpose the link to take in text. Say the text is an error, so we set the text input to "err". The page takes this value from the URL and puts it on the page, and even if you reload, it shows up the same way every time:
example.com/?err=
Cool, now let's add error text to it:
example.com/?err=Operation+Failed
Now that we have a base, let's edit it to say whatever we want!
example.com/?err=Text+Injection+Test
Nice! You have just done some easy text injection.
Here's what value injection looks like:
Let's take "example.com", add a "val" variable to it, and make the website display a number from 1-10. So "val=1", "val=2", etc. are all possible combinations, and we could possibly go outside those initial boundaries if the site lets us.
example.com/?val=
Nice, now let's add a random value to it:
example.com/?val=7
Epic, now let's make it our own value:
example.com/?val=10
Nice! Now let's see how far we could push the boundaries of value injection.
Let's try a number outside of what's possible, like these:
example.com/?val=11
example.com/?val=10000
example.com/?val=-10000
Let's try turning this into a text injection attack by assuming the website just displays the value:
example.com/?val=I+just+injected+text+into+a+number
Epic! You have now learnt the power of value injection and the ways it can be misused.
This is for website owners, to let them know that these techniques could be abused to scam or confuse people into believing things.
Please update your websites!
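One way a site owner could close both gaps described above, as an added example that is not part of the original gist: "err" is treated as a code looked up in a fixed message table instead of text to display, and "val" is accepted only as an integer from 1 to 10. The ERROR_MESSAGES table, its codes and the function names are hypothetical.

```javascript
// Added example: allow-list handling for the "err" and "val" parameters.
// ERROR_MESSAGES, its codes and the function names are hypothetical.
const ERROR_MESSAGES = {
  op_failed: "Operation Failed",
  not_found: "Page Not Found",
};
const VAL_MIN = 1;
const VAL_MAX = 10;

// Return site-owned text for a known error code, or null for anything else.
// Free text such as "Text Injection Test" is never echoed back.
function resolveError(raw) {
  if (raw === null) return null;
  return Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, raw)
    ? ERROR_MESSAGES[raw]
    : null;
}

// Accept only a plain decimal integer inside [VAL_MIN, VAL_MAX].
function resolveValue(raw) {
  if (raw === null || !/^\d{1,2}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= VAL_MIN && n <= VAL_MAX ? n : null;
}

// Parse a URL and return only vetted content to render.
function vetParams(href) {
  const params = new URL(href).searchParams;
  return {
    error: resolveError(params.get("err")),
    value: resolveValue(params.get("val")),
  };
}

// Constructed sample URLs, mirroring the ones in the text above.
const samples = [
  "https://example.com/?err=op_failed",
  "https://example.com/?err=Text+Injection+Test",
  "https://example.com/?val=7",
  "https://example.com/?val=10000",
  "https://example.com/?val=-10000",
  "https://example.com/?val=I+just+injected+text+into+a+number",
];
for (const href of samples) {
  console.log(href, "->", JSON.stringify(vetParams(href)));
}
```

In a browser, write the returned values into the page with textContent rather than innerHTML, and show a neutral default when a field comes back as null.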