HTML Injection – Reflected (GET)


Now that you know exactly what HTML injection is from my previous article, it's time to break some code. Once you log in to bWAPP, you should see a dropdown 'Choose your bug'. Select 'HTML Injection - Reflected (GET)' and click the Hack button.

Okay, now enter some text in the first name and last name fields, click the 'Go' button, and examine both the page and the URL. You should notice that the first and last name you entered are displayed on the screen, and that the URL contains the same characters in plain text as well. Right?


Now, how do you know whether the form method is 'GET' or 'POST'?
Yes, I read your mind and you're right: view the page source to find out which method is being used. Right-click and choose 'View page source', then search for 'Welcome'. You should see an HTML form tag with method=GET. This means that when the GET method is used in a form, the user input is displayed in the URL as well as on the screen.


Okay, now it's time to inject some HTML code into those fields.
Try "<h2>Your Name</h2>" or "<marquee>HEHEHEHE</marquee>", without the double quotes, lol..!


Cool, you've successfully injected your HTML code. With this you can deface the website, or even insert a dummy login screen that captures login details when users enter their credentials.

Examples: try these in the first name and last name fields:
<a href="http://itsecgames.com"><h1>Click Here</h1></a>
<h2>bWAPP</h2>

Interesting, right? Now try the same exercise after selecting the security level 'Medium'. Just insert any HTML code in those fields. It didn't work, right?


What happened here? Do you really think the developer sanitized the user input and the page is safe from HTML injection? Okay, now just copy your HTML code, URL-encode it (search for an online URL encoder in Google), and copy the encoded text.
Paste it into the application's first name and last name fields. Did it work now?
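To see why URL-encoding the payload gets past the medium level, here is an added example (my own Python model, not bWAPP's PHP code) of the reflected GET flow: the browser encodes the fields, the server decodes the query once, a filter runs, and the result is reflected into the page. The medium-level filter is an assumed reconstruction of a classic mistake, escaping angle brackets and then URL-decoding; the hostname and the exact 'Welcome' line are constructed.

```python
import html
from urllib.parse import parse_qs, unquote, urlencode, urlparse

BASE_URL = "http://bwapp.example/htmli_get.php"  # constructed host, not a real target


def submit_form(first: str, last: str) -> str:
    """What the browser does on 'Go': percent-encode the GET fields into the URL."""
    return BASE_URL + "?" + urlencode({"firstname": first, "lastname": last, "form": "submit"})


def query_params(url: str) -> dict:
    """Server side: the framework URL-decodes each query value exactly once."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def weak_filter(value: str) -> str:
    """Assumed medium-level filter: escapes < and > and THEN URL-decodes, so a
    %3C / %3E that was invisible to the escaping step comes out as a raw tag."""
    value = value.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(value)  # the bug: decoding after escaping


def safe_filter(value: str) -> str:
    """Fix: the value is already fully decoded; HTML-escape it at output time."""
    return html.escape(value, quote=True)


def render_welcome(url: str, sanitizer) -> str:
    """Builds the reflected 'Welcome ...' line the page shows after submission."""
    p = query_params(url)
    return f"Welcome {sanitizer(p['firstname'])} {sanitizer(p['lastname'])}"


def reflects_markup(rendered: str) -> bool:
    """True if a raw tag reached the response, i.e. the browser would render it."""
    return "<" in rendered and ">" in rendered


if __name__ == "__main__":
    plain = "<h2>bWAPP</h2>"                 # blocked by the weak filter
    encoded = "%3Ch2%3EbWAPP%3C%2Fh2%3E"     # the article's URL-encoded variant
    for payload in (plain, encoded):
        url = submit_form(payload, "test")
        print("weak:", render_welcome(url, weak_filter))
        print("safe:", render_welcome(url, safe_filter))
```

The fix is not a better blacklist: decode the request exactly once, then HTML-escape every reflected value at the point it is written into the page.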


Okay, now try injecting after changing the security level to 'High'. I can give you one hint: input some text in the first and last name fields, prepended with a large run of spaces
(ex: "            test"), and notice what happens. You can still break the code.
Hint: null character (Alt 255)
I hope you've enjoyed this a bit. We will look at other types of injection in the next articles. By the way, never try these injections on applications you are not authorized to test.

DISCLAIMER : THE INFORMATION PUBLISHED IN THIS ARTICLE IS FOR EDUCATIONAL PURPOSE ONLY. ANY MISUSE OF THIS INFORMATION WILL NOT BE THE RESPONSIBILITY OF THE AUTHOR OF THE WEBSITE. THIS IS JUST MY LEARNING EXPERIENCE AND EDUCATIONAL BLOG FOR PEOPLE WHO WOULD LEARN FROM MY EXPERIENCE