From the previous article we learned how to find and exploit HTML injection with the HTTP verb ‘GET’. Now we will inject using the ‘POST’ method. Pass some values in the first name and last name fields and click on ‘Go’. There isn’t much difference in the exploits, but notice the URL here: no parameters are being passed in the URL, whereas with the GET method we could see the parameters and their values in the URL. You can try the examples shown in the article HTML Injection with GET.
Here I am using Burp Suite as an interceptor to modify the request parameters being sent from the client to the server. You can download the free version of Burp Suite from here. You also need to install Java before installing Burp. Don’t worry about the usage; the Burp Suite website also has pretty good documentation with examples, including how to configure it with your browser. I am using the pro version. You can also buy the pro version; it is not so expensive. I am not covering much on Burp Suite here. Maybe I’ll post a few articles exclusively on Burp later. Coming back to our bWAPP application.
I have configured the Burp proxy with my Firefox browser and turned on the interceptor in the ‘Proxy’ tab of Burp Suite. Now enter text in the first and last name fields and click on ‘Go’. Since we have an interceptor, this request doesn’t reach the server unless we forward it. Before sending the request to the server, I just want to modify the values in the parameters.
Now pass your injection in the fields. First Name: Dollar
Notice that we’ve injected our HTML via the POST form. You can inject anything to trick others.
<a style="font-size: 14px; text-decoration: none; margin: 0 auto; background: #69a229; color: white; font-weight: 400; border: 1px solid #457a04; border-radius: 4px; display: inline-block;" href="http://itsecgames.com" target="_blank"><span style="display: inline-block; padding: 10px 34px;">Click here to win IPhone99</span></a>
From the above example, possible attacks could be:
a) A malicious user sends invitations containing an HTML injection
b) The victim thinks that’s a button from the application itself
c) The victim’s browser gets hijacked
Don’t wait for what you wish to see; think about several ways to break the code. Now let’s try Burp Suite features to break the application code.
Enter the following text in the first and last name fields and click on ‘Go’:
<b>this is first name</b>
<b>this is last name </b>
Nothing happened, right? So let’s use the Burp interceptor and modify the values in the parameters. If you have the Burp pro version, go to the Decoder tab; otherwise you can also use an online URL encoder. Paste the text in the Decoder tab, click on Encode as ‘URL’, and then encode the already encoded text once more.
Copy the double-encoded text and use it to replace the values of the first and last name parameters. Now forward the request to the server. You should see the injected HTML rendered on the page.
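Double encoding only helps when a filter escapes the raw value and URL-decodes it afterwards: the server decodes once, the filter finds no angle brackets to escape, and its own decode then restores them. The following is an added example (not code from this article or from bWAPP) that models that ordering bug beside the corrected ordering, using the ‘first name’ value from above as constructed input; the filter functions are assumptions about the pattern, not bWAPP’s source.

```python
from urllib.parse import quote, unquote
import html

# Constructed sample input: the value injected into the first name field.
PAYLOAD = "<b>this is first name</b>"


def single_url_encode(value: str) -> str:
    """What the browser normally sends in the POST body."""
    return quote(value, safe="")


def double_url_encode(value: str) -> str:
    """Encode twice, as done in Burp's Decoder tab."""
    return quote(quote(value, safe=""), safe="")


def server_decode(raw_param: str) -> str:
    """The web server / PHP decodes the POST body exactly once."""
    return unquote(raw_param)


def vulnerable_filter(data: str) -> str:
    """Escapes '<' and '>' first, then URL-decodes (assumed bug pattern)."""
    escaped = data.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(escaped)  # undoes the protection for %3C / %3E input


def hardened_filter(data: str) -> str:
    """Decode until stable first, then HTML-encode for output."""
    for _ in range(5):  # bounded loop handles multiply encoded input
        decoded = unquote(data)
        if decoded == data:
            break
        data = decoded
    return html.escape(data, quote=True)


def render(filter_fn, submitted: str) -> str:
    """Simulate submit -> server decode -> filter -> page fragment."""
    return filter_fn(server_decode(submitted))


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_filter), ("hardened", hardened_filter)):
        for enc_label, enc in (("single", single_url_encode), ("double", double_url_encode)):
            print(f"{label:10} {enc_label}: {render(fn, enc(PAYLOAD))}")
```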
HTML Injection – Reflected (URL)
Similar to injection with POST, this is quite simple to exploit. I am using IE to attack with an exploit. This may not work in other browsers.