HTML Injection Reflected – POST


In the previous article we saw how to find and exploit HTML injection with the HTTP verb ‘GET’. Now we will inject using the ‘POST’ method. Enter some values in the first name and last name fields and click on ‘Go’. There is not much difference in the exploit itself, but notice the URL: no parameters are passed in it, whereas with the GET method the parameters and their values were visible in the URL. You can try the examples shown in the article HTML Injection with GET.

[Screenshot: Source_POST.png]

Here I am using Burp Suite as an interceptor to modify the request parameters sent from the client to the server. You can download the free version of Burp Suite from here. You also need to install Java before installing Burp. Don’t worry about the usage; the Burp Suite website has good documentation with examples, including how to configure it with your browser. I am using the Pro version. You can also buy the Pro version; it is not very expensive. I am not covering Burp Suite in depth here; maybe I’ll post a few articles exclusively on Burp later. Coming back to our bWAPP application.

I have configured the Burp proxy with my Firefox browser and turned on the interceptor in the ‘Proxy’ tab of Burp Suite. Now enter text in the first and last name fields and click on ‘Go’. Since the interceptor is on, this request does not reach the server until we forward it. Before sending the request to the server, I want to modify the values in the parameters.

[Screenshot: Burp_POST001]

Now pass your injection in the fields. First Name: Dollar
Notice that we have injected our HTML through the POST form. You can inject anything to trick other users.
Examples:
Hey..!
<a style="font-size: 14px; text-decoration: none; margin: 0 auto; background: #69a229; color: white; font-weight: 400; border: 1px solid #457a04; border-radius: 4px; display: inline-block;" href="http://itsecgames.com" target="_blank"><span style="display: inline-block; padding: 10px 34px;">Click here to win IPhone99</span></a>

With the above example, possible attacks could be:
a) A malicious user sends invitations containing an HTML injection
b) The victim thinks it is a button from the application itself
c) The victim’s browser gets hijacked

Once you inject the above code, you will see it on your screen until the current session ends, and you see nothing in the URL. This is the major difference between GET and POST injections. You may wonder why we used Burp Suite when this exploit could be done manually without a tool. The reason is that with Burp you can easily bypass the JavaScript validations. Okay, now change the security level from ‘low’ to ‘medium’ and try all your exploits without Burp Suite.

Don’t wait for what you wish to see; think about several ways to break the code. Now let’s try Burp Suite features to break the application code.
Enter the text in the first and last name fields and click on ‘Go’:
<b>this is first name</b>
<b>this is last name </b>
[Screenshot: Fail001]

Nothing happened, right? So let’s use the Burp interceptor and modify the values in the parameters. If you have Burp Pro, go to the Decoder tab; otherwise you can use an online URL encoder. Paste the text in the Decoder tab, click on Encode as ‘URL’, and then encode the encoded text once more.

[Screenshot: DoubleEncode_001]

Copy the double-encoded text and replace the values of the first and last name parameters with it. Now forward the request to the server. You should see the injected HTML rendered on the screen.

[Screenshot: PasteDE.png]
[Screenshot: Success.png]
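To make clear why the plain <b> tags are escaped at the medium level but the double-encoded version is reflected, and what a correct fix looks like, here is an added example in Python that is not part of this article and not bWAPP’s own code. It models the whole path: the browser (or Burp Decoder) URL-encodes the form fields one or more times, the web server decodes the body exactly once, and the application then runs one of three assumed filters before reflecting the values. The "medium" filter is an assumed model of the filter class that double encoding defeats (neutralise angle brackets first, URL-decode afterwards); the "hardened" filter escapes at output and never decodes again. The field names firstname/lastname and the sample inputs are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, quote, unquote

# Constructed sample input (hypothetical, not taken from the article's screenshots).
FIRST_NAME_PAYLOAD = "<b>this is first name</b>"
LAST_NAME = "Dollar"


def build_post_body(firstname: str, lastname: str, encode_passes: int = 1) -> str:
    """Build an application/x-www-form-urlencoded body.

    A browser URL-encodes each field once. Re-running Burp Decoder's
    'Encode as URL' on an already encoded value is modelled by applying
    quote() more than once (encode_passes=2 gives the double encoding).
    """
    def encode(value: str) -> str:
        for _ in range(encode_passes):
            value = quote(value, safe="")
        return value

    return f"firstname={encode(firstname)}&lastname={encode(lastname)}"


def server_parse(body: str) -> dict:
    """Decode the form body exactly once, as the web server does before the
    application sees the POST fields (parse_qs models that single decode)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def filter_low(value: str) -> str:
    """No sanitisation at all: the input is reflected verbatim."""
    return value


def filter_medium(value: str) -> str:
    """Assumed shape of a weak filter: neutralise angle brackets and only then
    URL-decode the value. The decode runs after the check, so a '%3C' that
    survived the server's single decode turns into '<' untouched. This is a
    model of the filter class double encoding defeats, not bWAPP's code."""
    checked = value.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(checked)


def filter_hardened(value: str) -> str:
    """Escape at output time and never decode again: whatever string arrives
    is rendered as text, so there is no second decode for an attacker to
    target."""
    return escape(value, quote=True)


FILTERS = {
    "low": filter_low,
    "medium": filter_medium,
    "hardened": filter_hardened,
}


def handle_request(body: str, level: str) -> str:
    """Parse the POST body and return the HTML the page would reflect."""
    fields = server_parse(body)
    sanitise = FILTERS[level]
    first = sanitise(fields.get("firstname", ""))
    last = sanitise(fields.get("lastname", ""))
    return f"<p>Welcome {first} {last}</p>"


def reflects_raw_tag(html: str, tag: str = "<b>") -> bool:
    """True when the injected tag reached the page unescaped."""
    return tag in html


if __name__ == "__main__":
    for passes in (1, 2):
        body = build_post_body(FIRST_NAME_PAYLOAD, LAST_NAME, encode_passes=passes)
        print(f"\nPOST body (encoded {passes}x): {body}")
        for level in FILTERS:
            page = handle_request(body, level)
            status = "INJECTED" if reflects_raw_tag(page) else "escaped"
            print(f"  {level:9s} -> {status}: {page}")
```

Running it shows the single-encoded tags reflected at "low", escaped at "medium", and reflected again at "medium" once the body is double-encoded, because the value the filter inspects contains only %3C and %3E and the unquote step runs after the check. The "hardened" filter never reflects a tag in either case: the fix is to canonicalise once (the server already did) and escape at the point of output, not to decode after validating.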

HTML Injection – Reflected (URL)

Similar to the injection with POST, this is quite simple to exploit. I am using IE to attack with this exploit; it may not work in other browsers.

http://192.168.1.103/bWAPP/htmli_current_url.php#<h1>XSS DOM</h1>

[Screenshot: IE]

DISCLAIMER : THE INFORMATION PUBLISHED IN THIS ARTICLE IS FOR EDUCATIONAL PURPOSE ONLY. ANY MISUSE OF THIS INFORMATION WILL NOT BE THE RESPONSIBILITY OF THE AUTHOR OF THE WEBSITE. THIS IS JUST MY LEARNING EXPERIENCE AND EDUCATIONAL BLOG FOR PEOPLE WHO WOULD LEARN FROM MY EXPERIENCE
