HTML Injection Introduction

March 31, 2017 | Views: 8941

What is HTML injection?

As you know, HTML is used to build web pages. But what happens if a developer forgets to sanitize user input, or doesn't anticipate how a hacker will use the application? Do you know what can be done if this vulnerability exists? Injection doesn't even need a toolkit. An attacker may deface the site, redirect a legitimate user to a malicious site, or change content and images by injecting their own HTML code. To inject something, though, you need to know the basics of HTML. HTML injection is similar to XSS; the difference is that it uses plain HTML, whereas XSS may use script tags with a chunk of JavaScript code.

There are a few types of HTML injection. You can see them in the bWAPP application, which we installed earlier. Don't worry, we will do a few exercises in a moment.

HTML Injection is categorized into four types:

1. Reflected – GET
2. Reflected – POST
3. Reflected – URL
4. Stored

Before that, I suggest getting to know the HTTP verbs. Without the HTTP basics this won't be nearly as interesting. Click here to learn the basic concepts.

I'll try to keep this as interesting as I can. We will do a few hacks in the next articles. Be ready: launch your bee-box VM in VMware and log in to the bWAPP app. With bWAPP, you can try all of the OWASP Top 10 vulnerabilities.

I just want to share what I have learned, which might help newbies. I'll keep posting articles contributed to the community. If I am wrong or have missed anything, then please let me know. If I'm wrong I could be corrected.

HTML Injection – Reflected (GET)

Now you know exactly what HTML injection is from my previous article. It's time to break some code. Once you log in to bWAPP, you should see a dropdown, 'Choose your bug'. Select 'HTML Injection - Reflected (GET)' and click the Hack button.

Okay, now examine the first name and last name fields, and also the URL, once you enter some text and click the 'Go' button. You should notice that the first and last name you entered are displayed on the screen, and that the URL contains those characters in plain text as well.


Now, how do you know whether the form method is 'GET' or 'POST'?
View the page source to see which method is being used: right-click and choose View Page Source, then search for 'Welcome'. You should see an HTML form tag with method=GET. This tells you that when the GET verb is used in a form, the user input is displayed in the URL as well as on the screen.


Okay, now it's time to inject some HTML code into those fields.
Try "<h2>Your Name</h2>" or "<marquee>HEHEHEHE</marquee>" (excluding the double quotes, lol).


Cool, you've successfully injected your HTML code. With this flaw the website can be defaced, and a dummy login screen can be injected that captures login details when users enter their credentials.

Examples: try these in the first name and last name fields:
<a href="http://itsecgames.com"><h1>Click Here</h1></a>
<h2>bWAPP</h2>

Interesting, right? Now try the same exercise with the security level set to 'Medium'. Insert any HTML code in those fields. It didn't work, right?


What happened here? Do you really think the developer sanitized the user input and the page is safe from HTML injection? Okay, now copy your HTML code and URL-encode it (search Google for an online URL encoder, e.g. 'encodeURL'), then copy the encoded text. Paste it into the first and last name fields of our application. Did it work now?
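Why the encoded payload gets through at medium while the plain one does not, as an added example (not from the original article and not bWAPP's own code). It assumes the medium-level filter replaces angle brackets and then URL-decodes the value, and sets that beside output encoding at the point of display; all function names are hypothetical.

```python
# Added example: models of reflected-input handling, not bWAPP's source code.
# Each function receives the parameter value as the application sees it,
# i.e. after the web server's normal single URL-decode of the query string.
import html
from urllib.parse import unquote

def render_low(firstname: str) -> str:
    """No filtering: input is concatenated straight into the page."""
    return "Welcome " + firstname

def render_medium(firstname: str) -> str:
    """ASSUMED medium-level behaviour: neutralise < and >, then URL-decode.
    Decoding after filtering brings back characters the filter never saw."""
    filtered = firstname.replace("<", "&lt;").replace(">", "&gt;")
    return "Welcome " + unquote(filtered)

def render_hardened(firstname: str) -> str:
    """Fix: no extra decoding, and HTML-encode at the point of output."""
    return "Welcome " + html.escape(firstname, quote=True)

def contains_live_tag(page: str, tag: str = "<h2>") -> bool:
    """True if the literal tag survives into the page as markup."""
    return tag in page

# Constructed sample inputs, based on the payload shown in the article.
PLAIN = "<h2>Your Name</h2>"
ENCODED = "%3Ch2%3EYour%20Name%3C%2Fh2%3E"  # PLAIN after URL-encoding

def run_cases() -> dict:
    """Render each input through each handler and report whether markup survives."""
    return {
        "low/plain": contains_live_tag(render_low(PLAIN)),
        "medium/plain": contains_live_tag(render_medium(PLAIN)),
        "medium/encoded": contains_live_tag(render_medium(ENCODED)),
        "hardened/plain": contains_live_tag(render_hardened(PLAIN)),
        "hardened/encoded": contains_live_tag(render_hardened(ENCODED)),
    }

if __name__ == "__main__":
    for case, live in run_cases().items():
        print(f"{case:18} tag rendered as markup: {live}")
```

The hardened handler treats the encoded string as ordinary text, so the percent-escapes are shown literally instead of being turned back into tags.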


Okay, now try injecting with the security level changed to 'high'. I can give you one hint: enter some text in the first and last name fields, prepended with a large space (ex: " test"), and notice what happens. You can still break the code. Hint: null character (Alt 255).

14 Comments
  1. @pavlo94 @crackersss have you tried using a special character?
    Windows – Alt key + 255 num or ALT + 0160
    Linux – CTRL + SHIFT + U+ 00A0

    Pass these in the parameters and see how the system responds with the SPACE key and the above keys.

  2. How can the null character be used? Unable to find any way.

  3. Really getting stuck at the high level. How can we bypass it?

  4. Any help in regards to the null character?
