HTML Injection Reflected – POST

April 2, 2017 | Views: 8547

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

From the previous article, we came to know how to find and exploit HTML injection with HTTP verb ‘GET‘. Now we will inject with method ‘POST‘. Pass some values in: first name and last name, and click on ‘Go’. There’s not much difference in the exploits, but notice the URL here, there are no parameters being passed in URL. Whereas in the GET method we could see parameters with values in the URL. You can try the examples shown in article HTML Injection with GET.


Here I am using Burp suite an interceptor, to modify the request parameters being sent from the client to server. Well, you can download the free version of burp suite from here. You also need to install Java before installing Burp. Don’t worry about the usage, burp suite website also has pretty good documentation with examples including configuring your browser. I am using the pro version of it. If you choose to purchase the pro version, it is not very expensive. I am not covering much on burp suite here. Maybe I will post a few articles exclusively on Burp later. Coming back to our bWAPP application.

I have configured Burp proxy with my Firefox browser. And I have turned on the interceptor in ‘Proxy‘ tab of Burp suite. Now enter text in first and last name fields and click on ‘Go‘. Since we have an interceptor, this request doesn’t go to the server unless we forward the request. Before sending the request to the server I just want to modify the values in the parameters


Now pass your injection in the fields. First Name: Dollar
Notice that we’ve injected our HTML in the POST form. You can inject anything to trick others.
<a style=”font-size: 14px; text-decoration: none; margin: 0 auto; background: #69a229; color: white; font-weight: 400; border: 1px solid #457a04; border-radius: 4px; display: inline-block;” href=”; target=”_blank”><span style=”display: inline-block; padding: 10px 34px;”>Click here to win IPhone99</span></a>

By the above example, possible attacks could be

a) Malicious user sends invitations with HTML injection
b) Victim thinks that’s a button from the application itself
c) Victims browser gets hijacked

Once you inject the above code, you will see it on your screen till the current session is dead. And you see nothing in the URL. This is major difference between GET and POST injections. You may wonder why did we use Burp Suite though this exploit could be done manually without using a tool. The reason is that, using burp you can easily bypass the javascript validations. Okay, just change the Security level from ‘low‘ to ‘medium‘. Try all your exploits without burp suite.

Don’t wait for what you wish to see, think about several ways to break the code. Now lets try Burp suite features to break the application code
Enter the text in the first and last names, click on ‘Go’
<b>this is first name</b>
<b>this is last name </b>


Nothing happened right? Why don’t we use Burp interceptor and modify the values in the parameter? If you got the pro version, then go to the decoder tab, else you can also do it online Encode URL. Now paste the text in the decoder tab, click on Encode as ‘URL’ and again encode the encoded text.


Copy the double encoded text and replace with values in the first and last name parameters. Now, forward the request to the server. You should see the injected HTML on the screen successfully.


HTML Injection – Reflected (URL)

Similar to injection with POST, this is quite simple to exploit. I am using IE to attack with an exploit. This may not work in other browsers<h1>XSS DOM</h1>


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Hi, great article!
    But could you explain why the double encoding worked?


  2. great help thanks for helping me out in it, but how did you figure out for that double encoding will work in the medium level , i tried to look at the source code but it is exactly simple to the other we have in easy , so how to check weather to use double url encode or single. btw thanks for the ind blowing article looking forward for your reply.

  3. Good job. /*burps/* LOL +10

  4. Does thid affect everyone that enters the web page?

    • Hi, You’re are referring to which command? It depends on the application. Most commonly this is user specific. Check my other article on Stored HTML injection which also make an impact on Other users

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?