The application outputs “Hello Ashu!” when we enter the name “Ashu” in the text field provided, which tells us that this application reflects what we input back to the page. Vulnerable code would look something like this:

Now the question is whether the website will treat this injected HTML as markup or just as normal text that we entered. If it treats it as markup then BOOM!!! The website is vulnerable to HTML injection.
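As an added illustration (not code from the article, from TryHackMe or from Mutillidae), here is a small Python rendering of the reflection the page describes: a vulnerable renderer that drops the name field and the User-Agent, Referer and PHPSESSID values straight into the HTML, beside a hardened one that escapes each value at output time, plus the probe check the article performs by hand. The template, field names and sample values are constructed assumptions.

```python
import html
from typing import Callable, Dict, List

# Constructed baseline request: a form field plus the three header/cookie
# values the article later shows being reflected into the page.
BASELINE: Dict[str, str] = {
    "name": "Ashu",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "Referer": "http://example.invalid/index.php",
    "PHPSESSID": "constructed-session-id",
}

# Assumed page template; every placeholder is attacker-influenced.
TEMPLATE = (
    "<p>Hello {name}!</p>"
    "<p>Your browser: {ua}</p>"
    "<p>You came from: {ref}</p>"
    "<p>Session: {sess}</p>"
)


def render_vulnerable(req: Dict[str, str]) -> str:
    """Reflects every value verbatim: '<h1>' in any of them becomes live markup."""
    return TEMPLATE.format(name=req["name"], ua=req["User-Agent"],
                           ref=req["Referer"], sess=req["PHPSESSID"])


def render_hardened(req: Dict[str, str]) -> str:
    """Same page, but each value is HTML-escaped at the point of output, so a
    '<' reaches the browser as '&lt;' and is displayed as text, not parsed."""
    esc = html.escape  # escapes < > & and quotes
    return TEMPLATE.format(name=esc(req["name"]), ua=esc(req["User-Agent"]),
                           ref=esc(req["Referer"]), sess=esc(req["PHPSESSID"]))


def reflects_markup(body: str, probe: str = "<h1>TEST</h1>") -> bool:
    """The article's test oracle: inject a harmless probe and check whether the
    raw tag comes back unescaped. True means the input is treated as HTML."""
    return probe in body


def reflected_fields(render: Callable[[Dict[str, str]], str],
                     probe: str = "<h1>TEST</h1>") -> List[str]:
    """Puts the probe into one field at a time (what the article does by hand
    with the form, the User-Agent header, the cookie and the Referer) and
    reports which fields the renderer reflects as live markup."""
    hits = []
    for field in BASELINE:
        req = dict(BASELINE)
        req[field] = probe
        if reflects_markup(render(req), probe):
            hits.append(field)
    return hits


if __name__ == "__main__":
    print("vulnerable reflects:", reflected_fields(render_vulnerable))
    print("hardened reflects:  ", reflected_fields(render_hardened))
```

The fix is output encoding at the sink, not input filtering: the hardened renderer still accepts the same data, it just never lets it become markup.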

Now let’s do some challenges on TryHackMe and OWASPBWA vulnerable machines.

1. TryHackMe (OWASP TOP 10 [Task 5])

If this is your first time working on TryHackMe, read my other article about it first. Now let’s begin with today’s challenge. Note: Task 5 is actually for command execution, but we can still use it for HTML injection. The user might not exist, but we are hackers. Typing in

<h1>TEST</h1>

inside the input field and pressing Enter shows the reflected code, i.e. TEST in ‘header 1’ format. HTML code injected successfully. Turn on intercept and reload the page. Let’s modify the User-Agent header to our HTML payload and forward the request. HOORRRAAAAHHHHH!!!! It’s changed.

Inside OWASP Mutillidae II, navigate to: OWASP Mutillidae II → OWASP 2013 → A1 → HTMLi Via Cookie Injection → Capture Data. Our PHPSESSID is getting reflected on the webpage. Now you know what we can do with it, don’t you? It’s better to turn the intercept off. To learn more about how to use the META tag to redirect a site, look in the bonus resources section.

3. Advanced Example

We can create a fake login page, exactly like the one that we are testing, then redirect the real page to the fake page and capture the username and password if it’s a login page.

Example 1 (HTML5 storage)

Navigate to: OWASP Mutillidae II → OWASP 2013 → A1 → HTMLi Via DOM Injection → HTML5 Storage. If we “Add” our inputs, they get reflected on the page.

Nothing is intercepted for “Add New”, but we can still try to inject our HTML code into the fields.

We can inject HTML only into the “Add key {$key} to Session storage” phrase.

Example 2 (Those “Back” buttons)

Navigate to: OWASP Mutillidae II → OWASP 2013 → A1 - Injection (Other) → HTML Injection (HTMLi) → Those “Back” Button. There are no input fields, so what and where are we going to inject our HTML code?? We can intercept the back button’s request and see if the above lines are true. Indeed it’s true, but how is it going to help us, as it’s not reflected on our page? Let’s look at its HTML code. Hmm, looks interesting!!! We won’t see any change on the current page, so let’s try to change the Referer URL to something else. BOOM!!! HTML code successfully injected.
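The TryHackMe step above injected through the User-Agent header and this one through the Referer; both headers land in a standard web-server access log, so the defender's side of the same observation is a log check. The following Python is an added example, not code from the article or from any of the tools it mentions: it parses combined-format log lines (constructed for this example) and flags requests whose User-Agent, Referer or request line carries an HTML tag, including the URL-encoded form that a query-string injection would leave behind. The log lines, paths and addresses are made up.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache/nginx "combined" log lines. Fields after the status and
# size are the quoted Referer and User-Agent, exactly where header injection
# attempts end up once the request has been served.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /form.php HTTP/1.1" 200 512 "http://10.0.0.9/form.php" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [12/Mar/2022:10:01:40 +0000] "GET /form.php HTTP/1.1" 200 540 "http://10.0.0.9/form.php" "<h1>TEST</h1>"
10.0.0.5 - - [12/Mar/2022:10:02:15 +0000] "GET /back.php HTTP/1.1" 200 610 "<h1>INJ</h1>" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [12/Mar/2022:10:03:00 +0000] "GET /form.php?name=%3Ch1%3ETEST%3C%2Fh1%3E HTTP/1.1" 200 530 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An opening or closing tag: '<', optional '/', a letter, then anything up to '>'.
# A bare '<' (e.g. "a < b" in a UA string) does not match, which keeps noise down.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z][^>]*>')


def looks_like_markup(value: str) -> bool:
    """True if the value contains an HTML tag, before or after URL-decoding."""
    return bool(TAG_RE.search(unquote(value)))


def find_markup_in_log(text: str) -> List[Dict[str, str]]:
    """Returns one hit per (line, field) where a reflected header or the
    request line carries HTML. Lines that do not parse are skipped."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            if looks_like_markup(m.group(field)):
                hits.append({"ip": m.group("ip"), "time": m.group("time"),
                             "field": field, "value": m.group(field)})
    return hits


if __name__ == "__main__":
    for hit in find_markup_in_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['field']}: {hit['value']}")
```

Seeing a tag in these fields does not by itself prove the application reflected it; the check above finds attempts, and whether the page was vulnerable is what the probe in the earlier part of the article establishes. A useful follow-up is to count hits per source address, since a tester (or attacker) typically tries several fields in a row.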

Comparison of Injected vs. Non-Injected HTML Code

Resources

  1. 30+ Standard Linux Commands for Beginner or Intermediate Users
  2. Bug Bounty Hunting With Burp Suite (Intercept, Repeater & Intruder)
  3. Broken Access Control (Tryhackme and Owaspbwa)

© 2022 Ashutosh Singh Patel
