The application outputs “Hello Ashu!” on entering the name “Ashu” in the text field provided and this tells us that this application reflects what we input to the page.Vulnerable code would look something like this
Now the question is whether or not the website will consider this injected HTML code as a separate code or just a normal text that we entered. If it considers it to be a separate code then BOOM!!! The website is vulnerable to HTML injection.
Now let’s do some challenges on TryHackMe and OWASPBWA vulnerable machines.
1. TryHackMe (OWASP TOP 10 [Task 5])
If this is your first time working on TryHackMe, read my other article about it first. Now let’s begin with our today’s challenge. Note: Task 5 is actually for command execution but we can still use it for HTML Injection. The user might not exist but we are hackers Typing in
TEST
inside the input field and pressing enter would show the reflected code i.e. TEST in ‘header 1’ format. HTML code injected successfully. Turn on the intercept and reload the page. Let’s modify the User-Agent header to and forward the message HOORRRAAAAHHHHH!!!! it’s changed.2. Injecting the Cookie Field and Redirecting the Page
Inside OWASP Multillidae II Navigate to: OWASP Multillidae II →OWASP 2013 →A1 →HTMLi Via Cookie Injection →Capture Data Our PHPSESSID is getting reflected on the webpage Now you know what we can do with it. Don’t you? better to turn the intercept off To learn more on how to use META Tag to redirect your site look in the bonus resources section.
3. Advanced Example
We can create a fake page of login or exactly like the one that we are testing and then we can redirect the real page to the fake page & we can capture their username & password if it’s a login page.
Example 1 (HTML5 storage)
Navigate to: OWASP Multillidae II →OWASP 2013 →A1 →HTMLi Via DOM Injection →HTML5 Storage If we “Add” our inputs it gets reflected on the page.
Nothing is intercepted for “Add New” but we can still try to inject our HTML codes into the fields
We can inject HTML only in the “Add key {$key} to Session storage” phrase.
Example 2 (Those “Back” buttons)
Navigate to: OWASP Multillidae II →OWASP 2013 →A1- Injection (Other)→HTML Injection (HTMLi) → Those “Back” Button No input fields so what & where are we going to inject our HTML code?? We can intercept the back button’s request & see if the above lines are true. Indeed it’s true but how is it going to help us as it’s not reflected on our page Let’s look out for its HTML code. Hmm looks interesting !!! We won’t see any change on the current page So let’s try to change the Referer URL to something else BOOM!!! successfully injected HTML code
Comparison of Injected vs. Non-Injected HTML Code
Resources
- 30+ Standard Linux Commands for Beginner or Intermediate Users
- Bug Bounty Hunting With Burp Suite (Intercept, Repeater & Intruder)
- Broken Access Control (Tryhackme and Owaspbwa) This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters. © 2022 Ashutosh Singh Patel
