bWAPP - HTML Injection (Reflected-URL)


In this walkthrough, we will go through the HTML Injection (Reflected-URL) vulnerability section of bWAPP Labs. We will explore and exploit reflected HTML injection in the field that displays the current URL on the page, and learn how applications are affected by it. So, let’s get started with the hacking without any delay.

HTML Injection (Reflected-URL)

Security: Low

  • Setting the security level to Low.

[Screenshot: Security level Low]

  • The application here is issuing a GET request to the htmli_current_url.php page to display the current URL.

[Screenshot: HTML Injection (Reflected-URL) page]

[Screenshot: Burp Suite intercept]

  • Let’s see if we can append to the GET request and get an HTML injection on the page, since it displays whatever the GET request contains. If we can modify the request, then we can control the response. So, I inserted an HTML heading tag after the htmli_current_url request and got an output on the page.

[Screenshot: Payload]

[Screenshot: HTML injection confirmed]

  • Using the above technique, let’s exploit the application by popping an alert with the payload below.

<script>alert("Hacked")</script>;

[Screenshot: Payload]

[Screenshot: "Hacked" pop-up alert]
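The Low level reflects the request URL straight into the response body, which is why a heading tag in the request shows up as a rendered heading. The following added example (not bWAPP's own code) simulates that reflection in Node.js, puts the hardened version beside it, and includes a small check that a reviewer or a regression test can run over a response to see whether any tag from the input survives unencoded. The path name htmli_current_url.php and the sample URL are constructed for the demonstration.

```javascript
// Added example, not from the bWAPP source: a server-side template that reflects the
// request URL into HTML (the Low-level behaviour) next to one that encodes it first.

// Minimal HTML entity encoder for text placed inside an element body.
// Attribute and JavaScript contexts need different encoding rules; this covers the
// text-node context that "Current URL: ..." is written into.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: the raw URL is concatenated into the markup,
// so any tag in the request becomes a tag in the response.
function renderCurrentUrlUnsafe(requestUrl) {
  return '<p>Current URL: ' + requestUrl + '</p>';
}

// Hardened rendering: the URL is treated as data and encoded for the HTML text context.
function renderCurrentUrlSafe(requestUrl) {
  return '<p>Current URL: ' + escapeHtml(requestUrl) + '</p>';
}

// Review/regression check: extract tag-like tokens from the input and report whether
// any of them appears verbatim in the output. True means the input was reflected raw.
function reflectsRawTags(input, output) {
  const tagPattern = /<\/?[a-z][^>]*>/gi;
  const inputTags = input.match(tagPattern) || [];
  return inputTags.some((tag) => output.includes(tag));
}

// Constructed request URL carrying a heading tag in the query string, like the
// walkthrough's test payload (the page name is assumed, not taken from a live install).
const SAMPLE_URL = 'http://localhost/bWAPP/htmli_current_url.php?<h1>injected</h1>';

function demo() {
  const unsafe = renderCurrentUrlUnsafe(SAMPLE_URL);
  const safe = renderCurrentUrlSafe(SAMPLE_URL);
  console.log('unsafe :', unsafe);
  console.log('safe   :', safe);
  console.log('raw tags reflected (unsafe):', reflectsRawTags(SAMPLE_URL, unsafe)); // true
  console.log('raw tags reflected (safe)  :', reflectsRawTags(SAMPLE_URL, safe));   // false
  return { unsafe, safe };
}

demo();
```

Run it with `node` and compare the two lines: the encoded response still shows the full URL to the user, but `&lt;h1&gt;` is rendered as literal text, so the injected markup never reaches the parser as a tag. The `reflectsRawTags` check is deliberately simple; it is meant for catching the obvious reflection in tests, not as a substitute for encoding on every output path.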

Security: Medium

  • Setting the security level to Medium.

[Screenshot: Security level Medium]

  • No change can be seen in the application’s functionality as per the intercepted request.

[Screenshot: Burp Suite intercept]

  • Let’s test for the HTML injection vulnerability by appending an HTML heading tag after the URL.

[Screenshot: Burp Suite intercept with payload]

  • This time the injected heading was not rendered in the response.

[Screenshot: HTML Injection - Reflected (URL) page]

  • I checked the source code and found that the application is using a script tag with document.URL in order to display the URL on the page. Let’s see what we can do with it.

[Screenshot: Page source code]

<script>document.write(document.URL)</script>

[Screenshot: Payload]

[Screenshot: HTML injection attempt]

  • The HTML injection at the Medium level does not work in modern browsers; I did not find any workaround for this.
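The reason the Medium level holds up in a current browser is not the application's own code but the browser's URL handling: document.URL is the serialized form of the address, and modern browsers percent-encode `<` and `>` in the path and query during serialization, so `document.write(document.URL)` writes `%3Ch1%3E` rather than a tag. The added example below (not from bWAPP) approximates that behaviour with the WHATWG URL parser that Node.js ships, which follows the same serialization rules as the browsers; it is an assumption that this matches a given browser build exactly. It also shows the review finding a practitioner would look for in such a page: if the script decodes the URL before writing it, the browser's encoding is undone and the tag is back, so the decoded value needs HTML encoding (or, in a browser, assignment to `element.textContent` instead of `document.write`). The sample URL and the page name are constructed.

```javascript
// Added example, not from the bWAPP source: what document.URL contains in a modern
// browser, what document.write(document.URL) therefore emits, and why decoding the
// URL first reintroduces the reflected HTML injection.

// The address as typed, or as sent through an intercepting proxy (constructed sample;
// the page name htmli_current_url.php is assumed).
const TYPED_URL = 'http://localhost/bWAPP/htmli_current_url.php?<h1>injected</h1>';

// Approximation of document.URL: the WHATWG URL serializer percent-encodes '<' and '>'
// in the query (and in the path), so the literal tag characters never survive.
function browserSerializedUrl(raw) {
  return new URL(raw).href;
}

// Markup that document.write(document.URL) would add to the page: the serialized URL verbatim.
function documentWriteOutput(raw) {
  return browserSerializedUrl(raw);
}

// A pattern that looks harmless in code review but undoes the browser's protection:
// decoding the URL before writing it restores the literal tags.
function documentWriteDecodedOutput(raw) {
  return decodeURIComponent(browserSerializedUrl(raw));
}

// Defensive counterpart: if the decoded URL must be shown, encode it for the HTML text
// context before it reaches the parser.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function safeDecodedOutput(raw) {
  return escapeHtml(decodeURIComponent(browserSerializedUrl(raw)));
}

// Does the written markup contain anything the HTML parser would treat as a tag?
function containsTag(markup) {
  return /<\/?[a-z][^>]*>/i.test(markup);
}

function demo() {
  const written = documentWriteOutput(TYPED_URL);
  const decoded = documentWriteDecodedOutput(TYPED_URL);
  const safe = safeDecodedOutput(TYPED_URL);
  console.log('document.URL        :', written, '| tag:', containsTag(written)); // false
  console.log('decoded before write:', decoded, '| tag:', containsTag(decoded)); // true
  console.log('decoded then encoded:', safe,    '| tag:', containsTag(safe));    // false
  return { written, decoded, safe };
}

demo();
```

The first line of output is what the walkthrough observed at the Medium level: the heading arrives as `%3Ch1%3E...` and is displayed as text. The second line is the variant worth flagging in a code review, since a single `decodeURIComponent` placed before `document.write` turns the browser-protected page back into the Low-level one.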


Conclusion

So, we have finally completed all the security levels of the bWAPP HTML Injection (Reflected-URL) vulnerability. We looked at how the application is set up at the various levels and how the security controls implemented can be bypassed. Reflected HTML injection attacks can be mitigated by sanitizing input on endpoints, whitelisting the allowed characters in the input, and using a WAF. Along with that, we can prevent data from any untrusted source from being dynamically written to the HTML document. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup; till then, “Keep Hacking”.
