In this walkthrough we will go through the HTML Injection (Reflected-URL) section of the bWAPP labs. We will explore and exploit reflected HTML injection in the "current URL" field the page displays, and see how an application is affected when it writes its own request URL back into the document as markup. So, let's get started with the hacking without any delay.
Security: Low
- Setting the security level to Low.
- The application issues a GET request to the htmli_current_url.php page, and the page displays the URL of that request.
- Let's see whether we can append to the request and get HTML injection, since the page displays whatever the GET request contains: if we control the request, we control the response. I inserted an HTML heading tag after htmli_current_url.php in the address bar and the heading rendered on the page.
- Using the same technique, let's exploit the application by popping an alert with the payload below, appended to the URL in the same place.
<script>alert("Hacked")</script>
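The following is an added example and not bWAPP's own source. It models the Low-level behaviour observed above (the page URL-decodes the request URI and echoes it into the HTML unencoded, which is an assumption drawn from the reflection we saw, not something the walkthrough shows in PHP) next to a hardened version of the same page, and shows the check a tester runs on the response body to decide whether a payload was really reflected as markup. The lab path is assumed.

```javascript
// Added example, not bWAPP's own code. Models the Low-level reflection seen
// in the walkthrough (assumption: the page URL-decodes the request URI and
// echoes it unencoded) beside a hardened version, plus the reflection check.

const PAGE = "/bWAPP/htmli_current_url.php"; // assumed lab path

// Vulnerable model: decode the raw request URI and drop it into the markup.
function renderLow(requestUri) {
  const shown = decodeURIComponent(requestUri);
  return `<p>Your current URL: <i>http://localhost${shown}</i></p>`;
}

// HTML-encode the five characters that can break out of a text context
// (what PHP's htmlspecialchars($s, ENT_QUOTES) does on the server).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened model: same page, but the untrusted value is encoded for the
// HTML text context before it is written.
function renderHardened(requestUri) {
  const shown = escapeHtml(decodeURIComponent(requestUri));
  return `<p>Your current URL: <i>http://localhost${shown}</i></p>`;
}

// The request URI the browser sends when the payload is typed after the
// script name in the address bar. encodeURI approximates browser path
// encoding: it percent-encodes < > " and space but leaves / intact.
function craftRequestUri(payload) {
  return `${PAGE}/${encodeURI(payload)}`;
}

// A payload counts as reflected only if it comes back byte-for-byte with its
// tag delimiters intact; an encoded copy (&lt;h1&gt;) is display text, not markup.
function isReflectedUnescaped(body, payload) {
  return body.includes(payload);
}

// Constructed test payloads: the heading used to confirm injection and the
// alert used to prove script execution.
const PAYLOADS = ["<h1>test</h1>", '<script>alert("Hacked")</script>'];

// Run every payload through a page model and report which ones survive.
function probe(render) {
  return PAYLOADS.map((payload) => ({
    payload,
    reflected: isReflectedUnescaped(render(craftRequestUri(payload)), payload),
  }));
}

console.log("low:", probe(renderLow));
console.log("hardened:", probe(renderHardened));
```

Run it with `node` to see both payloads reflected by the Low model and neither by the hardened one. The check is deliberately strict: a response that contains `&lt;script&gt;` is not a finding, because the browser renders that as text, so always compare the raw response body against the exact payload rather than eyeballing the rendered page.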
Security: Medium
- Setting the security level to Medium.
- No change in the application's functionality is visible in the intercepted request.
- Let's test for HTML injection by appending an HTML heading tag after the URL, as we did at the Low level.
- The heading was not rendered this time.
- I checked the page source and found that the application now uses a script tag with document.URL to display the URL on the page, rather than echoing the request URI from the server. Let's see what we can do with it.
<script>document.write(document.URL)</script>
- HTML injection at the Medium level does not work in modern browsers: document.URL returns the serialized URL, in which the browser has already percent-encoded `<`, `>` and `"` in the path, query and fragment, so document.write() outputs `%3Ch1%3E` as plain text instead of a tag. I did not find a workaround for this.
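The following is an added example and not bWAPP's own source. Node's `URL` class implements the same WHATWG URL serializer that current browsers use for `document.URL` and `location.href`, so it reproduces what the Medium page's `document.write(document.URL)` actually writes for a payload placed in each URL component an attacker controls from the address bar. The base URL is an assumed lab address.

```javascript
// Added example, not bWAPP's own code. Shows why document.write(document.URL)
// no longer reflects raw markup: the WHATWG URL serializer (Node's URL class,
// the same algorithm current browsers use for document.URL) percent-encodes
// the tag delimiters before the page script ever sees them.

const BASE = "http://localhost/bWAPP/htmli_current_url.php"; // assumed lab URL

// What document.URL evaluates to for a given address-bar URL.
function documentUrlFor(rawUrl) {
  return new URL(rawUrl).href;
}

// Markup can only be injected if a raw tag delimiter survives serialization.
function containsRawMarkup(s) {
  return /[<>"]/.test(s);
}

// The walkthrough's payload placed in each component the attacker controls.
const PAYLOAD = '<script>alert("Hacked")</script>';
const ATTEMPTS = {
  path: `${BASE}/${PAYLOAD}`,
  query: `${BASE}?${PAYLOAD}`,
  fragment: `${BASE}#${PAYLOAD}`,
};

// Models the Medium page: the server emits a fixed script and the browser
// writes document.URL. Returns, per component, the string that would be
// written and whether it still carries injectable markup.
function probeMedium() {
  const results = {};
  for (const [where, url] of Object.entries(ATTEMPTS)) {
    const written = documentUrlFor(url);
    results[where] = { written, injected: containsRawMarkup(written) };
  }
  return results;
}

// Relying on the serializer is not a control. The safe page-side equivalent
// treats the value as text regardless of what the browser did to it:
//   document.getElementById("url").textContent = document.URL;

console.log(probeMedium());
```

Every component comes back with `%3Cscript%3E` in place of `<script>`, which is why the Medium page is not exploitable in a browser that follows the WHATWG URL standard. That is browser behaviour rather than an application control: the page still writes an untrusted value with `document.write()`, and the correct fix is to assign it to `textContent` instead.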
Conclusion:
So, we have completed all the security levels for the bWAPP HTML Injection (Reflected-URL) vulnerability. We looked at how the application is set up at each level and how the security controls can be bypassed. Reflected HTML injection is prevented by encoding untrusted data for the context in which it is written: htmlspecialchars() before the server echoes a value into HTML, and textContent instead of document.write() when the client displays it. Allow-listing the characters accepted in input and a WAF add defence in depth, but they do not replace output encoding. In short, never write data from an untrusted source, and the request URL is untrusted, into the document as markup. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup. Till then, "Keep Hacking".