
HTML Injection (Tryhackme and Owaspbwa)

Linux, Networking & Security are the domains of my interest.

HTML injection is a security vulnerability that allows an attacker to inject HTML code into web pages.


What Is HTML Injection?

  • It’s a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.
  • It is one of the easiest vulnerabilities to start your web security journey with.

How Does It Work?

Let’s look into a simple example of an application that outputs “Hello {name}” when you enter a name in its input field.


The application outputs “Hello Ashu!” when we enter the name “Ashu” in the text field, which tells us that this application reflects what we input back onto the page.

Vulnerable code would look something like this

  • Now the question is whether the website will treat the injected HTML as code or just as normal text that we entered.
  • If it treats it as code then BOOM!!! The website is vulnerable to HTML injection.
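As an added example (not code from the page, TryHackMe or OWASPBWA), here is a constructed Python stand-in for that “Hello {name}” page next to its fixed form, with a parser-based check that tells whether the input came back as markup or as plain text:

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the "Hello {name}" page (not the app's real code):
# the vulnerable version concatenates the raw input into the response body.
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello {name}!</p>"

# Fix: escape the input for the HTML text context before it reaches the page,
# so '<' and '>' become '&lt;' and '&gt;' and the browser renders them as text.
def greet_safe(name: str) -> str:
    return f"<p>Hello {html.escape(name)}!</p>"

class _TagCollector(HTMLParser):
    """Records the start tags a browser would create while parsing the page."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(page: str, expected=("p",)) -> list[str]:
    """Elements present in the response that the template itself did not emit.
    An empty list means the input was treated as text, not as markup."""
    parser = _TagCollector()
    parser.feed(page)
    return [t for t in parser.tags if t not in expected]

if __name__ == "__main__":
    # The write-up's own inputs: a plain name, the <h1> test and the User-Agent payload.
    for payload in ("Ashu", "<h1>TEST</h1>", "<h1><u><em>HelloAshu</em></u></h1>"):
        print(repr(payload))
        print("  vulnerable:", injected_tags(greet_vulnerable(payload)))
        print("  fixed:     ", injected_tags(greet_safe(payload)))
```

The same check works as a regression test in a CI pipeline: feed each reflected parameter a tag-bearing value and fail the build if `injected_tags` returns anything.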

Now let’s do some challenges on TryHackMe and OWASPBWA vulnerable machines.

Make sure to fire up your Burp Suite before moving ahead.

This is one of the ways we can inject HTML code, as we did here with the tag.

1. TryHackMe (OWASP TOP 10 [Task 5])

If this is your first time working on TryHackMe, read my other article about it first.

Now let’s begin with today’s challenge.

Note: Task 5 is actually for command execution but we can still use it for HTML Injection.

Let's type test in the 'Search user…' field and submit


The user doesn't exist


The user might not exist but we are hackers


Typing <h1>TEST</h1> into the input field and pressing enter shows the reflected code, i.e. TEST rendered as a level-1 heading.

HTML code injected successfully.


Turn on the intercept and reload the page.


Let’s modify the User-Agent header to

<h1><u><em>HelloAshu</em></u></h1>

and forward the request.


HOORRRAAAAHHHHH!!!! it’s changed.

2. Inside OWASP Mutillidae II

Navigate to: OWASP Mutillidae II → OWASP 2013 → A1 → HTMLi Via Cookie Injection → Capture Data


Our PHPSESSID cookie value is reflected on the webpage.

Now you know what we can do with it. Don’t you?

Here 5 means the page will wait 5 seconds before redirecting to google.com.

It is better to turn the intercept off at this point.


To learn more about how to use the META tag to redirect a page, look in the Resources section.

3. Advanced Example

  • We can create a fake page, for example a login page that looks exactly like the one we are testing, and then redirect the real page to the fake one; if it is a login page, the attacker can capture the username and password entered there.

Example 1 (HTML5 storage)

Navigate to: OWASP Mutillidae II → OWASP 2013 → A1 → HTMLi Via DOM Injection → HTML5 Storage


If we “Add” our inputs, they get reflected on the page.

  • Nothing is intercepted for “Add New”, but we can still try to inject our HTML code into the fields.
  • We can inject HTML only in the “Add key {$key} to Session storage” phrase.

Example 2 (Those “Back” buttons)

Navigate to: OWASP Mutillidae II → OWASP 2013 → A1 - Injection (Other) → HTML Injection (HTMLi) → Those “Back” Buttons


There are no input fields, so what and where are we going to inject our HTML code?


We can intercept the back button’s request and see whether the above lines are true.


Indeed it’s true, but how is that going to help us when it is not reflected on our page?

Let’s look at its HTML code. Hmm, looks interesting!!!


Note: Changing the Referer to include the <h1> tag is not helping.


We won’t see any change on the current page.

So let’s try changing the Referer URL to something else.

Original code:
<a onclick="document.location.href='<h1>TEST</h1>';"></a>
(not able to inject this into the current web page, because the tag stays inside the quoted attribute)

Changing the payload:
<a onclick="document.location.href='"></a><h1>TEST</h1>';"></a>

Injected code:
( "></a><h1>TEST</h1> )
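As an added example (not Mutillidae’s code), here is a constructed Python stand-in for that back button, which builds its onclick attribute from the Referer header, beside a fixed form; both are parsed the way a browser would parse them so the attribute breakout above is visible in the element list:

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the "Those Back buttons" page (not Mutillidae's real
# code): the Referer header is dropped into an onclick attribute without encoding.
def back_button_vulnerable(referer: str) -> str:
    return f'<a onclick="document.location.href=\'{referer}\';">Back</a>'

# Fix: html.escape with quote=True (its default) turns " and ' into entities, so the
# value can no longer terminate the attribute. This only secures the HTML boundary;
# a value that also sits inside a JS string literal needs JS encoding as well, or,
# better, should not be built into script from a request header at all.
def back_button_safe(referer: str) -> str:
    encoded = html.escape(referer, quote=True)
    return f'<a onclick="document.location.href=\'{encoded}\';">Back</a>'

class _ElementCollector(HTMLParser):
    """Records each element a browser would create, with its decoded attributes."""
    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))

def elements(page: str) -> list:
    """(tag, attributes) pairs in document order; anything beyond a single <a> is injected."""
    parser = _ElementCollector()
    parser.feed(page)
    return parser.elements

if __name__ == "__main__":
    # The write-up's two Referer values: the bare <h1> stays inside the attribute,
    # the quote-and-close payload breaks out and creates a real <h1> element.
    for referer in ("<h1>TEST</h1>", '"></a><h1>TEST</h1>'):
        print(repr(referer))
        print("  vulnerable:", elements(back_button_vulnerable(referer)))
        print("  fixed:     ", elements(back_button_safe(referer)))
```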


BOOM!!! HTML code successfully injected.

Comparison of Injected vs. Non-Injected HTML Code


Resources

  1. Using the META tag to redirect an HTML page
  2. OWASPBWA vulnerable machine
  3. OWASPBWA VM setup video


© 2022 Ashutosh Singh Patel