HTML Injection - Reflected (GET)
We are provided with two input fields to enter the first and last name.
Let's give it some random name and see what happens.
Looks like our input is reflected back on the screen.
HTML injection is an injection flaw in which user-supplied input is rendered as HTML markup in a web page instead of as plain text. This allows us to modify the contents of the page.
Let's input the following HTML tag:
Let's try inserting the same input as before.
This time the input is not treated as HTML code.
We can intercept the request in Burp Suite to check how our input is being treated.
As we can see, the input is URL encoded. We can also check this out in the Decoder.
We can bypass the security filter using double URL encoding as suggested in this OWASP document.
Let's forward the request to the Repeater so that we can make modifications.
We can now provide the double encoded string as the input.
As we can see, the name is now treated as an h1 element. This means we have successfully performed HTML injection by bypassing the filter with double URL encoding.
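To show why the double-encoding bypass works and how to fix it, here is an added Python model (not code from the original post or from bWAPP) of a reflected-input filter. It assumes the web server has already URL-decoded the query string once, that the weak filter escapes angle brackets and then URL-decodes a second time before output, and that the hardened filter makes HTML escaping the last step.

```python
import html
from urllib.parse import unquote


def server_first_pass(query_value: str) -> str:
    """The web server/framework URL-decodes the GET parameter once."""
    return unquote(query_value)


def vulnerable_filter(param: str) -> str:
    """Constructed weak filter: escape '<' and '>' first, then URL-decode
    again as a 'cleanup' step. Any %3C/%3E that survived the first decode
    is turned back into a real angle bracket AFTER the escaping ran."""
    escaped = param.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(escaped)  # decoding after escaping is the defect


def hardened_filter(param: str) -> str:
    """Normalise first, escape last. Whatever percent-sequences remain
    after this single extra decode are left as inert literal text."""
    decoded = unquote(param)
    return html.escape(decoded, quote=True)


def render(first: str, last: str, filt) -> str:
    """Reflect both name fields into the page through the chosen filter."""
    return f"<p>Welcome {filt(first)} {filt(last)}</p>"


def reflects_markup(rendered: str) -> bool:
    """Defender-side check: did a raw tag reach the output?"""
    return "<h1>" in rendered


if __name__ == "__main__":
    # Constructed sample inputs: a single- and a double-URL-encoded <h1> tag.
    single = "%3Ch1%3Ehi%3C%2Fh1%3E"
    double = "%253Ch1%253Ehi%253C%252Fh1%253E"
    for label, raw in (("single", single), ("double", double)):
        first = server_first_pass(raw)
        weak = render(first, "x", vulnerable_filter)
        safe = render(first, "x", hardened_filter)
        print(f"{label}: weak reflects tag={reflects_markup(weak)}, "
              f"hardened reflects tag={reflects_markup(safe)}")
```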