This article covers the low security level of the Reflected (POST) HTML Injection exercise in bWAPP, which is used here to demonstrate HTML injection through POST parameters. POST parameters differ from GET parameters: with GET the input travels in the URL, while with POST it travels in the body of the request. Usually, to tamper with a POST request you need an intercepting proxy such as Burp Suite.
At the low level in bWAPP, though, I did not need Burp Suite; everything here works from the browser alone.
I have posted about Reflected (GET) HTML injection here.
Let’s do it:

The form below asks for a first name and a last name. Wherever you see a user input field, try every attack vector on it.

[Screenshot: html injection post method bwapp 2]

To find where the input is reflected, I entered plain text in the firstname and lastname fields.

[Screenshot: html injection post method bwapp 4]

The output is reflected just below the form, after the welcome text.

Next, test it with an HTML tag and see whether the tag is rendered or comes back as plain text.

[Screenshot: html injection post method bwapp]

The tag was rendered rather than displayed literally, so the application inserts the input into the page without HTML encoding and is vulnerable. If you want to be sure, look at the response source: the tag appears there verbatim, not as &lt; and &gt; entities.

Now you can inject a form here, or an iframe pointing at a malicious link, and send the request to a user. I used the following iframe:

<iframe src="" width=800 height=500></iframe>

[Screenshot: html injection post method bwapp 5]

As the output shows, the iframe is embedded in the page.

All of this was done without Burp Suite.
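The following Python is an added example and is not code from the original post or from bWAPP. It models the two behaviours discussed above: a low-level handler that concatenates the POST fields into the page unescaped, and a hardened version that HTML-encodes them, together with a check that reports whether a probe tag came back raw or entity-encoded and a parser that shows which elements the browser would actually create. build_post_body shows the body a browser sends for this form, which is the part you would otherwise edit in Burp. check_live posts that body to a running bWAPP instance; its URL, the field names (firstname, lastname, form) and the cookie format are assumptions about the lab setup, not something the post confirms.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed lab endpoint and field names for the bWAPP exercise; adjust to your setup.
BWAPP_URL = "http://localhost/bWAPP/htmli_post.php"

PROBE = "<b>htmli</b>"  # harmless marker tag used to detect reflection
IFRAME = '<iframe src="" width=800 height=500></iframe>'  # the iframe from the post


def build_post_body(firstname: str, lastname: str) -> bytes:
    """Return the application/x-www-form-urlencoded body the browser sends.

    With POST the input is carried here, in the request body, rather than in
    the query string of the URL.
    """
    return urlencode({"firstname": firstname, "lastname": lastname, "form": "submit"}).encode()


def render_low(firstname: str, lastname: str) -> str:
    """Model of the vulnerable low-level page: input concatenated into the HTML as-is."""
    return f"<div>Welcome {firstname} {lastname}</div>"


def render_hardened(firstname: str, lastname: str) -> str:
    """Same page with output encoding: < > & \" ' become entities, so tags stay text."""
    return f"<div>Welcome {html.escape(firstname)} {html.escape(lastname)}</div>"


def reflection_verdict(page: str, probe: str = PROBE) -> str:
    """Classify how a probe came back: 'raw' (injectable), 'encoded' (escaped) or 'absent'."""
    if probe in page:
        return "raw"
    if html.escape(probe) in page:
        return "encoded"
    return "absent"


class _TagCollector(HTMLParser):
    """Collects start tags so we can see which elements a browser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(page: str) -> List[str]:
    """Return the element names an HTML parser produces for the page."""
    parser = _TagCollector()
    parser.feed(page)
    return parser.tags


def check_live(url: str = BWAPP_URL, cookie: Optional[str] = None) -> str:
    """Post the probe to a running bWAPP instance and classify the reflection.

    bWAPP needs a logged-in session, so pass the browser's Cookie header value,
    e.g. 'PHPSESSID=...; security_level=0' (assumed format).
    """
    req = Request(url, data=build_post_body(PROBE, "test"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:
        req.add_header("Cookie", cookie)
    with urlopen(req, timeout=10) as resp:
        return reflection_verdict(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration against the two simulated handlers.
    for name, render in (("low", render_low), ("hardened", render_hardened)):
        page = render(IFRAME, "test")
        print(f"{name}: verdict={reflection_verdict(page, IFRAME)} tags={parsed_tags(page)}")
```

Run the script as-is to compare the simulated low and hardened pages; the low page yields a verdict of raw and an iframe element, the hardened one yields encoded and only the div. To test the lab itself, call check_live with the cookie header copied from your logged-in browser session.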

