This article is based on low level of Reflected (POST) HTML Injection. Bwapp is used here to demonstrate the HTML injection in POST parameters . Post parameters are different from GET Parameters. In GET parameters the information is sent via the URL but in POST, the information is sent with the body of the request. Mostly to manipulate the post request we have to use an interceptor such as Burpsuite.
Here at the low level of Bwapp, I don’t have to use Burp suite and it is working with the browser only.
I have posted about Reflected GET html injection here
Let’s do it:
The below form is asking for the first name and Last name. Now wherever you see the user input field, try every attack vector on it.
To check where the output is reflecting, I wrote on firstname and lastname fields.
The output is reflecting just below with the welcome text.
So now we test it with some HTML tags and see if it is reflecting it back or not.
It reflected the HTML input and hence it is vulnerable.
Now you can put a form here or an iframe of a malicious link and send it to the user. I wrote the following iframe code:
<iframe src=”http://anonhack.in” width=800 height=500></iframe>
You can see the output, the page is embedded with the iframe.
It is done without using burpsuite.