Introduction
In this walkthrough, we demonstrate how to test web applications for HTML Injection. HTML Injection is a type of vulnerability that a penetration tester looks for when testing web applications: user-supplied input is written into the page without being encoded, so markup in that input is rendered by the browser. We used the bWAPP box from OWASP to demonstrate this vulnerability.
Skills Learned
- bWAPP
- OWASP
- HTML Injection
Setting the Stage
First things first, I configured Burp Suite to intercept web requests. This means setting up my browser’s proxy settings to route all traffic through Burp Suite. This allows me to see and modify all the data being sent between my browser and the website.
With Burp Suite up and running, I started looking for vulnerable spots on the webpage. I used Burp’s interceptor to capture the GET requests and found that the “first name” and “last name” fields were perfect candidates for injection.
The Injection
To show you how it works, I started with a simple injection. I put a basic HTML tag, `<p>hacker</p>`, into the “first name” field. When I submitted the form, the word “hacker” appeared on the page rendered as a paragraph rather than as literal text, confirming the vulnerability.
But I didn’t stop there. To show you the real power of this vulnerability, I injected some JavaScript: `<script>alert(document.cookie)</script>`. This little snippet popped up an alert box displaying the user’s cookie, which shows that the same injection point allows script execution (cross-site scripting) and could be used for more advanced attacks.
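To make the reflection concrete, here is an added example (not part of the original post or of bWAPP) that models the vulnerable concatenation beside its encoded fix and adds a simple access-log check that flags requests carrying tags in the query values. The parameter names `firstname`/`lastname`, the `/greet.php` path and the log lines are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable pattern: the submitted values are concatenated straight into markup,
# so a value like <p>hacker</p> becomes part of the page.
def render_vulnerable(first, last):
    return f"<p>Welcome {first} {last}</p>"

# Fixed pattern: HTML-encode every untrusted value before it reaches the page,
# so the same input is shown literally instead of being parsed as a tag.
def render_fixed(first, last):
    return f"<p>Welcome {html.escape(first)} {html.escape(last)}</p>"

# Parameter names are an assumption for this example (the post only calls them
# the "first name" and "last name" fields).
def render_from_query(query, fixed=True):
    params = parse_qs(query)  # also URL-decodes %3C -> "<" and so on
    first = params.get("firstname", [""])[0]
    last = params.get("lastname", [""])[0]
    return (render_fixed if fixed else render_vulnerable)(first, last)

# Matches an opening or closing tag such as <p>, </p> or <script ...>; a bare
# "<3" inside a name does not match, so it is not flagged.
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")

def flag_injection_attempts(log_lines):
    """Return the request URLs from access-log lines whose URL-decoded query
    values contain an HTML tag (a cheap server-side detection for this bug)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        url = m.group(1)
        values = [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]
        if any(TAG_RE.search(v) for v in values):
            hits.append(url)
    return hits

# Constructed access-log lines; /greet.php is a placeholder path, not bWAPP's.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /greet.php?firstname=Alice&lastname=Smith HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /greet.php?firstname=%3Cp%3Ehacker%3C%2Fp%3E&lastname=x HTTP/1.1" 200 1250',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /greet.php?firstname=Bob%20%3C3&lastname=x HTTP/1.1" 200 1234',
]
```

Running `render_from_query` with `fixed=False` on the second log line's query reproduces the injected paragraph; with the default it returns `&lt;p&gt;hacker&lt;/p&gt;`, which the browser shows as text.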
Phishing for Credentials
Now for the main event. I crafted a malicious HTML login form. The key here is that the form’s “action” was set to send any submitted data to a listener on my own machine.
I set up a couple of Netcat listeners on different ports to catch the stolen credentials. Then, I injected my malicious login form into the vulnerable fields on the webpage.
When a user came along and entered their login and password into my fake form, their credentials were sent directly to my Netcat listener. I was able to see their username and password in plain text. It’s a classic social engineering attack, and it works like a charm.
Technical Commands Used
Here are the commands I used in the terminal during this demonstration:
- `nc -lvp 3434`: sets up a Netcat listener on port 3434.
- `nc -lvp 3435`: sets up another Netcat listener on port 3435.
- `cd home`: changes the current directory to the ‘home’ directory.
- `nano html injection`: opens a file named “html injection” in the Nano text editor, where I wrote the HTML code for my malicious form.