Welcome Hunters,
So today I'm going to show you how to hunt for HTML Injection in a web application.
Let's continue,
What is HTML Injection?
So according to OWASP HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
In simple words, HTML injection happens when user input is written into a page without being HTML-encoded, so the browser treats the injected characters as markup instead of as text.
Impact Of HTML Injection
➤ It can allow an attacker to modify the content of the page that other users see (fake headings, forms, links).
➤ The injected markup is loaded into the page's DOM, so it renders as part of the site rather than as plain text.
Steps To Find HTML Injection
➤ Find an input parameter, either GET based (in the URL) or POST based (in a form).
➤ If your input is reflected back to you on the web page, there may be HTMLi.
➤ Try a harmless HTML tag; if the page renders it as markup instead of showing it as text, there is HTMLi.
How To Attack
➤ You need to find some vulnerable parameters on the target website. We can use Burp Suite: spider the website and find out the parameters it accepts.
➤ Input a word over there; if it is reflected back, there is a chance of HTMLi. That means you have to find any input field and submit any word; if your word is reflected back to you, then there may be HTML Injection.
➤ Once we have found a reflected input, we try to inject HTML code to change the web page.
➤ <h1> you have been hacked by Geekyworld</h1>
➤ <h1></h1> is the top-level heading tag in HTML. If the page shows it as a big heading instead of as the literal text "<h1>", the input is not being encoded.
[Figure: How To Hunt For HTML Injection (HTMLi) Practical Demonstration]
➤ GET based: through the URL. For a parameter such as cat=1, replace the 1 with hello.
If hello is reflected on the web page, we can try markup to change the web page:
➤ <h1> you have been hacked by Cybersecbroo</h1>
➤ POST based: through a comment field.
We try the same in the Name and Comment fields. If the values are reflected back on the page, we try the tag there as well.
If it renders as a heading, the page is vulnerable:
➤ <h1> you have been hacked by Cybersecbroo</h1>
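To make the two checks above concrete (the GET case with a URL parameter like cat and the POST case with a comment form), here is an added example written for this post; it is not code from the original post or from any site shown in the screenshots. It renders a tiny page two ways, the vulnerable "before" that concatenates user input into the HTML and the hardened "after" that HTML-encodes every user-controlled value, and it classifies a response the way a hunter reads it: the probe tag survives byte-for-byte (HTMLi), it comes back encoded (safe), or it is not reflected at all. The URL, the field names and the probe strings are constructed for the example.

```python
# Added example for this post (not the post's own code): vulnerable vs. hardened
# rendering of user input, plus the reflection check that tells them apart.
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probes. The markup probe has the same shape as the <h1> payload in
# the post but carries a neutral marker so it can be spotted in the response.
BENIGN_PROBE = "hello"
MARKUP_PROBE = "<h1>probe</h1>"


def render_page(fields: dict, encode_output: bool) -> str:
    """Builds a page from user-controlled fields.

    encode_output=False is the vulnerable 'before': values go straight into the HTML.
    encode_output=True is the hardened 'after': every value is HTML-encoded first,
    so '<' becomes '&lt;' and the browser shows it as text, not as a tag.
    """
    rows = []
    for key, value in fields.items():
        shown = escape(value, quote=True) if encode_output else value
        rows.append(f"<p>{key}: {shown}</p>")
    return "<html><body>" + "".join(rows) + "</body></html>"


def get_fields_from_url(url: str) -> dict:
    """GET case: pulls the query parameters out of a URL such as ...?cat=hello."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def classify_reflection(page: str, probe: str) -> str:
    """Reads a response the way a hunter does.

    'HTMLi'         the probe is present unchanged, so its tags will be parsed as markup
    'encoded'       the probe is present only in its HTML-encoded form (safe reflection)
    'not reflected' the input does not appear in the page at all
    """
    if probe in page:
        return "HTMLi"
    if escape(probe, quote=True) in page:
        return "encoded"
    return "not reflected"


def demo() -> dict:
    """Runs both the GET and the POST case against the vulnerable and hardened renderers."""
    # GET case from the post: the cat parameter, replaced with the probe (URL-encoded).
    url = "http://example.invalid/products?cat=" + quote(MARKUP_PROBE)
    get_fields = get_fields_from_url(url)

    # POST case from the post: name and comment fields, with the probe in the comment.
    post_fields = {"name": BENIGN_PROBE, "comment": MARKUP_PROBE}

    return {
        "get_vulnerable": classify_reflection(render_page(get_fields, False), MARKUP_PROBE),
        "get_hardened": classify_reflection(render_page(get_fields, True), MARKUP_PROBE),
        "post_vulnerable": classify_reflection(render_page(post_fields, False), MARKUP_PROBE),
        "post_hardened": classify_reflection(render_page(post_fields, True), MARKUP_PROBE),
        # A page that never echoes the input is the third outcome.
        "static_page": classify_reflection(render_page({"cat": "1"}, True), MARKUP_PROBE),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The fix on the application side is the single `escape(value, quote=True)` call: the hardened renderer still reflects the input (the word comes back, which is what the post tells you to look for first), but the tag is shown as text, so the classifier reports "encoded" rather than "HTMLi". Encoding at output time, for every user-controlled value, is what makes the heading trick in the post stop working.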
So this was the practical demonstration of how to hunt for HTML Injection. I hope you enjoyed it and that it helps you hunt for this vulnerability more quickly.
If you find any error or mistake, please let me know in the comment box, or send me your query through the Contact Us section.
Thank you, Happy Hunting,
Follow Us on
Facebook: Cybersec_broo
Instagram: Cybersec_broo