Ethical Hacking(Bug Bounty)-HTML Injection Reflected Get

Emmanuel Wiseman
4 min read · Apr 26, 2021

Hi, once again sorry it took so long, but I’m back. Today we will be looking at one of the easy bugs, HTML Injection. I’m assuming by now you have got bWAPP working on your laptop, whether on Linux, Windows or Mac.

What is HTML Injection?

In layman’s terms, HTML Injection is sending HTML markup to a website that does not validate its input, so that the markup is inserted into the page and changes what other users see. It only works if the website is vulnerable. bWAPP splits this bug into stages: easy, medium and hard.

Level: Easy

First, input a first name and last name, or anything else you want here. In my case I inputted a strong tag around John, which is why it’s in bold.

The page source of the page above shows the result: the tag was inserted into the HTML as-is.

Another method, instead of typing into the form, is to put the same input straight into the GET parameters in the address bar; you will still receive the same output.

Level: Medium

After trying the same method used in the easy level you will notice that something has changed: the tag around John is no longer bold, and when you open the page source the HTML tags have been converted into HTML entities.

What are HTML Entities?

HTML entities are encoded forms of reserved characters, used so that HTML code can be displayed as text instead of being rendered. An entity is a piece of text that starts with an ampersand (&) and ends with a semicolon (;). To find where the filtering happens it is advisable to go to the source code, as shown below. The source code shows that it can be bypassed by using double encoding; more information about it is here: https://owasp.org/www-community/Double_Encoding .

This is the file for the HTML Injection bug you are looking at, and where it is located. Try to read the code and see what is different for the medium level.

You will need a URL encoder tool to continue. Copy the text you entered in bWAPP (John in a strong tag, or whatever you chose) into the encoder and encode it twice, since the server decodes the parameter once before the filter runs.
After clicking the encode button you are left with the encoded string; copy it and go back to bWAPP.
Back in bWAPP it’s quite simple: paste the encoded data into the first name field and submit.
Just like magic, problem solved. Onto the next one.

Level: Hard

Here we are going to the source code location first, just like we did in the medium level.

First read the code to understand what it is doing, so head over to function_external.php.
Then let’s go back to bWAPP. Something isn’t working: the h1 and h2 tags are not showing their size, so let’s open the page source.

Instead of the entities from the medium level, the input is now passed through htmlspecialchars. So what if we used the URL encoder once more, would it work?

Below we are trying to get from htmlspecialchars output to entities and then to raw text in bWAPP.

What are HTML special chars?

htmlspecialchars is a PHP function that converts special characters such as <, >, & and quotes into HTML entities, so that harmful HTML code submitted to a site is displayed as text instead of being rendered. https://www.1keydata.com/php-tutorial/htmlspecialchars.php

Apparently the function xss_check 3 applies htmlspecialchars to the input value with UTF-8 as the character set, so the double encoding trick does not work here: whatever is left after the server’s single decode is escaped, and the characters are returned as plain UTF-8 text.
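As an added example (not the post’s or bWAPP’s own code), here is a small Python model of the medium and hard levels described above: why the medium level falls to double URL encoding, and why an htmlspecialchars-style escape with UTF-8 does not. The medium filter’s order (escape first, URL-decode second) is my assumption about its logic, based on the double-encoding behaviour the post observes.

```python
from html import escape
from urllib.parse import unquote

# Constructed sample inputs: the post's payload (John in a <strong> tag),
# sent plain, URL-encoded once, and URL-encoded twice.
PLAIN = "<strong>John</strong>"
ONCE = "%3Cstrong%3EJohn%3C/strong%3E"
TWICE = "%253Cstrong%253EJohn%253C/strong%253E"


def server_decode(query_value: str) -> str:
    """The web server / PHP runtime URL-decodes a GET parameter exactly once."""
    return unquote(query_value)


def medium_filter(value: str) -> str:
    """Assumed model of the medium level: escape < and > first, then URL-decode.
    Escaping before decoding is the defect: a still-encoded %3C passes the
    escape step untouched and only turns into '<' afterwards."""
    escaped = value.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(escaped)


def hard_filter(value: str) -> str:
    """Model of the hard level: htmlspecialchars(..., ENT_QUOTES, 'UTF-8').
    html.escape(quote=True) escapes the same set of characters (& < > " ')."""
    return escape(value, quote=True)


def fixed_medium_filter(value: str) -> str:
    """Corrected order for the medium level: decode any remaining encoding
    first, then escape, so nothing can 'arrive' after the escape step."""
    return escape(unquote(value), quote=True)


def renders_markup(output: str) -> bool:
    """True if raw tag characters would reach the browser and be rendered."""
    return "<" in output or ">" in output


if __name__ == "__main__":
    for label, sent in (("plain", PLAIN), ("once", ONCE), ("twice", TWICE)):
        got = server_decode(sent)
        print(f"{label:6} medium={medium_filter(got)!r} rendered={renders_markup(medium_filter(got))}")
        print(f"{'':6} hard  ={hard_filter(got)!r} rendered={renders_markup(hard_filter(got))}")
        print(f"{'':6} fixed ={fixed_medium_filter(got)!r}")
```

Running it shows the double-encoded payload coming out of the medium filter as a raw <strong> tag, while the hard filter leaves it as literal %3C text, which matches what the post sees in the page source.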

That’s all for now folks, until next time.
