
HTML Injection - Reflected (POST)

low


We are given two input fields, one for the first name and one for the last name.

Let's fill them in and intercept the request in Burp Suite.


We can see that the request method is POST.

Let's input the following HTML tags:

First name: 
<h1>john</h1>

Last name:
<h2>doe</h2>


medium

Let's intercept the request using Burp Suite.


As we can see, the HTML characters in our input have been URL-encoded.

Let's send the request to Repeater and encode the entire input, including the name, to check whether that evades the security filter.

firstname=%3c%68%31%3e%6a%6f%68%6e%3c%2f%68%31%3e&lastname=%3c%68%32%3e%64%6f%65%3c%2f%68%32%3e&form=submit


We have successfully exploited the HTML injection vulnerability.
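
Why a filter that runs before decoding misses this input, and how to handle it instead, as an added example that is not code from this page or from the target application. It assumes a filter that escapes literal angle brackets and then URL-decodes the value (the page does not show the filter's code); all function names are hypothetical.

```python
import html
import re
from urllib.parse import unquote

# Request body from the walkthrough above, used as sample input.
RAW_BODY = ("firstname=%3c%68%31%3e%6a%6f%68%6e%3c%2f%68%31%3e"
            "&lastname=%3c%68%32%3e%64%6f%65%3c%2f%68%32%3e&form=submit")

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
UNRESERVED = re.compile(r"[A-Za-z0-9\-._~]")  # RFC 3986 section 2.3


def raw_values(raw_body: str) -> dict[str, str]:
    """Split the body without decoding (assumed view of the weak filter)."""
    return dict(pair.split("=", 1) for pair in raw_body.split("&"))


def weak_filter(value: str) -> str:
    """Hypothetical weak handler: escape literal < and >, then URL-decode."""
    escaped = value.replace("<", "&lt;").replace(">", "&gt;")
    return unquote(escaped)  # decoding after the check recreates the markup


def safe_render(value: str) -> str:
    """Hardened handler: decode first, HTML-escape as the last step."""
    return html.escape(unquote(value), quote=True)


def overencoded_params(raw_body: str) -> list[str]:
    """Detection: names of parameters that percent-encode unreserved chars.

    Browsers leave letters and digits unencoded in form bodies, so a value
    containing '%6a' for 'j' points to a hand-built request.
    """
    flagged = []
    for pair in raw_body.split("&"):
        name, _, value = pair.partition("=")
        chars = (chr(int(h, 16)) for h in PCT.findall(value))
        if any(UNRESERVED.fullmatch(c) for c in chars):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    first = raw_values(RAW_BODY)["firstname"]
    print("weak filter :", weak_filter(first))
    print("safe render :", safe_render(first))
    print("flagged     :", overencoded_params(RAW_BODY))
```

Escaping only works as the final transformation before the value is written into HTML; any decode that runs after it reopens the hole.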