HTML Injection - Reflected (URL)

low

The application prints our current URL on the page.

Let's turn on the intercept in Burpsuite and reload the page.

We can change the Host: field to any value we want.

Host: getHacked

Let's turn off the intercept so that the request reaches to the server.

We have successfully performed HTML injection.