A1 – HTML Injection – Reflected (GET) (Level: Low/Medium)

Hello Cyberman,
The content of this article will be on HTML injection. It is an old type of vulnerability. However, it is still effective.

What Is This HTML Injection?

HTML is a markup language. It is used on all websites. To give a simple example: It is used to define the location, shape and properties of buttons on a website.

HTML injection also serves to include HTML codes that the programmer has not defined on the page. It’s a malicious vulnerability, and it’s still common today, and it’s quite an old one.

Let’s try to explain with examples on our bWAPP vulnerable machine.


HTML Injection Detection

HTML Injection usually occurs on the page where information is input and output.For example: There is a search section on the page, when you type “s4msecurity” in this section, the system searches for the parts where the word “s4msecurity” is mentioned and gives the search result. “Articles with the word s4msecurity.” Imagine it outputs something like.

If the attacker enters html codes in the search section and the output is supported by html codes, it means it exists in this section.

Let start!


Consider a field where username and surname information is entered as in the picture above. 

The output will be like the picture above. Now let’s embed HTML codes, for example using the “<h1>” header tag.

The output of the picture above will not be the same, the “S4m” part will be written in bold, the “security” part will be normal.

As you can see, the “S4m” part turned out to be large. Well, now we’ve identified this vulnerability.

What can be done with this vulnerability?

  • By manipulating users, their information can be stolen. 
  • You can embed code in the system with various JavaScript scripts and run the system according to you.
  • You can open a backdoor to the system by uploading various files with JavaScript.

In summary, you can do anything as long as your HTML knowledge and WEB knowledge are enough.

There are various solutions for this vulnerability in programmers. For example: For HTML characters, such as deleting characters such as “<“,”>” when processing into the system, or encrypting the URL with a character. 

Let’s set the bWAPP level from low to medium.

Difficulty Level: Medium

Now, when we enter the same HTML codes, an output like the one below welcomes us.

Never back down! Just, deep think! Some values seem to have been changed in the URL address section, which can be seen in the picture above.

 Look at the picture above. Looking carefully inside the white area, it can be seen that it has changed to “<h1>S4m<%2Fh1>”.

A simple search on the internet will reveal what it is. This URL is Encoded. See for detailed information. There are plenty of URL Encode/Decode tools on the internet.

I typed and encoded “<h1>S4m</h1>” into an Encode/Decode tool I found on the internet, and the result was: “%3Ch1%3ES4m%3C%2Fh1%3E”.
I’m found web tools: https://www.url-encode-decode.com/ 

Now, try again.

When you log in again as in the picture above, the output will be as it was originally.


Excellent. In order to prevent this, some sites can make the method of the forms “POST” instead of “GET” in the URL address section. And this is not a problem. BurpSuite is with us. 🙂 You can find out what it is with a little search on the internet.

Have a nice day with lots of informatics 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *