BWAPP HTML Injection (Reflected URL/Stored Blog)

BWAPP A1 - Injection

HTML Injection - Reflected URL:


Capture the header with burp suite and manipulate the header to inject the malicious code.

Burp Suite header

GET /bWAPP/htmli_current_url.php?<h2>dfbfd</h2> HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/bWAPP/htmli_current_url.php
Cookie: security_level=0; PHPSESSID=2rbsk7srls24vvk3m5gciudngv
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

In this level, there is no sanitization and the source code is

$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];               


localhost/bWAPP/htmli_current_url.php#<h2>code injection</h2>

Note however, that some browsers may encode the < and > characters in the URL, causing the attack to fail. However there are other scenarios which do not require the use of these characters, nor embedding the code into the URL directly, so these browsers are not entirely immune to this type of attack either.

So, using IE old version will be a successfull attack and and the source code is

$url = "<script>document.write(document.URL)</script>";

Usually document.url, document.write, document.location comes under DOM XSS, if its not properly handled.
For more details about DOM based attacks, refer the first link in reference section.

HTML Injection - Stored Blog:


<a href='' >test</a>

Sample payload,

<iframe src="robots.txt"+height="200"+width="300"></iframe>

In this, we can try different payloads like creating a login template and that will redirect to your malicious website which will get the users credentials in URL GET parameter. After that, you can store the credential with a script and redirect the victim to the dashboard page. Like this, we can try a different type of payload.


In some cases, medium level and high level are the same. In this case,I have used some encoded payloads. It’s Sanatized properly.


Author: Mukhilan
Reprint policy: All articles in this blog are used except for special statements CC BY 4.0 reprint polocy. If reproduced, please indicate source Mukhilan !