
iFrame Injection



1h 34m

This course explores HTML injection, stored HTML injection, and other types of attacks in order to begin carrying out some web pen testing in a practical way. 

Intended Audience

This course is intended for anyone who wants to learn the necessary skills to become an ethical hacker and/or a bug bounty hunter.


We recommend that this course be taken as part of our Web Penetration Testing & Bug Bounty Hunting learning path.


Hi. Within this lecture, we're going to continue focusing on the iFrame vulnerability. So, within the previous one, we have found a lot of webpages over here on websites or some kind of folders or files that are hidden from us. Maybe they are not necessarily hidden, but if there is some hidden page, we can find this using this DirBuster or we can just see it in the Burp Suite at some points. If you have the Pro version, obviously you can find it from there as well. So, for example, let me try to find, there was something called evil folder but it seems that I cannot find that. Let me see if I have looked at the right place. So, it says that it starts with evil and it goes something like the Server.jar. So, what is the problem? The problem is, it starts with evil, not bWAPP. So evil, for example. And we can see all the files and folders. Since I have specified not bWAPP as the URL, it's tested against not just the bWAPP, so this is why we are getting that error. So, here we go.

So, back to our iFrame Injection, why did I do all of this stuff? First of all, we wanted to learn about DirBuster because it's a mandatory thing for us to learn when we go with the web pen testing. But if we go to the source of this page like that, we can see something interesting in here. So in the iframe, as you may find the iframe itself, iframe HTML code from here. So, there must be some kind of iframe because in the iframe section, first of all, and it's showing us the iframe of something. Let me find it. Let me search for it with Control-F. Let me search for iframe and here we go. Yes, right. Just right there. How could I not see it? As you can see, the source is the robots.txt.

So, this is what's going on in here. It's showing the robots.txt inside of this iframe to us. So, it's showing the iframe, it's using the iframe in order to show some URL back to us. So, what I can do is, if I found any different webpages or some different hidden files or something like that. Okay, let me go to iFrame Injection one more time. I can see it's showing the robots.txt here. So, if I found something interesting but I cannot go to that directly from the URL, maybe I can just go to that file from this iframe. Right? So, this happens. They just use iframes for these purposes all the time. So, if I want to, I can delete this robots.txt and I can just replace it with any file or folder or something like that in here, like images, for example. And it could not be found. So, let me try like this. Yeah, it couldn't be found again. So maybe, we want to omit the bWAPP and just try the images itself. So, this was one of the things that we have found. I've misspelled the bWAPP. It has to be in capital letters in W-A-P-P, and here we go. Now we see this.

Maybe we couldn't see that in the regular URL in the browser. And in fact, we could see that, I believe. If I go to Images, it works here as well because it's extremely buggy. But if we couldn't get it from there, maybe you could have got it from here as well. So, this is one of the things that you should look for. And in order to find the hidden files and folders again, you can use DirBuster. You can take a look at the Burp Suite in order to find the interacted files and folders and take something from there and try to display it. If you find a suitable vulnerability like this, you can use DIRB or any other tools that you may like. But I generally use DirBuster and it works fine. All it does is it takes so much time, but if you use something less, like a small word list, it will take so much less, obviously.

And if you go to this iFrame Injection one more time, it will display the robots.txt as usual. So, let me go to Proxy and turn the Intercept on, and let's see what this looks like in Burp Suite. So, I'm going to open the iFrame Injection one more time and say 'Hack'. Here we go. Now, we see the request that is made in order for us to see this. So, over here we see that this is a POST request and if I forward this, I get this iframei.php. Let me forward this as well. I'm looking for the regular parameters. Here you go. This is the one that I'm looking for. Of course, you can get multiple requests like this. You have to forward until you find what you're looking for. So, I'm looking for this. I see the parameters in here, like robots.txt, width and height. We can even change the width and height from here.

However, we're not here for that. We're going to do some more advanced stuff. For example, what am I going to do? I'm going to close this iframe tag and I will inject so much more in it. So, how am I going to do that? I'm going to come over here and just put a quotation mark and try to close this tag. So, I'm going to close it like that and just say iframe. So, this may work or this may not work, but it's very short. So, I'm going to give an H1 in here, just to test this. And between the H1 and the other H1, I can just put whatever I want. So, I'm trying to do some sort of an HTML injection in here again, as well.

So, I'm going to say 'hello html' and I'm going to close the H1 tag. So, this may work or this may not work, we're going to see it. So I believe we aren't supposed to just put some spaces between them. So, I'm going to say 'hellohtml', like, together. And I'm going to forward this request and see what happens if I come over here. And here you go. It got injected. So, we've found an iFrame Injection and also we found some kind of HTML Injection here, as well. Right? So, it broke something. So, we see something like width and height over there as well, but it worked. So, you can change the requests like that. Okay. This was the main thing rather than the HTML thing and also, you can use DirBuster to discover some kind of files and folders that may be hidden from you. So, that's it. We're going to stop here and continue within the next section.
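
The behaviour shown in the lecture, an iframe whose source, width and height come straight from request parameters, placed beside a hardened version, as an added example that is not part of the course or of bWAPP's own code. It is written in Python rather than the application's PHP; the function names, the allowlist, the size limit and the default size of 250 are assumptions made for illustration.

```python
import html

# Hypothetical allowlist: the only documents this page is meant to frame.
ALLOWED_SRC = {"robots.txt"}
DEFAULT_SRC = "robots.txt"
DEFAULT_DIM = "250"   # assumed default size
MAX_DIM = 2000        # assumed upper bound for width/height


def render_vulnerable(url, width, height):
    # Mirrors what the lecture observes: request values are pasted into the
    # attributes unescaped, so a quotation mark ends the attribute early and
    # the rest of the value is parsed as markup.
    return '<iframe src="%s" width="%s" height="%s"></iframe>' % (url, width, height)


def _dimension(value):
    # Accept only plain ASCII decimal integers within a sane range.
    if value.isascii() and value.isdigit() and 0 < int(value) <= MAX_DIM:
        return str(int(value))
    return DEFAULT_DIM


def render_hardened(url, width, height):
    # 1. The framed document must be on the allowlist; other folders,
    #    absolute URLs and markup all fall back to the fixed default.
    src = url if url in ALLOWED_SRC else DEFAULT_SRC
    # 2. Width and height are rebuilt from parsed integers, never echoed.
    w, h = _dimension(width), _dimension(height)
    # 3. Escape on output as well, so a later allowlist entry containing a
    #    quote or angle bracket still cannot leave the attribute.
    return '<iframe src="%s" width="%s" height="%s"></iframe>' % (
        html.escape(src, quote=True), w, h)


if __name__ == "__main__":
    # Constructed sample input modelled on the test string used in the lecture.
    probe = 'robots.txt"></iframe><h1>hellohtml</h1>'
    print(render_vulnerable(probe, "250", "250"))
    print(render_hardened(probe, "250", "250"))
```
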


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.