1. Home
  2. Training Library
  3. Programming
  4. Programming Courses
  5. A Practical Introduction to HTML Injection

Stored HTML Injection



The course is part of this learning path

Start course
1h 34m

This course explores HTML injection, stored HTML injection, and other types of attacks in order to begin carrying out some web pen testing in a practical way. 

Intended Audience

This course is intended for anyone who wants to learn the necessary skills to become an ethical hacker and/or a bug bounty hunter.


We recommend that this course be taken as part of our Web Penetration Testing & Bug Bounty Hunting learning path.


Hi, within this lecture, we're going to cover other types of HTML Injections. We have already covered Reflected GET and said the Reflected POST is the same thing, so I'm not going to spend so much time in here but I'm just going to show you so that it won't hang on your mind or something like that. I'm going to say Atil here and Sam in here as usual. If I say go it will display the result back to us like that. So, what's different over here? So, let me go to Burp Suite and just run the intercept, okay? I'm going to turn the intercept on and if I do the same thing one more time. So, Atil Sam something like that. If I say 'Go' it will intercept this request and as you can see it's doing a POST request right now. So, it's not a GET request, it's a POST request. So, as I said before, the difference between GET and POST is not very crisp or it's actually very understandable in real examples or in a real life coding but you can interchangeably use them depending on the situation. For example, in this case we can do either a POST request or a GET request. If I want to write something in a database then I would definitely go for POST, but as you can see in this case we can go for POST and we can go for GET depending on how our backend behaves. So, if I forward that I can see the same result in here, okay? So, if I want to test this for HTML vulnerabilities or HTML Injection vulnerabilities then I would have done the same thing, right? I can come over here and I can just take this h1 thing and put it over there or if it doesn't work I can just go and try something else. So, I'm going to turn this intercept off because it's intercepting this GitHub as well. Okay, I cannot do anything. I'm going to copy this and go back to my bWAPP and paste it and for the last name I'm just going to say Sam and hit 'Go' and here we go, it works. So, as you can see there is the same kind of injection over here even though it's a POST it really doesn't matter. So, we have covered GET and we have covered POST. So, one of the differences over here, we cannot see the parameters in the URL as you can see, but we have seen them in the Burb Suite, okay? So, this is one of the differences. So, depending on your choice you can code it anywhere if you're a web developer, okay? But it really doesn't change the fact that your site might be vulnerable to HTML injection. So, let's move to the Stored. As you can see this is a Blog post, I believe, or a Blog page, something like that, okay? We have covered the Reflected and GET and POST, now I'm inside the Stored Blog. So, I believe we have a text area in here like we have seen in the elements when we deal with the HTML and over here remember we have done this, okay? And it got shown to us but later on when we come back, as you can see nothing happens. If we don't do it, if we don't write alert in here, nothing will happen because it won't get stored. It's going to be reflected if you can just send this link to anyone then it will be run on their computer as we're doing it right now. They're going to see the same thing. If you just copy this link and send it to someone. And of course you cannot do that without asking permission or this is just a test. So, just don't do this. But in real life, hackers can come over here and search for a link shortener, something like bitly.com, so in order to not raise any suspicion, they can just shorten their links, okay? Let me do that for you. I'm going to go for bitly.com. I have copied that URL, I'm going to paste it in here, okay? So, it's just sending the parameters as we have seen, I'm going to make it shortened and I'm going to copy this link, okay? And pretend that I have sent it to some friends and then they just hit on this link, it will be opened on their computer and it will be shown something like this. So, it's how hackers exploit this vulnerability. Of course they don't show alert dialogs, they try to attack with something called beef browser exploits framework, or something like a cookie stealing attack, but Stored is much more dangerous because we can store the attacks in here. So, whenever somebody visits that page without even clicking on a link or something, they will be just exposed to that attack. So, what do I mean by that? Let me show you. So, as you can see this is just a post page. If I submit this, I can see this as a command in here. I don't know, maybe it's a chat page. So, let me try to come back, let me come over here and just hack and as you can see we can still see because it's already in the database right now. So, whoever comes to this page will see this, right? So, it's a classic chat page or classic blog page, something like that. So, if I try to inject some HTML code in here, something like this, let's see if this works or not. So, let me submit this and here we go, it works. So, maybe if I can just do some injection over here with pure HTML maybe we can do this as well, right? Maybe you can come over here and paste this thing and just submit this and here we go. Now we chose. Now see what happens when somebody visits that page from scratch. If I say hack, here we go. I see this thing one more time. So, anybody visiting this page will be exposed to this attack. So, it is very, very severe. It's really malicious in this case. So, if you find a Stored HTML injection bug then of course it will work much more than a Reflected injection bug and you will get a bigger bounty hopefully, I don't know, it's supposed to be that way and it happens all the time but it depends on the procedures of that related company, right? So, if you say delete from here, you can delete every post that you already did over there so that you can have a nice page over there. So, we have seen the difference between Stored and Reflected as well. So, what we can do over here, we can try to increase the complexity of our attack. For example, we're going to learn something about  iframe HTML. So, let me show you what an  iframe is because we're going to be dealing with  iframe injections all the time. So,  iframe is basically a frame. So, let me go into one of the websites. You don't have to do that by the way, I'm just opening some website to show you what is an  iframe, okay? So, it's an HTML structure. If we see this, yes.  iframe is defined with  iframe tag like this. It's not a self closing tag, you have to close this and if you just provide a source like an attribute over here, it will be displayed in a frame. So, it's basically a frame like you can just provide any source like an URL, like an HTML page, anything you want. You can change the style, you can change the pixels, you can give it a name, you can give the real link like that. And of course we can try to see how it looks like because since we can already inject something over here, why not inject an  iframe, right? So, by the way this is a very valid test and trial over here because sometimes h1 doesn't work but  iframe works. So, if h1 doesn't work for you, it doesn't necessarily mean that you don't have HTML injection in that page. So, let me find a URL as we did before. So, I'm going to go for Metallica over here so we need an image URL. So, I'm going to say copy image location. Let me see if I copied the right thing. 'Yeah, here we go. Just find any image, any Metallica image or any image that you want, maybe your favorite band. Then for SRC, I'm going to give this, okay? And that's it actually, so just give the SRC. Just make sure you put quotation marks over here before closing the tag and then just close the tag with something like this,  iframe. So, let's see if this works or not. If I submit this as you can see it displays the image and it's inside of a frame, okay? It's inside of a frame. So, what does this mean? So, why do I want to inject a frame in here, right? So, again this is one of the good tests that we can test for when we are testing for HTML Injection, okay? So, they generally block these things so maybe they blocked all the headings but they forgot to block the  iframe. So, rather than this, I can just come over here. Rather than providing a regular URL, I can just provide my own IP address. Right? Even though this is a local IP address, since we are in the local network, it really doesn't matter. So, let me show you very quick. So, I'm going to write http//: over here, which is my IP address, and I'm going to put a colon over here and just provide that port. So, port is some kind of a gate that we receive the connection between computers or between services. Okay? So, it really doesn't matter what you use in this case but there are some common ports like 443, 80, 22, 23. So, we try to avoid those, because it's already in use in many servers or in many services. So, rather than that, we just come up with something random. Something like 1234, 4444, 5555. So, it's a way, it's a gate to receive connection from somewhere and in this case, I'm just going to try and receive connection from this website to my own Kali Linux. Okay? So, I'm going to say 4545. And if it doesn't work for you, you can just always try with something else. And I'm going to put a test over here like a test folder. Okay? And just close the double quotation mark. And I'm going to change the height  and with attributes as well. I'm going to give it 00 to make it invisible. Okay? So, nothing will be shown in the entry over here in the block entry but this code will get run, right? So, make sure you write exactly the same with me. So, I changed the SRC to be my own Kali Linux IP address. Of course, you can just write your own and I have put 4545 over here. I've changed the height and width attributes to make this invisible. So, what it will do, it will try to send connection to that IP address. And in the Kali Linux as a hacker machine, I'm going to try and listen for that incoming connection. If it succeeds, then I can hack into that website. So, let me show you what I mean. I'm going to clear this. There is a tool called, a very cool tool called NetCat. So, it comes already pre-installed in Kali Linux. All you have to do is just write nc, that stands for Netcat. Okay? And by using Netcat, we can just handle the incoming connections and we can do so much more than that but we generally want to handle, manage the incoming connections and in order to do that, you can just write -nvlp. Okay? This will listen for ports and you have to specify the port, obviously. And the port in this case, 4545. Okay? Because I have specified it to be so. So, if you have chosen any other port, make sure you change it in here as well. So, hit 'Enter' and it will start listening and come over here and just submit this. Now, It's submitted. Nothing appears in here. It looks like a perfectly empty spot or empty blog post but as you can see, we managed to gather the IP address of this sender so we didn't do much, okay? We just gathered the IP address. In this case, we're not going to hack into the server of this web application. We're going to do that as well in the upcoming lectures, okay? Where we can actually find a way to execute any command on the target server. But right now, it's just sending me a connection and I can see where it's coming from. So, I can see the IP address of all the visitors for example. So, it's a big bug for this website, okay? It's a big secret or flaw for this website because this website is bound by the log to protect this kind of information about the visiting users. Okay? So, as you can see, it actually responds and it actually forwards the IP addresses to us. So, this is kind of techy and maybe you don't come across with stored HTML injections very much. But again, this is the most popular vulnerability. Like injections are the most popular program vulnerability for so long right now. So, it's not so rare as well. Okay, obviously you're going to find a lot of reflected ones but maybe you can find stored ones if you're very careful as well. So, let's stop here and continue within the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.