The Cost of Neglect: HTML Injection


Vaibhav Kumar Srivastava

I understand that you have already read several blogs on HTML injection, but this one is not solely about HTML injection. Instead, it discusses developer negligence and how you can turn that negligence into a test case during testing.

I was about to test a web application, and for that, I initiated the signup process, which typically appears as shown in the screenshot below.

I attempted to inject HTML tags into the First Name and Last Name fields, but the application did not allow it. Another common approach is to intercept the request using Burp Suite and inject the payload, but that was also blocked. I also experimented with various encoding methods, but none of them proved successful.

Then, upon careful observation of the request body, I noticed an additional parameter named “name” that was being sent in the request body. This parameter was a combination of the First Name and Last Name fields. (Please refer to the screenshot below for clarification.)

Now, I attempted to directly inject my HTML tags into the “name” parameter instead of the First Name and Last Name fields. Surprisingly, there was no sanitization applied to the “name” parameter, and the application accepted the payload successfully.

I received a confirmation email from the application, and the payload I injected successfully executed in the email body.

Things to catch:

1- Sanitization and encoding should be applied to every parameter the user can control, not only the visible form fields.

2- Always experiment with any extra parameters that show up in the proxy tool.

3- Think outside the box.
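The pattern in the story, as an added Python example (not code from the original post): the visible first- and last-name fields pass an allow-list check, but the client also sends a derived "name" value that is concatenated straight into the confirmation e-mail template. The function names, the field names, the allow-list regex and the sample request bodies below are all constructed for this illustration; the fixed handler shows the two corrections a developer should make, which are recomputing the derived value on the server instead of trusting the client copy, and HTML-escaping at the point of output. A small helper also lists request fields that are not part of the expected schema, which is the "extra parameter" check the post suggests adding to a test plan.

```python
import html
import re

# Constructed schema for the illustration: fields the signup endpoint documents.
EXPECTED_FIELDS = {"first_name", "last_name", "email"}

# Constructed allow-list for a single name part: letters, apostrophe, space, hyphen.
_NAME_PART_RE = re.compile(r"^[A-Za-z' -]{1,64}$")


def validate_name_part(value: str) -> bool:
    """Allow-list check applied to the visible First Name / Last Name fields."""
    return bool(_NAME_PART_RE.fullmatch(value))


def build_welcome_email_vulnerable(body: dict) -> str:
    """Vulnerable handler: validates the visible fields, then trusts the
    client-supplied derived 'name' field and interpolates it unescaped."""
    if not (validate_name_part(body["first_name"])
            and validate_name_part(body["last_name"])):
        raise ValueError("invalid name")
    # The derived field bypasses the check above and lands in the HTML e-mail as-is.
    return f"<p>Welcome, {body['name']}!</p>"


def build_welcome_email_fixed(body: dict) -> str:
    """Fixed handler: the derived value is recomputed server-side from the
    validated parts, and escaped when rendered into HTML."""
    first, last = body["first_name"], body["last_name"]
    if not (validate_name_part(first) and validate_name_part(last)):
        raise ValueError("invalid name")
    full_name = f"{first} {last}"  # never read 'name' from the request
    return f"<p>Welcome, {html.escape(full_name)}!</p>"


def unexpected_fields(body: dict) -> set:
    """Test-case helper: parameters present in the request body but absent
    from the documented schema. These are the ones worth probing in the proxy."""
    return set(body) - EXPECTED_FIELDS


if __name__ == "__main__":
    # Constructed request body: valid visible fields, markup in the derived field.
    request = {
        "first_name": "Ada",
        "last_name": "Lovelace",
        "email": "ada@example.com",
        "name": "<b>Ada</b> Lovelace",
    }
    print("extra fields:", unexpected_fields(request))
    print("vulnerable:", build_welcome_email_vulnerable(request))
    print("fixed:     ", build_welcome_email_fixed(request))
```

Note that escaping at output is what protects the e-mail even for characters the allow-list legitimately admits, such as the apostrophe in a surname, which is why the fixed version does both rather than relying on input validation alone.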

Stay Curious Stay Protected!
