
HTML Injection - Reflected (GET) bWAPP

시큐렛 2019. 11. 27. 01:00

What is HTML Injection?

Reflected HTML Injection occurs when HTML tags placed in a request parameter are echoed into the page unchanged, so an attacker can make the page display content the developer never intended or send the user to another site.

Reflected means the injected markup is returned in the immediate response to the request that carried it; the attack therefore relies on getting a user to click a URL into which the attacker has inserted malicious HTML tags.

With the GET method, the client (user) sends data to the server by appending it to the URL; a "?" marks the end of the path and the start of the data.

http://localhost/bWAPP/htmli_get.php?firstname=bee&lastname=box&form=submit

The data consists of key/value pairs. In the URL above the keys are firstname, lastname and form, and the corresponding values are bee, box and submit.

Welcome bee box

As the screenshot above shows, entering bee as First name and box as Last name prints Welcome bee box below the form.

vim /var/www/bWAPP/htmli_get.php

After obtaining root (su -) and opening htmli_get.php with the command above, you see the code shown in the screenshot below.

htmli_get.php

The code checks whether firstname or lastname is empty; if so it prints Please enter both fields..., otherwise it prints Welcome followed by firstname and lastname, echoing both values straight into the page without any encoding.

First name : bee<h1>CLICK HERE</h1>
Last name : <a href="https://www.google.com"><img src="data:image/jpeg;base64,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" border="0"></a>

Entering the payloads above as First name and Last name produces the page shown below.

CLICK HERE

The <h1> tag in First name renders a heading, and the <a> and <img> tags in Last name embed an image wrapped in a link.

Google homepage

Clicking the hacker image in the screenshot above takes you to the Google homepage through the href attribute.

If the link pointed not at Google but at a site that downloads and runs a malicious file, this would be a real risk.


Countermeasure

The countermeasure is to validate the firstname and lastname values and, if they contain characters that are special in HTML, replace them with their entity equivalents using a replace call.

$firstname = str_replace('<','&lt',$firstname);

Adding the line above to htmli_get.php and trying again gives the following result.

Converted "<"

As the screenshot shows, the same value was entered in both Firstname and Lastname, but only in Firstname has < been converted to &lt, because the str_replace was applied to $firstname alone; the Lastname value is still reflected unchanged.
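To make the point concrete, here is an added example (not bWAPP's own code, and not a copy of the htmli_get.php shown in the screenshot) that puts the unfiltered echo described above next to the partial str_replace fix from this post and a complete fix using htmlspecialchars(). The function names, the localhost URL and the payload are assumptions for illustration; the payload is constructed and leaves out the base64 image data from the post.

```php
<?php
// Added example, not bWAPP's code: a stand-in for the echo in
// htmli_get.php, the partial fix from the post, and a hardened version.
// Run with: php htmli_demo.php

declare(strict_types=1);

// Vulnerable: the two GET parameters are concatenated straight into the
// response body, which is the behaviour the post demonstrates.
function render_welcome_vulnerable(string $firstname, string $lastname): string
{
    if ($firstname === '' || $lastname === '') {
        return 'Please enter both fields...';
    }
    return 'Welcome ' . $firstname . ' ' . $lastname;
}

// Partial fix from the post: only '<' is replaced, only on one field,
// and the entity is written as '&lt' without its closing ';'.
function render_welcome_partial(string $firstname, string $lastname): string
{
    if ($firstname === '' || $lastname === '') {
        return 'Please enter both fields...';
    }
    $firstname = str_replace('<', '&lt', $firstname);
    return 'Welcome ' . $firstname . ' ' . $lastname;
}

// Hardened: every reflected value is entity-encoded for the HTML body.
// ENT_QUOTES also encodes " and ', so a value cannot break out of an
// attribute either; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_welcome_hardened(string $firstname, string $lastname): string
{
    if ($firstname === '' || $lastname === '') {
        return 'Please enter both fields...';
    }
    return 'Welcome ' . h($firstname) . ' ' . h($lastname);
}

// Constructed sample input: a heading in First name and a link in Last
// name, the same shape of payload as in the post (image data omitted).
$firstname = 'bee<h1>CLICK HERE</h1>';
$lastname  = '<a href="https://www.google.com">hacker</a>';

// The attacker delivers it as a GET URL the victim is tricked into
// clicking; http_build_query() percent-encodes the tags. Host is assumed.
$url = 'http://localhost/bWAPP/htmli_get.php?' . http_build_query([
    'firstname' => $firstname,
    'lastname'  => $lastname,
    'form'      => 'submit',
]);

echo "Attack URL:\n" . $url . "\n\n";
echo "Vulnerable output:\n" . render_welcome_vulnerable($firstname, $lastname) . "\n\n";
echo "Partial fix output:\n" . render_welcome_partial($firstname, $lastname) . "\n\n";
echo "Hardened output:\n" . render_welcome_hardened($firstname, $lastname) . "\n";
```

Running it shows the difference between the three: the vulnerable output contains the live <h1> and <a> tags, the partial fix mangles only the First name tags and leaves the Last name link intact, and the hardened output encodes <, >, &, " and ' on both fields, so neither value can inject markup or escape an attribute. The same encoding function should be applied to every value reflected into the page, not just one of them.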