Hacktify Weak 1

This penetration testing report details a Black Box security assessment of the 'HTML Injection & XSS Labs' from Hacktify, identifying vulnerabilities across 17 sub-labs with varying risk ratings. The report outlines specific vulnerabilities related to HTML injection and Cross Site Scripting (XSS), their potential consequences, and recommended mitigation strategies. The assessment aims to enhance the security posture of the applications tested by providing a comprehensive overview of vulnerabilities and remediation guidelines.


Penetration Testing Report

Full Name: Shubham Singh
Program: HCPT
Date: 16.02.2025

Introduction
This report documents the procedures and results of a Black Box security assessment
conducted on the "HTML Injection & XSS Labs" from the Hacktify Week 1 Labs. The report
outlines identified vulnerabilities, associated risks, and recommended mitigation strategies
to enhance the security posture of the applications tested.

1. Objective
The objective of the assessment was to uncover vulnerabilities in the Week 1 Labs and
provide a final security assessment report comprising the vulnerabilities found, a remediation
strategy and recommendation guidelines to help mitigate the vulnerabilities and risks identified
during the activity.

2. Scope
This section defines the scope and boundaries of the project.

Application Name: HTML Injection, Cross Site Scripting

3. Summary
Outlined is a Black Box Application Security assessment for the Week 1 Labs.

Total number of Sub-labs: 17

Risk Rating   Count   Difficulty
High          6       Six Sub-labs with hard difficulty level
Medium        5       Five Sub-labs with medium difficulty level
Low           6       Six Sub-labs with easy difficulty level


1. {HTML INJECTION}
1.1. {HTML's are easy!}
Reference: {HTML's are easy!}
Risk Rating: Low
Tools Used
Manual testing with browser dev tools
Vulnerability Description
Improper handling of HTML input in the search box allows HTML tags like <h1> to be rendered, leading
to potential XSS or injection attacks.
How It Was Discovered
Manual testing by inputting <h1>Cat</h1> in the search box and observing the unfiltered HTML render.

Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_1/index.php
Consequences of not Fixing the Issue
Potential for XSS attacks, content manipulation, and damage to reputation.
Suggested Countermeasures
Implement input validation, output encoding, use a WAF, and apply a Content Security Policy (CSP).
References
OWASP XSS Prevention Cheat Sheet, OWASP HTML Injection

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
1.2. {Let me Store them!}
Reference: {Let me Store them!}
Risk Rating: Low
Tools Used
Manual test
Vulnerability Description
The user profile page is vulnerable to Stored XSS, as it fails to sanitize user input properly, allowing
attackers to inject and store malicious HTML/JavaScript( "/><h1>Hacked by Cat</h1>" ), which
executes when the page is loaded, leading to potential session hijacking, data theft, or defacement.
How It Was Discovered
Manual Analysis "/><h1>Hacked by Cat</h1>"
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_2/index.php
Consequences of not Fixing the Issue
This vulnerability can lead to session hijacking, data theft, account takeover, website defacement,
phishing attacks, and reputational damage, potentially compromising user security.
Suggested Countermeasures
Implement input validation, output encoding, and Content Security Policy (CSP).
References
OWASP XSS Prevention Cheat Sheet

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
1.3. {File Names are also vulnerable! }
Reference: {File Names are also vulnerable!}
Risk Rating: Medium
Tools Used
Kali Linux and manual testing.
Vulnerability Description
The file upload functionality allows the upload of .html files without proper validation, enabling
attackers to upload and execute malicious web shells, phishing pages, or defacements.
How It Was Discovered
Manual analysis: uploaded a .txt file containing <h1>Hacked by Cat</h1>.
The file was accepted and its content was displayed in the response, revealing a
stored HTML injection vulnerability.
Vulnerable URLs
labs.hacktify.in/HTML/html_lab/lab_3/html_injection_3.php
Consequences of not Fixing the Issue
Attackers can upload and execute malicious scripts, leading to website defacement, data exfiltration,
remote code execution (RCE), and complete system compromise.
Suggested Countermeasures
Restrict allowed file types (only allow images, PDFs, etc.).
Implement MIME type validation to verify actual file content.
Store uploaded files outside the web root and serve them securely.
Sanitize filenames to prevent directory traversal attacks.
References
OWASP Unrestricted File Upload Guide
OWASP File Upload Security Best Practices

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
1.4. {File Content and HTML Injection a perfect pair!}
Reference: {File Content and HTML Injection a perfect pair!}
Risk Rating: High
Tools Used
Manual testing
Vulnerability Description
The application improperly handles file uploads, allowing users to upload .txt files containing HTML
content, which is later rendered in the response. This leads to Stored HTML Injection or Reflected File
Content Disclosure, which can be exploited for defacements, phishing, or data leaks.
How It Was Discovered
Manual analysis: uploaded a .txt file containing <h1>Hacked by Cat</h1>.
The file was accepted and its content was displayed in the response, revealing a stored HTML injection
vulnerability.
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_4/html_injection_4.php
Consequences of not Fixing the Issue
Attackers can inject malicious scripts, leading to defacements, phishing attacks, and browser-based
exploitation.
Sensitive data leaks may occur if users upload confidential files that are later revealed in raw format.
Suggested Countermeasures
Apply the upload controls listed in 1.3 (allowlist of file types, content-based MIME validation,
storage outside the web root, filename sanitisation) and HTML-encode any uploaded content before
it is rendered in a response, as recommended in 1.6.
References
OWASP File Upload Security
OWASP XSS Prevention Cheat Sheet

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
1.5. {Injecting HTML using URL}
Reference: {Injecting HTML using URL}
Risk Rating: Medium
Tools Used
Manual testing.
Vulnerability Description
The application is vulnerable to HTML Injection via URL parameters, allowing attackers to inject and
render arbitrary HTML code on the webpage. This can lead to defacement attacks, phishing, and social
engineering risks.
How It Was Discovered
Manual analysis: modified the URL parameter in
https://labs.hacktify.in/HTML/html_lab/lab_5/html_injection_5.php?=
Injected the payload: ?=%3Ch1%3EHacked%20by%20Cat%3C/h1%3E
The injected HTML was rendered on the webpage, confirming the vulnerability.
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_5/html_injection_5.php
Consequences of not Fixing the Issue
Attackers can modify the displayed content, enabling the defacement, phishing and social
engineering attacks described above.
Suggested Countermeasures
Validate the URL parameter and HTML-encode it before rendering it in the page (see the
countermeasures listed in 1.6).
References
OWASP HTML Injection Guide
OWASP XSS Prevention Cheat Sheet

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
1.6. {Encode IT!}
Reference: {Encode IT!}
Risk Rating: High
Tools Used
Manual testing.
Vulnerability Description
The application is vulnerable to HTML Injection via the search parameter, allowing attackers to inject
and render arbitrary HTML code in the search results. This can lead to defacement attacks, phishing,
and social engineering risks.
How It Was Discovered
Manual analysis: injected the URL-encoded payload ?=%3Ch1%3EHacked%20by%20Cat%3C/h1%3E into the search parameter.
Vulnerable URLs
https://labs.hacktify.in/HTML/html_lab/lab_6/html_injection_6.php
Consequences of not Fixing the Issue
Users might see misleading or malicious content.
Suggested Countermeasures
Sanitize all user input before rendering it in the HTML response.
Encode special characters (e.g., <, >, ", ') so the browser cannot interpret them as markup.
Use Content Security Policy (CSP) to restrict inline scripts.
Implement input validation to allow only expected values (whitelisting approach).
Use output encoding (e.g., htmlspecialchars() in PHP).
References
OWASP HTML Injection Guide
OWASP XSS Prevention Cheat Sheet

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
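As an added example (not code from this report or from the Hacktify labs), the output-encoding countermeasure above applied in Python to the two injection points this report keeps returning to: the search term, rendered between tags, and the email value, rendered inside a quoted attribute. html.escape plays the role of htmlspecialchars() with ENT_QUOTES; the parameter names search and email and the surrounding HTML are assumptions.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-ins for the inputs described in this report: the
# <h1> used against the search box and the quote-breaking payload used
# against the email parameter in the XSS labs.
SEARCH_PAYLOAD = "<h1>Hacked by Cat</h1>"
EMAIL_PAYLOAD = 'x"><script>alert(document.domain)</script>'


def render_search_results(term: str) -> str:
    """Element-content context: the term sits between tags.

    html.escape turns & < > into entities, so a user-supplied <h1> is
    shown as text instead of being parsed as markup (the lab 1.1/1.6
    case). Same effect as htmlspecialchars() in PHP.
    """
    return f"<p>You searched for: {html.escape(term)}</p>"


def render_email_field(email: str) -> str:
    """Quoted-attribute context: the value sits inside value="...".

    quote=True also encodes " and ', so the x"> prefix of the payload
    cannot close the attribute and open a new tag. The attribute must
    be quoted: escaping alone does not protect value=x onload=...
    """
    safe = html.escape(email, quote=True)
    return f'<input type="email" name="email" value="{safe}">'


def is_inert(rendered: str) -> bool:
    """Check helper: none of the payload's tags survive as real markup."""
    lowered = rendered.lower()
    return not any(tag in lowered for tag in ("<h1", "<script", "<svg", "<img"))


def render_from_query(query_string: str) -> str:
    """Decode the query string exactly once, then escape at output time.

    Parameter names 'search' and 'email' are assumed for the example.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    term = params.get("search", [""])[0]
    email = params.get("email", [""])[0]
    return render_search_results(term) + render_email_field(email)


if __name__ == "__main__":
    print(render_search_results(SEARCH_PAYLOAD))
    print(render_email_field(EMAIL_PAYLOAD))
```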
2. {Cross Site Scripting(XSS)}
2.1. {Let's Do IT!}
Reference: {Let's Do IT!}
Risk Rating: Low
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload: %3CImg%20Src=//X55.is%20OnLoad=import(src)%3E
When injected into the email parameter, the browser executes the script, confirming an XSS
vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_1/lab_1.php?email=%3CImg%20Src=//X55.is%20OnLoad=import(src)%3E
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
2.2. {Balancing is Important in Life!}
Reference: {Balancing is Important in Life!}
Risk Rating: Low
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload: x"><script>alert(document.domain)</script>
When injected into the email parameter, the browser executes the script, confirming an XSS
vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_2/lab_2.php?email
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
2.3. {XSS is everywhere!}
Reference: {XSS is everywhere!}
Risk Rating: Medium
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload: <? foo="><script>javascript:alert(1)</script>">@gmail.com
When injected into the email parameter, the browser executes the script, confirming an XSS vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_3/lab_3.php
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
2.4. {Alternatives are must!!}
Reference: {Alternatives are must!}
Risk Rating: Medium
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload: "><script>prompt ("Cat")</script>
When injected into the email parameter, the browser executes the script, confirming an XSS vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_4/lab_4.php
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
2.5. {Developer hates scripts!}
Reference: {Developer hates scripts!}
Risk Rating: High
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload: "><svgonload=alert(1)>@gmail.com
When injected into the email parameter, the browser executes the script, confirming an XSS vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_5/lab_5.php
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
2.6. {Change the Variation!}
Reference: {Change the Variation!}
Risk Rating: High
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload: "><svgonload=alert(1)>@gmail.com
When injected into the email parameter, the browser executes the script, confirming an XSS vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_6/lab_6.php
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
2.7. {Encoding is the key?}
Reference: {Encoding is the key?}
Risk Rating: Medium
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
The application does not sanitize user input before rendering it in the webpage.
This allows an attacker to inject JavaScript code using URL parameters.
Example payload (double URL-encoded):
%2522%253E%253Csvg%2520onload%253Dalert%25281%2529%253E%2540gmail.com
When injected into the email parameter, the browser executes the script, confirming an XSS
vulnerability.
How It Was Discovered
Manual Analysis: Entering XSS payloads directly in the URL and checking for script execution.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_7/lab_7.php
Consequences of not Fixing the Issue
Session Hijacking – Attacker can steal users' session cookies.
Phishing Attacks – Injected scripts can display fake login forms.
Malware Distribution – Users can be redirected to malicious websites.
Defacement Attacks – Attackers can alter the website's content.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
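Added example, not part of this report: why a request filter that inspects the once-decoded email parameter misses the double-encoded payload from this lab, and how canonicalising before validation, then still encoding at output, handles it. The modelled pipeline (web server decodes once, application calls urldecode again before rendering) is an assumption about how such a lab behaves, not something the report states.

```python
import html
from urllib.parse import unquote

# The double-URL-encoded payload quoted in this section of the report.
DOUBLE_ENCODED = "%2522%253E%253Csvg%2520onload%253Dalert%25281%2529%253E%2540gmail.com"

# Simple token denylist, as used by many WAF rules; shown here as a
# detection signal, not as the primary defence.
DENYLIST = ("<svg", "<script", "onload=", "onerror=")


def denylist_hit(value: str) -> bool:
    lowered = value.lower()
    return any(token in lowered for token in DENYLIST)


def naive_filter_then_decode(raw: str):
    """Weak pipeline (assumed): filter sees the value after one decode,
    then the application decodes again before output.
    Returns (blocked, value_reaching_the_page)."""
    once = unquote(raw)
    if denylist_hit(once):
        return True, ""
    twice = unquote(once)
    return False, twice


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing (bounded), so validation,
    logging and output all see the bytes the browser will see."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("excessive encoding layers")


def suspicious(raw: str) -> bool:
    """Detection: run the denylist on the canonical form, not the raw one."""
    return denylist_hit(canonicalize(raw))


def safe_render(raw: str) -> str:
    """Mitigation: encode the canonical value at output time; this holds
    whether or not the denylist fired."""
    value = html.escape(canonicalize(raw), quote=True)
    return f'<input name="email" value="{value}">'


if __name__ == "__main__":
    print(naive_filter_then_decode(DOUBLE_ENCODED))
    print(suspicious(DOUBLE_ENCODED), safe_render(DOUBLE_ENCODED))
```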
2.8. {XSS with File Upload (file name)}
Reference: {XSS with File Upload (file name)}
Risk Rating: High
Tools Used
Manual Testing (Injecting JavaScript payloads in URL parameters)
Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability exists in the email input field of the newsletter
subscription and in the file upload feature. This allows an attacker to inject malicious JavaScript code,
leading to unauthorized script execution in the victim's browser.
How It Was Discovered
Step 1: Upload the file.
Step 2: Capture the request in Burp Suite.
Step 3: Change the file name to "><img src =q onerror=prompt(1)>
Step 4: Forward the request and refresh the page.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_8/lab_8.php
Consequences of not Fixing the Issue
Unauthorized access to user data.
Session hijacking through cookie theft.
Defacement of the website.
Phishing attacks using malicious script injection.
Possible exploitation of other vulnerabilities due to JavaScript execution.
Suggested Countermeasures
Use a Web Application Firewall (WAF) to filter out malicious requests.
References
OWASP XSS Prevention Cheat Sheet
Mozilla XSS Guide

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot.
2.9. {XSS with File Upload (File Content)}
Reference: {XSS with File Upload (File Content)}
Risk Rating: Medium
Tools Used
Manual File Upload Testing
Vulnerability Description
The vulnerability exists in the file upload functionality, where an attacker can upload a file
containing malicious JavaScript code. When the file is accessed, the script executes in the victim's
browser, leading to a Stored Cross-Site Scripting (XSS) attack.
How It Was Discovered
Method: Manual Analysis
Uploaded an .html file containing an XSS payload:
I uploaded a file which contains <script>alert('Hacked by cat');</script>
The uploaded file was accessible via a direct URL and executed in the browser, confirming the XSS
vulnerability.
Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_9/lab_9.php
Consequences of not Fixing the Issue
Account Hijacking: If an attacker injects malicious scripts, they can steal session cookies.
Data Theft: Attackers can manipulate or exfiltrate sensitive user information.
Suggested Countermeasures
Restrict Allowed File Types:
Only allow file types that do not support scripting, such as .jpg, .png, .pdf. Prevent .html, .js, .php,
and other executable file types.
References
OWASP XSS Prevention Cheat Sheet
File Upload Security

Proof of Concept
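Added example (not code from this report or from the labs): a Python upload validator applying the controls listed under 1.3 and 2.9, with the client-supplied name escaped before display for the file-name case of 2.8. The allowlisted types, their magic bytes, the random storage name and the response headers are the editor's choices here; the sample file name reuses the payload from 2.8 with a .png suffix added, and the file bodies are constructed.

```python
import html
import os
import secrets
from typing import Dict, Tuple

# Types that carry no active content (2.9's advice), with their leading
# magic bytes, so a renamed HTML file cannot pass as an image.
ALLOWED: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
MIME = {"jpg": "image/jpeg", "png": "image/png", "pdf": "application/pdf"}

# Constructed samples: a minimal PNG header, the HTML body from 1.3/1.4,
# and the 2.8 file-name payload with an image extension appended.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
HTML_SAMPLE = b"<h1>Hacked by Cat</h1>"
FILENAME_PAYLOAD = '"><img src =q onerror=prompt(1)>.png'


class UploadRejected(ValueError):
    pass


def validate_upload(client_name: str, content: bytes) -> Tuple[str, str]:
    """Return (storage_name, display_name) or raise UploadRejected.

    The storage name is random, so the client name never reaches the
    filesystem or a URL (no traversal, no file-name injection); the
    display name is HTML-escaped for any listing that shows it.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    storage_name = f"{secrets.token_hex(16)}.{ext}"
    display_name = html.escape(base, quote=True)
    return storage_name, display_name


def is_accepted(client_name: str, content: bytes) -> bool:
    try:
        validate_upload(client_name, content)
        return True
    except UploadRejected:
        return False


def download_headers(ext: str) -> Dict[str, str]:
    """Headers for serving a file stored outside the web root: force a
    download and forbid sniffing, so the browser never renders it."""
    return {
        "Content-Type": MIME[ext],
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    print(is_accepted("page.html", HTML_SAMPLE), is_accepted("photo.png", PNG_SAMPLE))
    print(validate_upload(FILENAME_PAYLOAD, PNG_SAMPLE))
```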
2.10. {Stored Everywhere!}
Reference: {Stored Everywhere!}
Risk Rating: Low
Tools Used
Manual Testing
Vulnerability Description
Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious JavaScript code into input fields
(e.g., first name, last name) during user registration. The script is stored in the application's database and
executed when another user (or the attacker) views the affected data.
In this case, an XSS payload was injected into the First Name or Last Name field. Upon logging in, the
script executed, confirming a Stored XSS vulnerability.
How It Was Discovered
I wrote "><svg/onload=alert(1)> in First Name and registered an account; after login, the XSS executed.

Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_1
Consequences of not Fixing the Issue
Attackers can steal session cookies using document.cookie.
Suggested Countermeasures
Reject inputs containing <script>, <iframe>, or event handlers like onerror, onload.
References
OWASP XSS Prevention Cheat Sheet
Stored XSS Guide

Proof of Concept
2.11. {DOM's are love!}
Reference: {DOM's are love!}
Risk Rating: High
Tools Used
Manual testing
Vulnerability Description
DOM-Based Cross-Site Scripting (XSS) occurs when malicious JavaScript is executed on the client-side
due to insecure handling of user input within the DOM. This vulnerability allows attackers to
manipulate web pages dynamically without modifying server-side stored data.
How It Was Discovered
The browser executed the injected script due to improper handling of input in the DOM.

First, I entered my name in the parameter and found that it was executed; then I used the payload
<img src=q onerror=prompt(document.cookie)>.

Vulnerable URLs
https://labs.hacktify.in/HTML/xss_lab/lab_11/lab_11.php
Consequences of not Fixing the Issue
Attackers can steal authentication cookies and impersonate users.
Suggested Countermeasures
Avoid injecting untrusted user input directly into the DOM.
References
OWASP DOM XSS Prevention
Google XSS Prevention Guide
DOMPurify Library

Proof of Concept
This section contains the proof of the above vulnerability as a screenshot from the lab.
