JAVASCRIPT INJECTION

Summary:
JavaScript injection is a small technique that allows you to alter a
site's contents without actually leaving the site. This can be very
useful when, say, you need to spoof the server by editing some form
options. Examples will be explained throughout. Using JavaScript, a
user can also modify the current cookie settings. This can be
performed with some basic JavaScript commands. To view the current
contents of your cookies, put the following JavaScript command in
your browser’s URL bar.
Code: javascript:alert(document.cookie);
Contents:
- Injection Basics
- Cookie Editing
- Form Editing
1. Injection Basics
JavaScript injections are run from the URL bar of the page you are
visiting. To use them, you must first completely empty the URL from the
URL bar. That means no http:// or whatever. JavaScript is run from the
URL bar by using the javascript: protocol. If you are a JavaScript
guru, you can expand on this using plain old JavaScript. The two
commands covered in this tutorial are the alert(); and void(); commands.
These are pretty much all you will need in most situations. For your
first JavaScript, you will make a simple window appear. First go to any
website and then type the following into your URL bar:
Code: javascript:alert('Hello, World');
You should get a little dialog box that says “Hello, World”. This will
be altered later to have more practical uses. You can also have more
than one command run at the same time:
Code: javascript:alert('Hello'); alert('World');
This would pop up a box that says ‘Hello’ and then another that says ‘World’.
2. Cookie Editing
First off, check to see if the site you are visiting has set any cookies by using this script:
Code: javascript:alert(document.cookie);
This will pop up any information stored in the site’s cookies. To edit any information, we make use of the void(); command.
Code: javascript:void(document.cookie="Field = myValue");
This command can either alter existing information or create entirely
new values. Replace “Field” with either an existing field found using
the alert(document.cookie); command, or insert your very own value.
Then replace “myValue” with whatever you want the field to be.
For example:
Code: javascript:void(document.cookie="Authorized=yes");
This would either make the field “Authorized” or edit it to say “yes”…
now whether or not this does anything of value depends on the site you
are injecting it on. It is also useful to tack an alert(document.cookie);
at the end of the same line to see what effect your altering had.
3. Form Editing
Sometimes, to edit values sent to a given website through a form, you
can simply download that HTML and edit it slightly to allow you to
submit what you want. However, sometimes the website checks to see if
you actually submitted it from the website you were supposed to. To get
around this, we can just edit the form straight from JavaScript.
Note: The changes are only temporary, so it’s no use trying to deface a site through JavaScript injection like this.
Every form on a given webpage (unless named otherwise) is stored in the
forms[x] array, where “x” is the number, in order from top to bottom, of
all the forms in a page. Note that the forms start at 0, so the first
form on the page would actually be 0, and the second would be 1 and so
on. Let’s take this example:
Code:
<form action="http://www.website.com/submit.php" method="post">
<input type="hidden" name="to" value="admin@website.com">
</form>
Note: Since this is the first form on the page, it is forms[0].
Say this form was used to email, say, vital server information to the
admin of the website. You can’t just download the script and edit it
because the submit.php page looks for a referrer. You can check to see
what value a certain form element has by using this script.
Code: javascript:alert(document.forms[0].to.value)
This is similar to the alert(document.cookie); discussed previously. In
this case, it would pop up an alert that says “admin@website.com”. So
here’s how to inject your email into it. You can use pretty much the
same technique as the cookie editing shown earlier:
Code: javascript:void(document.forms[0].to.value="xyz@xyz.com")
This would change the email of the form to be “xyz@xyz.com”. Then you
could use the alert(); script shown above to check your work. Or you
can couple both of these commands on one line.
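Seen from the server, the cookie and form edits above are the reason a site cannot trust a value just because it placed that value in the browser. The following is an added example, not part of the original tutorial: a Node.js handler that detects an edited cookie with an HMAC signature and ignores the hidden “to” field. SECRET, ADMIN_RECIPIENT, signCookie, verifyCookie and handleSubmit are hypothetical names, and the cookie and form values are constructed samples.

```javascript
// Added example (Node.js). All names below are hypothetical, not from the tutorial.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);        // server-only key, never sent to the browser
const ADMIN_RECIPIENT = 'admin@website.com';  // recipient is fixed on the server

function mac(value) {
  return crypto.createHmac('sha256', SECRET).update(value).digest('hex');
}

// Issue "value.signature" so that any edit to the value is detectable.
function signCookie(value) {
  return `${value}.${mac(value)}`;
}

// Return the original value if the signature matches, otherwise null.
function verifyCookie(cookie) {
  const c = String(cookie);
  const idx = c.lastIndexOf('.');
  if (idx < 0) return null;                   // unsigned cookie, e.g. set from the URL bar
  const value = c.slice(0, idx);
  const given = Buffer.from(c.slice(idx + 1), 'utf8');
  const expected = Buffer.from(mac(value), 'utf8');
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? value : null;
}

// Handle the form post. The hidden "to" field is never read, and the
// authorization decision comes only from a cookie the server signed.
function handleSubmit(cookies, formFields) {
  const session = verifyCookie(cookies.session || '');
  if (session !== 'Authorized=yes') {
    return { status: 403, sentTo: null };
  }
  return {
    status: 200,
    sentTo: ADMIN_RECIPIENT,
    body: String(formFields.message || ''),
  };
}
```

A Referer check like the one submit.php performs adds nothing here, because the edited form is still submitted from the real page.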
Other codes:
javascript:alert("XSS By Priyanshu");
javascript:alert(0);
javascript:alert(document.forms[0].to.value="something")
javascript:document.body.contentEditable='true';document.designMode='on';void 0
(to move things around on the webpage)