Basics Of Javascript Injection

11/07/2011 22:59

JavaScript is a technique commonly used within websites and web-based applications. JavaScript can be used for all sorts of useful things and functions. But all this comes some additional security issues that have been designed and tested. JavaScript can be used not only for good purposes, but also an injection is a bad purposes.JavaScript elegant technique that allows you to edit site content without the site.This removal can be very useful when, for example, you must create a server by editing some sort of injection is a fun options.JavaScript The technology, which allows you to modify the contents of the site without leaving the site, download the page, or save the site on your desktop. It can be very useful when you need to replace the hidden data before sending to the server. Let's start with some basic information on the injection technique.

I. Fundamentals of Injection

Javascript injections are from the address bar of the page. If you want to use them, you need to completely empty the URL in the address bar. It means that the "http://" or anything else.

JavaScript is executed from the URL bar by using the javascript: protocol. In this tutorial I will only teach you the skeleton for help, but if you're a JavaScript guru, you can extend this support plain old JavaScript.

The two commands covered in this tutorial are the alert () and int (); commands. These are quite all that is required in many situations. Make your first JavaScript to make a simple window showing the first to go to any website and type in the address bar the following:

javascript: alert ('Hello, world ");

You should get a small dialog box that says "Hello, world." This will be changed later to have more practical applications.

You can also have more than one command executed at the same time:

javascript: alert ('Hello') alert ('World');

This brings up a box that says "Hello" and another that says 'World'.

II. Edit Cookies

First, make sure the site you visit has all the cookies by using this script:

javascript: alert (document.cookie);

This comes up all the cookies stored on site. You can edit the data, we use int () command.

javascript: void (document.cookie = "Field = myValue");

This command can modify the existing information or create entirely new value. Replace "Field" with either an existing field found with the alert (document.cookie) command, or add your own value. Then replace "myValue" with whatever you want the area to be. For example:

javascript: void (document.cookie = "Authorized = yes");

Would either make the field "authorized" or edit it to say "yes" ... Now if this means anything of value depends on the site you inject it.

It is also useful to cross an alert (document.cookie) at the end of the same line to see the effect your changes had.

III. Change in the way

Sometimes, to edit values ​​sent to a specific site via a form, you can download that html and edit it slightly, so that you can do whatever you want. Sometimes the site to see if you had to have given the site. To overcome this, we can only edit the form directly to the JavaScript. Note: The changes are only temporary, so the report does not attempt to confusion with the site through javascript injection like this.

All in the form of a web page (unless your name is not) is stored in the form [x] array ... where "X" is a number, in order from top to bottom, all the forms page. Please note that the forms start at 0, so the page would be very early form 0, and the second would be 1 and so on. For example:

<form action=”http://www.website.com/submit.php” method=”post”>

<input type=”hidden” name=”to” value=”admin@website.com”>

Note: Because this is the first form on the page, it is forms [0]

To say this form is used for email, for example vital server information to the site administrator. You can not download the script and edit the page, because it looks submit.php referer. You can check to see what the value of an item in a certain way is to use this script:

javascript: alert (document.forms [0] to.value.)

This is similar to the alert (document.cookie) above.

In this case, it will show an alert that says "admin@website.com"

So here's how to inject your e-mail in it. You can use pretty much the same technique as the cookies editing shown earlier:

javascript: void (. document.forms [0] = to.value "email@nhacks.com")

That would change the email on the form to be "email@nhacks.com".

You can then use the alert (); script to check your work. Or you can pair two of these commands in one line.

It will complete this post about JavaScript injection, which you can see all sorts of fun things can be done with these techniques. Use your imagination and with a little work, you can test your site and keep it safe from hackers.