Ras

Javascript Injection

This tutorial is for informational purposes only and I have no responsibility if anyone uses it for illegal purposes.

With JavaScript Injection the user can alter things in a page without leaving it or saving it to his PC. The statements are typed into the browser's address bar as a javascript: URL. (Most current browsers strip or block javascript: URLs pasted into the address bar; the same statements can be run from the developer-tools console instead, with identical effect on the page.)

The syntax of the commands looks like this:

javascript:alert(#command#)

For example, if you want to see an alert inside the http://www.example.com site, type the URL in the address bar and when the page loads, delete the URL and type javascript:alert("Hello World") as the new URL. An alert will show up saying Hello World.

With this technique someone can alter almost everything in a page, for example an image. Let's suppose there is an image with the site's logo. By viewing the source of the page (View > Source in the browser) we find this piece of HTML code:

<img name="hi" src="hello.gif">

So there is an image named "hi" and its source is "hello.gif". We want to change it to bye.jpeg, which is stored on our site http://www.mysite.com, so the full URL of our image is http://www.mysite.com/bye.jpeg

Using JavaScript Injection we type in the address bar:

javascript:alert(document.hi.src="http://www.mysite.com/bye.jpeg")

You will see an alert saying http://www.mysite.com/bye.jpeg (an assignment evaluates to the value assigned, which is why alert shows it) and after that the image will change. Notice though that these changes are temporary! If you refresh the page or open it again your changes are lost, because you did not alter the site on the server but only the copy in your browser.

In the same way we can view or change the value of variables. For example, we find this piece of code in the site's source:

<SCRIPT LANGUAGE="JavaScript">

var a="test"

</SCRIPT>

This means that the variable named a has the value "test" (a var at script top level is a global, so it is reachable from the address bar). To view the value of the variable we would type:

javascript:alert(a)

and in order to change it from test to hello:

javascript:alert(a="hello")

However, JavaScript Injection is most often used to change a form's attributes. This is the piece of code we have:

<form name="format" action="send.php" method="post">

<input type="hidden" name="mail" value="someone@somewhere.com">

<input type="text" name="name">

<input type="submit" value="submit"></form>

We want the form to be sent to our mailbox and not to someone@somewhere.com. This works when send.php really takes the recipient from that hidden field, which is exactly the mistake such mail forms make, because every value in the form, hidden or not, is under the user's control. The change is done with the command:

javascript:alert(document.format.mail.value="me@hacker.com")

As you have noticed by now, we always follow a hierarchy in the items we edit, from the larger to the smaller:

1) We start with document.

2) Then comes the name of the object we want to alter (for example document.hi.src), or the name of the item it belongs to followed by its own name (for example document.format.mail.value).

3) Lastly comes the attribute of the item we want to change (for example its source, document.hi.src, or its value, document.format.mail.value).

4) The parts are separated by dots (.).

5) To change an attribute we use the equals sign (=) followed by the new value.

*NOTE: We use "" when the new value is a character string (for example document.format.mail.value="me@hacker.com"). If we want the new value to be the value of a variable we leave out the "". For example, to change variable a's value to the value of variable b we would type javascript:alert(a=b)

However, most items in a page have no name. For example:

<form action="send.php" method="post">

<input type="hidden" name="mail" value="someone@somewhere.com">

<input type="text" name="name">

<input type="submit" value="submit"></form>

In this code the form's name is missing. Following the pattern above, the command would look like this, with a gap where the name should be:

javascript:alert(document. .mail.value="me@hacker.com")

To fill the gap we have to count the forms on the page to find the number of the one we want. An example:

<form action="send.php" method="post">

<input type="text" name="name">

<input type="submit" value="submit"></form>

<form action="send.php" method="post">

<input type="hidden" name="mail" value="someone@somewhere.com">

<input type="text" name="name">

<input type="submit" value="submit"></form>

<form action="send.php" method="post">

<input type="text" name="name">

<input type="submit" value="submit"></form>

In this code we see three forms, but the one we are interested in is the second, so the number of the form we want is 2.

We must not forget that when reading we start counting from 1: 1, 2, 3, 4... In JavaScript, however, collections are indexed from 0: 0, 1, 2, 3 and so on.

So the actual index of the form is 1, not 2. In general, find the number of the form by counting and subtract one (number-1).

We use this index to fill the gap in our command, through the document.forms collection:

javascript:alert(document.forms[1].mail.value="me@hacker.com")
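Counting forms by hand is error-prone on a real page, so here is an added example (not part of the tutorial) that does the counting in code: listForms() reports every form with the zero-based index document.forms[i] expects next to the 1-based number you get reading the source, together with its hidden fields, and setHiddenField() then performs the edit from the tutorial through that index. In a browser console you pass the real document; fakeDocument below is a constructed stand-in that mirrors the three-form HTML above so the code also runs outside a browser.

```javascript
// Added example, not part of the tutorial: helpers for the unnamed-form case.
// Pass the real `document` in a browser console; `fakeDocument` below is a
// constructed stand-in mirroring the three-form HTML from the tutorial.

function listForms(doc) {
  const report = [];
  for (let i = 0; i < doc.forms.length; i++) {
    const form = doc.forms[i];
    const hidden = [];
    for (let j = 0; j < form.elements.length; j++) {
      const el = form.elements[j];
      if (el.type === "hidden") hidden.push({ name: el.name, value: el.value });
    }
    report.push({
      index: i,               // use this in document.forms[index]
      humanNumber: i + 1,     // what you get counting 1, 2, 3 in the source
      name: form.name || "",  // empty when the <form> has no name attribute
      action: form.action,
      hidden,
    });
  }
  return report;
}

// Index of the first form containing a hidden field with this name, or -1.
function findFormWithHidden(doc, fieldName) {
  const hit = listForms(doc).find(f => f.hidden.some(h => h.name === fieldName));
  return hit ? hit.index : -1;
}

// The tutorial's document.forms[1].mail.value = "..." generalised: locate the
// form by its hidden field, overwrite the value and return the previous value
// (or null when no such field exists) so the change can be undone.
function setHiddenField(doc, fieldName, newValue) {
  const i = findFormWithHidden(doc, fieldName);
  if (i < 0) return null;
  const form = doc.forms[i];
  for (let j = 0; j < form.elements.length; j++) {
    const el = form.elements[j];
    if (el.type === "hidden" && el.name === fieldName) {
      const old = el.value;
      el.value = newValue;
      return old;
    }
  }
  return null;
}

// Constructed stand-in for the three unnamed forms shown above. A real
// HTMLFormElement exposes the same .name, .action and .elements members.
function makeForm(elements) {
  return { name: "", action: "send.php", elements };
}
const fakeDocument = {
  forms: [
    makeForm([{ type: "text", name: "name", value: "" }, { type: "submit", name: "", value: "submit" }]),
    makeForm([
      { type: "hidden", name: "mail", value: "someone@somewhere.com" },
      { type: "text", name: "name", value: "" },
      { type: "submit", name: "", value: "submit" },
    ]),
    makeForm([{ type: "text", name: "name", value: "" }, { type: "submit", name: "", value: "submit" }]),
  ],
};

console.log(listForms(fakeDocument));
console.log("mail lives in document.forms[" + findFormWithHidden(fakeDocument, "mail") + "]");
```

On the constructed page the hidden mail field is reported at index 1 (human number 2), which is the value the tutorial arrives at by counting; on a page with dozens of forms the report also shows every other hidden field worth looking at.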

In the same way you can change images or links that have no name. Just replace "forms" with the collection for the type of item you want to change; document.images and document.links are indexed from 0 in the same way:

For images it would be javascript:alert(document.images[3].src="#the url of the picture you want#")

For links it would be javascript:alert(document.links[0].href="#the url you want#")

Lastly, we can use this technique to edit cookies.

The command is the following and was written by Dr_aMado from triviasecurity.net, but I altered it a bit so that it shows the cookie before the user edits it.

Just copy-paste this line into the address bar:

javascript:alert(window.c=function a(n,v,nv){var c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));var nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert('The cookie is: "'+document.cookie+'"');alert(c(prompt("The name of the cookie:",""),prompt("Change this value:",""),prompt("with this:","")));

It works like this: the function takes the cookie name, the text to replace and the replacement, cuts the named cookie's value out of document.cookie, replaces the text and writes the cookie back. Two limits are worth knowing. It finds the name with indexOf, so a name that is a substring of another cookie's name (id inside sessionid) may pick the wrong one. And cookies flagged HttpOnly never appear in document.cookie, so they cannot be read or edited this way at all.
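The same cookie edit as a pure function over a string in document.cookie format, added here as an example (it is not Dr_aMado's bookmarklet or any code from the post) so it can run and be tested outside a browser. Unlike the indexOf() lookup above it splits the string into name/value pairs, so "id" no longer matches inside "sessionid", and an unknown name is reported instead of silently corrupting the jar. The sample jar is constructed for this example.

```javascript
// Added example, not the bookmarklet from the post: the cookie edit as a pure
// function over a document.cookie-style string ("a=1; b=2"). In a browser the
// result is written back with
//   document.cookie = rewriteCookie(document.cookie, "user", "guest", "admin");
// The sample jar at the bottom is constructed for this example.

function parseCookies(cookieString) {
  const jar = Object.create(null);          // no prototype, so a cookie named "constructor" is handled correctly
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    if (eq < 0) continue;                   // skip a fragment with no "="
    const name = pair.slice(0, eq);
    const raw = pair.slice(eq + 1);
    let value;
    try {
      value = decodeURIComponent(raw);      // undo escaping (the post used unescape)
    } catch (e) {
      value = raw;                          // malformed %-sequence: keep the raw text
    }
    if (!(name in jar)) jar[name] = value;  // first occurrence wins
  }
  return jar;
}

// Build the "name=value" assignment that performs the edit, or return null when
// no cookie with that exact name exists. Only the first occurrence of oldText
// is replaced, matching String.prototype.replace with a string pattern, which is
// what the bookmarklet does too.
function rewriteCookie(cookieString, name, oldText, newText) {
  const jar = parseCookies(cookieString);
  if (!(name in jar)) return null;
  const newValue = jar[name].replace(oldText, newText);
  return name + "=" + encodeURIComponent(newValue);
}

// Constructed sample jar: note the "id" cookie sitting next to "sessionid".
const sampleJar = "sessionid=abc123; id=7; user=guest%20user";
console.log(rewriteCookie(sampleJar, "id", "7", "8"));
console.log(rewriteCookie(sampleJar, "user", "guest", "admin"));
console.log(rewriteCookie(sampleJar, "missing", "a", "b"));
```

Assigning the result to document.cookie only replaces a cookie that has the same name, domain and path as the current page; if the original was set for a different path, the browser keeps both and document.cookie will show the name twice. HttpOnly cookies are absent from the input string, so they cannot be rewritten this way.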

In conclusion, I must stress that these changes are made only on the user's side! It is like saving the site on your PC and then modifying the copy. Still, the technique is enough to trick a page (for example through its cookies) or to get past a Referer check. Some pages check where submitted data comes from: if the data from http://www.test.com/form.php is sent to http://www.test.com/check.php, check.php may verify that the request came from the form on http://www.test.com/form.php. A form edited in the address bar is still submitted from that page, so the browser sends the expected Referer and the tampered values are accepted. The Referer header is set by the browser, just like the form values, so the server has to validate the submitted values themselves. Beyond that, if you manage to get your own JavaScript code into the page itself (stored cross-site scripting), changes like swapping pictures become permanent for every visitor, but that requires more knowledge than is provided here.
