What if there are no unprotected search boxes or logins to inject through?
http://atom.smasher.org/links/
Go ahead, visit the link; I swear it's not Rick. I was using StumbleUpon after completing one of the User Agent Switcher challenges. So this site shows me my IP address and my OS and browser and quotes 1984 (Oh my, I'm SO scared). Big Brother? More like Oh Brother. And to prove it, I thought I would redesign the page a little.
There are no search boxes or logins, so how can we inject? Through the User Agent, of course! Using Firefox's User Agent Switcher add-on we can supply atom smasher's site with some code to run.
In Firefox:
Tools>User Agent Switcher>Options>Options
In the pop-up select "User Agents" on the left, then "Add...".
The description is local; name it whatever you'd like (I named mine "lolololol"). The "User Agent" field is where we inject our code. This site uses a simple HTML "p" tag followed by your User Agent. Because the header is written into the page as-is, any markup in it is rendered as part of the page.
By masquerading as a "[a href='http://www.hellboundhackers.org']Technology is awesome[/a]" machine I was able to represent HBH (albeit locally) while having a little fun.
Applications:
A lot of sites are prone to SQL injection, and probably HTML injection, but only through search boxes and logins. What about User Agents? You may think that only sites like this one monitor User Agents, and that they aren't worth hacking. Take a look at HBH>Other>4 and 5.
I'm not nearly good enough at injection to hack HBH, but I am creative enough to check a new angle. Hopefully the Administrators patch up this hole before publishing this and someone more skilled than I tears it open.
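As an added example (not code from the article or from the site it describes), the sketch below puts the server-side pattern behind this behaviour, a User-Agent header echoed after a "p" tag, beside the output-encoded version, and stores the same header with a bound SQL parameter. The function names, the visits table, the IP address and the sample header are assumptions made for illustration.

```python
import html
import sqlite3

# Constructed sample: the article's bracketed anchor written as real HTML.
SAMPLE_UA = "<a href='http://www.hellboundhackers.org'>Technology is awesome</a>"


def render_unsafe(user_agent: str) -> str:
    """Vulnerable pattern: the raw header is concatenated into the page."""
    return "<p>Your User Agent: " + user_agent + "</p>"


def render_safe(user_agent: str) -> str:
    """Hardened pattern: encode the header for the HTML context first."""
    return "<p>Your User Agent: " + html.escape(user_agent, quote=True) + "</p>"


def open_log() -> sqlite3.Connection:
    """Hypothetical visit log, kept in memory for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (ip TEXT, ua TEXT)")
    return db


def log_visit(db: sqlite3.Connection, ip: str, user_agent: str) -> None:
    """Bind the header as a parameter; never format it into the SQL text."""
    db.execute("INSERT INTO visits (ip, ua) VALUES (?, ?)", (ip, user_agent))


def stored_agents(db: sqlite3.Connection) -> list:
    """Return logged User-Agent values in insertion order."""
    return [row[0] for row in db.execute("SELECT ua FROM visits ORDER BY rowid")]


if __name__ == "__main__":
    db = open_log()
    log_visit(db, "192.0.2.10", SAMPLE_UA)  # 192.0.2.0/24 is a documentation range
    print(render_unsafe(SAMPLE_UA))  # browser renders a live link
    print(render_safe(SAMPLE_UA))    # browser shows the text literally
    print(stored_agents(db))         # quotes survive intact, query unchanged
```

The same rule applies to every request header a page displays or logs (Referer, X-Forwarded-For, Accept-Language): encode on output for the context it lands in, and bind it as a parameter on the way into a database.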

Main:
Posted by 
I'd say ok effort, but not worth many points if your example is a web page that can only be used in HTML injection. Didn't even explain the mechanics behind the actual injections.

