Follow us on Twitter!
Don't judge the unknown - Grindordie
Thursday, April 24, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 29
Guests Online: 26
Members Online: 3

Registered Members: 82903
Newest Member: Piriformis
Latest Articles

javascipt injection tutorials

Arrow Image covers all the methods and uses of javascript injection.



This article is NOT written by me, it was originaly writen by Zspacejc but as it can be applied to so many of the HBH challenges i felt it would be good to share it with the community

Javascript Injection


Summary: Javascript injection is a nifty little technique that allows you to alter a sites contents without actually leaving the site. This can be very usefull when say, you need to spoof the server by editing some form options. Examples will be explained throughout.

Contents:
I. Injection Basics
II. Cookie Editing
III. Form Editing


I. Injection Basics

Javascript injections are run from the URL bar of the page you are visiting. To use them, you must first completly empty the URL from the URL bar. That means no http:// or whatever.

Javascript is run from the URL bar by using the javascript: protocol. In this tutorial I will only teach you the bare bones of using this, but if you are a Javascript guru, you can expand on this using plain old javascript.

The two commands covered in this tutorial are the alert(); and void(); commands. These are pretty much all you will need in most situations. For your first javascript, you will make a simple window appear, first go to any website and then type the following into your URL bar:

Code:
javascript:alert(\'Hello, World\');

You should get a little dialog box that says \"Hello, World\". This will be altered later to have more practical uses.

You can also have more than one command run at the same time:

Code:
javascript:alert(\'Hello\'); alert(\'World\');

This would pop up a box that said \'Hello\' and than another that says \'World\'.

II. Cookie Editing

First off, check to see if the site you are visiting has set any cookies by using this script:

Code:
javascript:alert(document.cookie);

This will pop up any information stored in the sites cookies. To edit any information, we make use of the void(); command.

Code:
javascript:void(document.cookie=\"Field = myValue\");

This command can either alter existing information or create entirely new values. Replace \"Field\" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace \"myValue\" with whatever you want the field to be. For example:

Code:
javascript:void(document.cookie=\"Authorized=yes\");

Would either make the field \"authorized\" or edit it to say \"yes\"... now wheter or not this does anything of value depends on the site you are injecting it on.

It is also usefull to tack an alert(document.cookie); at the end of the same line to see what effect your altering had.

III. Form Editing

Sometimes, to edit values sent to a given website through a form, you can simply download that html and edit it slightly to allow you to submit what you want. However, sometimes the website checks to see if you actually submitted it from the website you were supposed to. To get around this, we can just edit the form straight from javascript. Note: The changes are only temporary, so it\'s no tuse trying to deface a site through javascript injection like this.

Every form on a given webpage (unless named otherwise) is stored in the forms[x] array... where \"x\" is the number, in order from top to bottom, of all the forms in a page. Note that the forms start at 0, so the first form on the page would actually be 0, and the second would be 1 and so on. Lets take this example:

Code:
<form action=\"http://www.website.com/submit.php\" method=\"post\">
<input type=\"hidden\" name=\"to\" value=\"admin@website.com\">

Note:Since this is the first form on the page, it is forms[0]

Say this form was used to email, say vital server information to the admin of the website. You can\'t just download the script and edit it because the submit.php page looks for a referer. You can check to see what value a certain form element has by using this script:

Code:
javascript:alert(document.forms[0].to.value)
This is similar to the alert(document.cookie);

discussed previously. In this case, It would pop up an alert that says \"admin@website.com\"

So here\'s how to Inject your email into it. You can use pretty much the same technique as the cookies editing shown earlier:

Code:
javascript:void(document.forms[0].to.value=\"email@nhacks.com\")

This would change the email of the form to be \"email@nhacks.com\". Then you could use the alert(); script shown above to check your work. Or you can couple both of these commands on one line.

once again, full credit to Zspacejc.

Enjoy

Comments

What_A_Legendon February 20 2007 - 16:40:38
I believe I used this article when I first started out to, to help me on a HTS mission Shock Oh the memories Pfft
minermonkon February 20 2007 - 16:47:29
yeah its the one i always use as a reference Pfft i just noticed the other javascript tutorial is the same as this (some edits) but with out credits Shock
0X702CHon February 20 2007 - 16:55:17
No one uses these nowadays. Get FF install Firebug, and Web developer and you can edit every single piece of a site. Also for viewing/editing the cookies I recommend using bookmarks and/or Add'n'edit cookies
AbSoRbon February 20 2007 - 19:53:03
That might be ideal, but it's still a good idea to actually learn how to do it yourself aswell, and you shouldn't discourage learning this way, or encourage getting a program to do it for you, becuase then you're not learning (think i've used that enough times) as much. :happy:
JohnDoeon February 20 2007 - 19:54:17
Totaly agree with 0X072CH. No use of js injections Pfft. good article tho
minermonkon February 20 2007 - 20:05:14
@0X702CH + JohnDoe - i can understand your point of view and value it. I still think its good to know how things work, its all well and good using other programs to do it for you but its always better to be in the know (as AbSoRb said better then i have Smile)
only_samuraion February 20 2007 - 20:51:46
yea. i say that programs are great as long as you have or are planning on learning how they work.
I-O-W-Aon February 23 2007 - 14:31:48
its always better to do things by hand with out the use for programmes anyone can get an add on to tell them summin but ppl tht do it this way know tht they made the script to tell them it gives you a much better appreciation and understanding of how things work when you've gotta put the effort into getting it to work instead of clicking some button Good Artical
god_peeton July 11 2008 - 12:41:00
gd article ..
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.