Penetration Testing mailing list archives
RE: manipulating query strings
From: "Campbell Murray" <security () headskills com>
Date: Tue, 24 Feb 2004 21:54:19 -0000
The method with which a form passes data specifies whether the variables, hidden or not, are passed via the query string or otherwise. What will determine whether you can manipulate hidden fields is the collection method in the target script. If, as is the case with .asp, a variable is defined by Var1=Request.Form("var1") then only this request method is used; likewise if the variable is defined Var1=Request.QueryString("var1") then only the querystring is called by the request. What is however very common in both PHP and ASP is to shortcut and just use a call to request a value without specifying a source e.g. Var1=Request("var1") In this instance appending to the querystring may well work. If however this does not work then creating a copy of the html form which you wish to manipulate and modifying the values yourself within the source code is a valid method; saving to the desktop and sending the modified form data to the target script using an absolute URL. This technique can also be guarded against if the developer has written their code properly. Hope this answers your question. Campbell Murray -----Original Message----- From: Vel [mailto:vel () sympatico ca] Sent: 23 February 2004 19:43 To: pen-test () securityfocus com Subject: manipulating query strings Hello Group, Is there a way to send values to hidden fields , i.e Input tags with type=hidden attribute a value from the URL if the action attribute on the FORM is ACTION ? e.g: <FORM form1 ACTION= '/search/search.asp' METHOD=post> <Input type=hidden name=serverName value=www.abc.com> <Input type=hidden name=serverName value=www.def.com> ------------------------------------------------------------------------ --- Given the Method is "POST", can I pass values to the Hidden Input fields using the URL. i.e URL manipulation ? I know I can pass variables in URL to Server side script variables if METHOD is "GET". But how about POST method ? Thanks. Kumar. ------------------------------------------------------------------------ --- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_pen-test_040219 ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- manipulating query strings Vel (Feb 24)
- Re: manipulating query strings Eric Paynter (Feb 25)
- Re: manipulating query strings Ariel Martinez (Feb 26)
- RE: manipulating query strings Campbell Murray (Feb 25)
- Re: manipulating query strings Markus Toman (Feb 25)
- <Possible follow-ups>
- RE: manipulating query strings Kris Wilkinson (Feb 25)
- Re: manipulating query strings ma1ler_deamon (Feb 25)
- RE: manipulating query strings Toni Heinonen (Feb 25)
- Re: manipulating query strings morning_wood (Feb 26)
- Re: manipulating query strings Karsten Johansson (Feb 25)
- RE: manipulating query strings Scovetta, Michael V (Feb 25)
- Re: manipulating query strings marko (Feb 26)
- RE: manipulating query strings Nick Besant (Feb 26)
- Re: manipulating query strings Eric Paynter (Feb 25)