Penetration Testing mailing list archives
Re: manipulating query strings
From: Karsten Johansson <ksaj () penetrationtest com>
Date: 24 Feb 2004 19:29:47 -0000
In-Reply-To: <006201c3fa45$4f84da60$419dacce@u3q6v1>
> Is there a way to send values to hidden fields, i.e. Input tags with type=hidden attribute a value from the URL if the action attribute on the FORM is ACTION? e.g.:
>
> <FORM form1 ACTION= '/search/search.asp' METHOD=post>
> <Input type=hidden name=serverName value=www.abc.com>
> <Input type=hidden name=serverName value=www.def.com>

The "hard" way: copy the html file (or a simplified version of it), and edit the type=

The "easy" way: Use SPIKE proxy. Not only can you then modify those hidden tags at will, you can edit anything transmitted to/from the web server. There's also automated DoS and SQL insertion attacks for all of the inputs.

Karsten Johansson
www.PENETRATIONTEST.com
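
Seen from the server side, the reply above means a hidden field is ordinary client-controlled input. The following is an added example, not part of the original post or of SPIKE proxy: a server binds the hidden value to the session with an HMAC and rejects altered or repeated fields. Only the field name `serverName` comes from the quoted form; the key, the `sig` field and the function names are assumptions.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Constructed demo key; a real deployment loads a random secret from server config.
SECRET_KEY = b"constructed-demo-key"
PROTECTED = ("serverName",)  # hidden field name taken from the quoted form


def sign_fields(fields, session_id):
    """Return the hex HMAC the server emits in an extra hidden field ("sig")."""
    # JSON gives an unambiguous encoding of the session id and field values.
    msg = json.dumps([session_id, [[k, fields[k]] for k in PROTECTED]])
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()


def verify_post(body, session_id):
    """Validate a urlencoded POST body; return (ok, reason)."""
    params = parse_qs(body, keep_blank_values=True)
    for name in PROTECTED + ("sig",):
        values = params.get(name, [])
        if len(values) != 1:
            # Missing or repeated parameter: which copy the app reads is ambiguous.
            return False, f"{name}: expected exactly one value, got {len(values)}"
    fields = {k: params[k][0] for k in PROTECTED}
    expected = sign_fields(fields, session_id)
    # Constant-time comparison on bytes, so a non-ASCII "sig" cannot raise.
    if not hmac.compare_digest(expected.encode(), params["sig"][0].encode()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests for a session called "sess-1".
    sig = sign_fields({"serverName": "www.abc.com"}, "sess-1")
    for body in (
        f"serverName=www.abc.com&sig={sig}",  # as issued by the server
        f"serverName=www.def.com&sig={sig}",  # value edited in transit
        f"serverName=www.abc.com&serverName=www.def.com&sig={sig}",  # duplicate
    ):
        print(verify_post(body, "sess-1"))
```

The signature only proves the value is one the server issued for that session; values the user is allowed to choose still need ordinary server-side validation.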