Penetration Testing mailing list archives

RE: manipulating query strings


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Tue, 24 Feb 2004 22:42:26 +0200

> Hello Group,

Hello,

> Given the Method is "POST", can I pass values to the Hidden Input fields

The hidden input fields don't differ from any other input field, except of course that if your browser is given an HTML 
form with fields, it doesn't show the hidden fields. So the hidden fields can be modified just like any other fields, 
and when your browser sends a form to the web server, it simply lists all fields with their values - it doesn't 
differentiate between hidden and visible.

> using the URL. i.e. URL manipulation?

Well, basically no, because URL parameters are passed to the web server program/script in a wholly different way than 
POST variables. In basic CGI scripts, the URL parameters are passed as parameters to the main function of the program, 
and as environment variables, whereas post parameters are mostly passed to the program on its standard input.

However, most web applications just use some library to get the parameters, so they won't know the difference. With 
Perl and the standard CGI library, you just do param('field') and you can't tell whether that field was passed as post 
data or as a URL parameter. The same seems to be true for a sample ASP script I have here.

Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say generally no. I believe the default is, if 
the web application gets a field called "name" both as POST data and as a URL parameter (script.asp?name=value) then 
the POSTed field overrides the URL field.

So, 1) it all depends on the web application and 2) most likely with defaults, you can't.

Are you trying cross-site scripting / XSS or the like?

If not, you can of course just take the HTML page with the form and save it to your hard drive, and change the hidden 
fields to something else with notepad, or just delete them and pass the values in the URL.

All in all, if you aren't trying to accomplish XSS then I'd say you should try Perl's LWP (lib-www-perl) module: it's 
a simple library you can easily use to post any parameters you want and send arbitrary User-Agent versions etc., 
whatever suits your needs.

-- 
Toni Heinonen,
Teleware Oy
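
The point made above about lookups that merge URL and POST parameters, seen from the server side, as an added example that is not part of the original post: it keeps the two sources separate, rejects a field that arrives in both, and ignores the client's copy of a hidden value. The `item`/`price` fields, the sample request and all function names are constructed for illustration and do not model any particular library.

```python
from urllib.parse import parse_qs

# Constructed sample data; the "item"/"price" field names are hypothetical.
PRICES = {"widget": "19.99"}           # server-side source of truth
QUERY = "price=0.01"                   # URL query string of the request
BODY = "item=widget&price=19.99"       # urlencoded POST body (hidden "price")


def split_sources(query_string, body):
    """Parse URL and POST-body parameters separately so their origin is kept."""
    return (parse_qs(query_string, keep_blank_values=True),
            parse_qs(body, keep_blank_values=True))


def merged_param(name, url_params, post_params):
    """Origin-blind lookup: POST wins on a clash, URL is the silent fallback."""
    values = post_params.get(name) or url_params.get(name)
    return values[0] if values else None


def ambiguous_fields(url_params, post_params):
    """Names sent in both URL and body, or repeated within one of them."""
    both = set(url_params) & set(post_params)
    repeated = {name for source in (url_params, post_params)
                for name, values in source.items() if len(values) > 1}
    return sorted(both | repeated)


def validated_order(query_string, body, price_list):
    """Read fields from the POST body only, reject ambiguous requests, and
    take the price from the server's list instead of the hidden field."""
    url_params, post_params = split_sources(query_string, body)
    clash = ambiguous_fields(url_params, post_params)
    if clash:
        raise ValueError("ambiguous parameters: " + ", ".join(clash))
    item = post_params.get("item", [""])[0]
    if item not in price_list:
        raise ValueError("unknown item")
    submitted = post_params.get("price", [None])[0]
    tampered = submitted is not None and submitted != price_list[item]
    return {"item": item, "price": price_list[item],
            "client_price_tampered": tampered}
```

With the constructed request, `merged_param` returns the body value while both copies are present but falls back to the URL value when the body omits the field, which is why `validated_order` never consults the URL for state-changing fields.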
