Penetration Testing mailing list archives
Re: manipulating query strings
From: Markus Toman <m.toman () sec-consult com>
Date: Wed, 25 Feb 2004 15:57:03 +0100
Hi The HTTP header sent by the browser contains the POST-Variables. There are many ways to change the value in hidden fields. i.e.:- Save the Page, change the source, change form action from '/search/search.asp' to 'http://<whatever>/search/search.asp' and the hidden field values to what ever you like.
- Write a prog or use telnet and send the HTTP header yourself- Try Firefox with the Live HTTP headers plugin. you can capture outgoing http requests, modify them and send again..
http://www.mozilla.org/products/firefox/ http://texturizer.net/firefox/extensions/#livehttpheaders Vel wrote:
Hello Group, Is there a way to send values to hidden fields , i.e Input tags with type=hidden attribute a value from the URL if the action attribute on the FORM is ACTION ? e.g: <FORM form1 ACTION= '/search/search.asp' METHOD=post> <Input type=hidden name=serverName value=www.abc.com> <Input type=hidden name=serverName value=www.def.com> --------------------------------------------------------------------------- Given the Method is "POST", can I pass values to the Hidden Input fields using the URL. i.e URL manipulation ? I know I can pass variables in URL to Server side script variables if METHOD is "GET". But how about POST method ? Thanks. Kumar. --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_pen-test_040219 ----------------------------------------------------------------------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- manipulating query strings Vel (Feb 24)
- Re: manipulating query strings Eric Paynter (Feb 25)
- Re: manipulating query strings Ariel Martinez (Feb 26)
- RE: manipulating query strings Campbell Murray (Feb 25)
- Re: manipulating query strings Markus Toman (Feb 25)
- <Possible follow-ups>
- RE: manipulating query strings Kris Wilkinson (Feb 25)
- Re: manipulating query strings ma1ler_deamon (Feb 25)
- RE: manipulating query strings Toni Heinonen (Feb 25)
- Re: manipulating query strings morning_wood (Feb 26)
- Re: manipulating query strings Karsten Johansson (Feb 25)
- RE: manipulating query strings Scovetta, Michael V (Feb 25)
- Re: manipulating query strings marko (Feb 26)
- RE: manipulating query strings Nick Besant (Feb 26)
- Re: manipulating query strings Eric Paynter (Feb 25)