WebApp Sec mailing list archives
Re: View and edit hidden HTML form fields (fwd)
From: sirkus <sirkus () sirkit net>
Date: 12 Jun 2003 10:12:50 -0500
Indeed. I certainly wasn't claiming any greatness on the part of the program, especially since we're not a Windows shop -- it doesn't particularly apply to me. My point was that while I may be comfortable with using Perl/LWP and regular expressions as a coder, these are things I use on a regular basis while doing assessments. However, for others (such as many who I work with that do not code) this provides a simple way to demonstrate various simple client-side state weaknesses.

I would also agree that there are many other tools out there that do similar things (and much more.) Especially where actual assessments are the goal. I was just simply stating that for its intended purpose, it works, and integrates into IE as a side bar making it easy to tote around. (Again, for those who use IE...)

On Wed, 2003-06-11 at 17:01, Tim Greer wrote:
No doubt it looks slick. I've not attempted to run it (don't really have any need nor desire to). Though for desktop use, sure this would be a better solution. I'm not sure what you mean by "those who use LWP and regex" though? LWP is a Perl module and regex is short for "regular expression". I.e.,

    s/<input[\s\n]+type\s*=[\s\n]*hidden[\s]+/<input type=text/igs;

It would automatically transform hidden tags to text fields for every page. It would operate and look the same and any things that require a referer could be easily modified to work. I.e. surf with hidden tags shown as text fields. The scripts wouldn't and couldn't know the difference. In other words, you could put it on a web site (or run it locally--yes, if you had Perl and the LWP module installed locally) and surf such as that.

Anyway, it's a trivial matter anyway. If a script is vulnerable to such things, it's pretty much a target that will get hit anyway. I suppose this tool, or the Perl solution (this would be about 4 lines or so of code, is why I mentioned it) would provide a bored person with a few minutes of fun. :-)

--
Regards,
Tim Greer chatmaster () charter net
Server administration, security, programming, consulting.
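
Added example, not part of the original posts: the server-side view of the client-side state weakness discussed in this thread. It lists the hidden inputs of a constructed sample form and shows a server rejecting them when they come back edited; the key, the `_mac` field name and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from html.parser import HTMLParser

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret that never leaves the server


class HiddenInputs(HTMLParser):
    """Collect name/value of every hidden input, whatever the attribute order, case or quoting."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html):
    """Return {name: value} for the hidden inputs found in an HTML page."""
    parser = HiddenInputs()
    parser.feed(html)
    return parser.fields


def seal(fields, key=SERVER_KEY):
    """HMAC over sorted, length-prefixed name/value pairs; issued as one more hidden field."""
    msg = b"".join(
        b"%d:%s=%d:%s;" % (len(n.encode()), n.encode(), len(v.encode()), v.encode())
        for n, v in sorted(fields.items())
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(submitted, key=SERVER_KEY):
    """True only if the hidden fields come back exactly as the server issued them."""
    fields = dict(submitted)
    tag = fields.pop("_mac", "")
    return hmac.compare_digest(tag.encode(), seal(fields, key).encode())


# Constructed sample form: item id and price carried as client-side state.
FORM = ('<form><input type="hidden" name="item" value="1042">'
        "<INPUT NAME=price VALUE=19.99 TYPE=hidden><input type=text name=qty></form>")
```

The MAC only detects edits to the issued values; it does not stop an older sealed form from being replayed. Keeping such values in server-side session state avoids carrying them through the client at all.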