Thread: How to use Javascript to Change Pages

  1. #1
    Senior Member (Join Date: Sep 2003, Posts: 500)

    How to use Javascript to Change Pages

    (note this isn't for illegal activities, it is for education and maybe to help future developers to see errors in their design...basically just a header to make sure my thread isn't flamed)

    Okay so today we are going to learn how to use javascript to dynamically change web page content. First a small example:

    Go to your url bar and type

    javascript:alert(document.cookie)
    and lo and behold, there is your cookie data for this site! Now here comes the cool thing: you can actually enter any information you want into that cookie. All you have to do is void the original data and then place your own data in there. For example, I am going to change my userid:

    javascript:void(document.cookie="bbuserid=1")
    My user ID is now 1. Let's just say that there is a site that doesn't compare info in the cookie, it only compares data entered into the login form....hey it can happen.

    Next, you can actually change content of the page itself. I am only going to list one example, but it is a very handy example: altering Forms.

    Every form on a page (unless otherwise named) is labelled forms[0]-forms[x] where x is the last form on the page (btw x is a variable that represents a number...not x).

    To access each form, just

    javascript:alert(document.forms[0])
    and you will probably receive an alert saying "[object]." So what you do is look for a field in that form; how about the form's action?

    javascript:void(document.forms[1].action="GET")
    That form has now reversed its purpose.

    For more info, read a book! And feel free to post other ideas or add to this.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  2. #2
    When I try this, all I get in return is this site popping up:

    http://www.steadysearch.com/search?p...20script:alert(document.cookie)

    Perhaps I am missing something?

  3. #3
    Senior Member (Join Date: Oct 2001, Posts: 786)
    Hey! I was working on making a tutorial out of this ;P

    I guess it is fair that you got done before me though. Besides, mine is about 10x bigger and 10x more involving

    pooh sun tzu - Make sure there is no space in the javascript:alert(document.cookie) I realized that AO spaced that out as a precaution against CSS (Cross Site Scripting) attacks when I originally tried it in that post we all happily talked about securing HTML source code... Anyways, no space. And it does work.

    -Tim_axe


    edit: ? It didn't space it... javascript:alert(document.cookie)
    edit2: Okay, it only spaces when it is in the URL tags, since only those are links...

    Edit3: So it was void()... Thanks, that was something I needed to figure out for my write-up. Expect to see mine sometime 2 weeks from now... I'm a little bit slow at these things...

  4. #4
    Senior Member (Join Date: Sep 2003, Posts: 500)
    Pooh, not
    http://www.antionline.com javascript:alert(document.cookie)
    I meant go to the url bar, delete anything in there and then type in
    javascript:alert(document.cookie)
    You don't actually enter the url because you are changing the page loaded on your computer right now. Do you understand? If not then feel free to PM or make another post.

    And Tim, I hope to see it sometime. There is much more that you can do and I was just showing the basics. Sorry I didn't put in ten times more effort

  5. #5
    Senior Member (Join Date: Nov 2003, Posts: 107)
    Lansing_Banda,

    What security threat does this pose? I tried some stuff out on my own site and that's pretty neat, but could someone actually do something malicious with this since JavaScript is all dealt with locally?
    Is there a sum of an infinite geometric series? Well, that all depends on what you consider a negligible amount.

  6. #6
    Senior Member (Join Date: Sep 2003, Posts: 500)
    Yes they can. If you can grab someone's cookie info, you can place it in yours (aka an md5ed password means jack **** if you just place that in your cookie). You can change the architecture of forms to post somewhere else (for example, I could change the post id here to post in the addicts forum instead of general chat) or you could change the method from post to get (so you could actually pull a file out of their server). You can make hidden parts of forms visible.

    Just use your imagination man.

  7. #7
    Senior Member (Join Date: Oct 2001, Posts: 786)
    Very true, and I may have returned a little bit late, but this is the underlying basics of XSS (Cross Site Scripting, I've mistakenly acronymed it CSS I think).

    It is a huge concern to message boards where hundreds or thousands or hundreds-of-thousands or so people view, click, and post. In those cases, instead of only doing this in the browser address bar, it can be done through posts. For example, on an insecure message board (I think AO has been secured pretty well after all of my poking around), someone could insert code that could steal any information you can get by typing stuff into your address bar.

    In fact, the most recent example of Lansing_Banda's post in my mind that deals directly with AntiOnline, was my most recent access method into the AO Addicts forum! Yes, I now have over 275 Posts so I can officially access it now, but I can give a run down of how I tackled this problem.

    First, I needed to get information on who viewed the forum. There happens to be a javascript that is used to find this information out. This javascript was the one used to show who replied to a post. This javascript is called with an argument that is set by the server which is the post-id number. I quickly made that connection, and found a thread id for a post in Addicts. From there, I could call that javascript, which would ask the server who posted in that thread-id. It just so happened that at the time the server code for that part didn't check to see if that person was an addict or not (via cookies, I'd assume). So, I got to see everyone who posted to addicts. I judged correctly, that the code didn't check addict status anyways, so I used it from there to list all posts by a user in that thread-id, and a check for over 275 posts was not made.

    And that right there is how real-to-life this is. So don't think that "it's only javascript, what can it do?" It can do a lot, provided the server end is misconfigured in some small way. And I have proven it.

    Again, great post Lansing_Banda. And I guess that this just shows that something in your imagination can come true.


    *Note to whom concerned: It has been patched quite a while back. --> http://www.antionline.com/showthread...hreadid=251149

    And for everyone else wondering what my last post there was about --> Just goes to show that it was patched up pretty well. I used *similar* methods to change all of the variables around but the forum rejected them as it should have.
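Added example (not part of the thread, and not AntiOnline's code) covering the server side of posts #6 and #7: a form's hidden forumid and the thread id passed to the "who replied" script are both client input, so the server must resolve the target from its own data and check the caller's rights on every request, instead of assuming the browser only sends what the page rendered. The forum table, the user records and the handler names are constructed for the demo; the 275-post threshold is the one the thread mentions.

```javascript
// Added example (not from the thread): server-side authorization that ignores
// what the browser claims about forum ids and thread ids.
// Forums, threads, users and the handler names are constructed for the demo.

const FORUMS = {
  general: { name: 'General Chat', minPosts: 0 },
  addicts: { name: 'AO Addicts', minPosts: 275 }, // threshold from the thread
};
const THREADS = {
  1001: { forum: 'general', posters: ['alice', 'bob'] },
  2002: { forum: 'addicts', posters: ['carol', 'dave'] },
};
const USERS = {
  alice: { posts: 500 },
  bob: { posts: 40 },
};

// One authorization rule, shared by every handler. `username` is assumed to
// come from a server-verified session, never from a cookie the browser wrote.
function canAccessForum(username, forumId) {
  const user = USERS[username];
  const forum = FORUMS[forumId];
  if (!user || !forum) return false;
  return user.posts >= forum.minPosts;
}

// Vulnerable pattern: the hidden forumid field is taken at face value, so a
// visitor who rewrote it in the DOM (or via document.forms[n]) posts anywhere.
function createPostNaive(username, body) {
  return { ok: true, forum: body.forumid, text: body.text, by: username };
}

// Hardened pattern: body.forumid is still just the client's claim, so it is
// checked against the caller's rights before anything is written.
function createPost(username, body) {
  if (!canAccessForum(username, body.forumid)) {
    return { ok: false, reason: 'forbidden' };
  }
  return { ok: true, forum: body.forumid, text: body.text, by: username };
}

// The "who replied to this thread" lookup from post #7. The thread id names
// the resource; the server derives the forum from it and checks access.
// Unknown and forbidden threads get the same answer so the response does not
// confirm which thread ids exist in a forum the caller cannot see.
function listPosters(username, threadId) {
  const thread = THREADS[threadId];
  if (!thread || !canAccessForum(username, thread.forum)) {
    return { ok: false, reason: 'forbidden' };
  }
  return { ok: true, posters: [...thread.posters] };
}

// Demo: bob (40 posts) submits a form whose hidden forumid was changed from
// "general" to "addicts", then asks who posted in an Addicts thread.
const tampered = { forumid: 'addicts', text: 'hi' };
console.log('naive:', createPostNaive('bob', tampered).ok);   // true
console.log('checked:', createPost('bob', tampered).ok);      // false
console.log('bob lookup:', listPosters('bob', 2002).reason);  // forbidden
console.log('alice lookup:', listPosters('alice', 2002).posters); // [ 'carol', 'dave' ]
```

The design choice worth noticing is that the permission rule lives in one function used by every entry point; the hole described in post #7 was exactly a second entry point (the reply-lister) that skipped the check the forum view performed.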

  8. #8
    Thanks guys for the info. But I still have one question. If those are the basics, where can I get more advanced tutorials??
