Re: manipulating query strings
From: ma1ler_deamon (ma1ler_deamon_at_yahoo.com)
Date: 02/24/04
- Previous message: Mike Hoskins: "Re: question regarding nessus plug-in 10595 DNS AXFR"
- Maybe in reply to: Vel: "manipulating query strings"
- Next in thread: Toni Heinonen: "RE: manipulating query strings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 Feb 2004 11:33:13 -0800 (PST) To: pen-test@securityfocus.com
if a form is designed to accept POST variables, it may also accept
those same variables passed in through the querystring. It may not
it depends on how lazy the developer was when they made it and if
they pulled the values from the global collections or the specific
ones.
ie. foo = Request(bar) , vs foo = Request.QueryString(bar) etc
you can manipulate hidden variables in a number of ways, you can use
an intercept proxy which can be kinda overkill for this, or you can
use custom tools to do it right inside of your browser such as IE
one integrated IE integrated tool I found was this
it does some stuff ok, some stuff I really like, check out the "Browser
Extensions" package, it adds a new right click menu item to your
standard IE context menus that pops up a forms editor. I guess its an
eval version, but there is a free build of the main app as well.
-md
__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: Mike Hoskins: "Re: question regarding nessus plug-in 10595 DNS AXFR"
- Maybe in reply to: Vel: "manipulating query strings"
- Next in thread: Toni Heinonen: "RE: manipulating query strings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
