RE: manipulating query strings

From: Toni Heinonen (Toni.Heinonen_at_teleware.fi)
Date: 02/24/04

    Date: Tue, 24 Feb 2004 22:42:26 +0200
    To: "Vel" <vel@sympatico.ca>, <pen-test@securityfocus.com>
    
    

    > Hello Group,

    Hello,

    > Given the Method is "POST", can I pass values to the Hidden
    > Input fields

    The hidden input fields don't differ from any other input field, except of course that if your browser is given an HTML form with fields, it doesn't show the hidden fields. So the hidden fields can be modified just like any other fields, and when your browser sends a form to the web server, it simply lists all fields with their values - it doesn't differentiate between hidden and visible.

    > using the URL. i.e URL manipulation ?

    Well, basically no, because URL parameters are passed to the web server program/script in a wholly different way than POST variables. In basic CGI scripts, the URL parameters are passed as parameters to the main function of the program, and as environment variables, whereas POST parameters are mostly passed to the program on its standard input.

    However, most web applications just use some library to get the parameters, so they won't know the difference. With Perl and the standard CGI library, you just do param('field') and you can't tell whether that field was passed as POST data or as a URL parameter. The same seems to be true for a sample ASP script I have here.

    Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say generally no. I believe the default is, if the web application gets a field called "name" both as POST data and as a URL parameter (script.asp?name=value), then the POSTed field overrides the URL field.

    So, 1) it all depends on the web application and 2) most likely with defaults, you can't.

    Are you trying cross-site scripting / XSS or the like?

    If not, you can of course just take the HTML page with the form and save it to your hard drive, and change the hidden fields to something else with notepad, or just delete them and pass the values in the URL.

    All in all, if you aren't trying to accomplish XSS then I'd say you should try Perl's LWP (lib-www-perl) module: it's a simple library you can easily use to post any parameters you want and send arbitrary User-Agent versions etc., whatever suits your needs.

    -- 
    Toni Heinonen,
    Teleware Oy
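
The two parameter channels discussed in the message above, as an added example that is not part of the original post: a Python sketch of how a CGI program receives URL parameters (the QUERY_STRING environment variable) and POST fields (standard input), plus a server-side check that flags fields arriving in both. The sample request, the field names and the `post_wins` switch are constructed for illustration.

```python
import io
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"

def read_cgi_params(environ, stdin):
    """Parse the two channels separately, as a CGI program receives them."""
    # URL parameters: the server puts them in the QUERY_STRING variable.
    url = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    post = {}
    # POST fields: CONTENT_LENGTH bytes of form data on standard input.
    if (environ.get("REQUEST_METHOD") == "POST"
            and environ.get("CONTENT_TYPE", "").startswith(FORM)):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = stdin.read(length).decode("ascii", "replace")
        post = parse_qs(body, keep_blank_values=True)
    return url, post

def merged(url, post, post_wins=True):
    """What a source-blind lookup sees; precedence is the library's choice."""
    low, high = (url, post) if post_wins else (post, url)
    return {**low, **high}

def conflicts(url, post):
    """Fields sent in both channels with different values (worth logging)."""
    return sorted(k for k in url.keys() & post.keys() if url[k] != post[k])

def sample_request():
    """Constructed request: the form's hidden 'price' field is also in the URL."""
    body = b"item=book&price=25"
    environ = {
        "REQUEST_METHOD": "POST",
        "QUERY_STRING": "price=1",
        "CONTENT_TYPE": FORM,
        "CONTENT_LENGTH": str(len(body)),
    }
    return environ, io.BytesIO(body)

if __name__ == "__main__":
    url, post = read_cgi_params(*sample_request())
    print("url :", url)
    print("post:", post)
    print("POST wins:", merged(url, post)["price"])
    print("URL wins :", merged(url, post, post_wins=False)["price"])
    print("conflicting fields:", conflicts(url, post))
```

Keeping the two dictionaries apart lets the application read each field only from the channel its form uses, whichever precedence the parameter library applies.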