Re: manipulating query strings

From: Markus Toman (m.toman_at_sec-consult.com)
Date: 02/25/04

    Date: Wed, 25 Feb 2004 15:57:03 +0100
    To: pen-test@securityfocus.com
    
    

    Hi

    The HTTP header sent by the browser contains the POST-Variables.
    There are many ways to change the value in hidden fields.

    i.e.:
    - Save the page, change the source, change the form action from
    '/search/search.asp' to 'http://>/search/search.asp' and the
    hidden field values to whatever you like.

    - Write a prog or use telnet and send the HTTP header yourself.

    - Try Firefox with the Live HTTP headers plugin. You can capture
    outgoing HTTP requests, modify them and send them again.
    http://www.mozilla.org/products/firefox/
    http://texturizer.net/firefox/extensions/#livehttpheaders

    Vel wrote:

    >Hello Group,
    >
    >Is there a way to send values to hidden fields,
    >
    >i.e. Input tags with type=hidden attribute a value from the URL if the action
    >attribute on the FORM is ACTION?
    >
    >e.g:
    >
    ><FORM form1 ACTION= '/search/search.asp' METHOD=post>
    >
    ><Input type=hidden name=serverName value=www.abc.com>
    ><Input type=hidden name=serverName value=www.def.com>
    >
    >
    >---------------------------------------------------------------------------
    >
    >Given the Method is "POST", can I pass values to the Hidden Input fields
    >using the URL, i.e. URL manipulation?
    >I know I can pass variables in URL to Server side script variables if METHOD
    >is "GET".
    >
    >But how about POST method?
    >
    >Thanks.
    >
    >Kumar.
    >
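
Added example, not part of the original posts: because a hidden field comes back in the POST as ordinary client-supplied data, a server that has to round-trip a value through one can attach a MAC when rendering the form and verify it on submission. The key handling, the session identifier and the `_mac` companion field name are assumptions made for this illustration; `serverName` and its values are taken from the form in the question.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumption: a secret held only by the server (generated per process here).
SERVER_KEY = secrets.token_bytes(32)


def sign_field(session_id: str, name: str, value: str) -> str:
    """Return a hex MAC binding one hidden field's value to one session."""
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode()
                   for p in (session_id, name, value))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden(session_id: str, name: str, value: str) -> dict:
    """Fields the server emits into the form: the value plus its MAC."""
    return {name: value, name + "_mac": sign_field(session_id, name, value)}


def verify_post(session_id: str, body: str, name: str):
    """Parse a urlencoded POST body; return the value if its MAC verifies."""
    form = parse_qs(body, keep_blank_values=True)
    values, macs = form.get(name, []), form.get(name + "_mac", [])
    # Reject missing or duplicated parameters instead of silently picking one.
    if len(values) != 1 or len(macs) != 1:
        return None
    expected = sign_field(session_id, name, values[0])
    # Compare as bytes in constant time; the client controls macs[0].
    ok = hmac.compare_digest(expected.encode(), macs[0].encode())
    return values[0] if ok else None


def demo():
    """Constructed sample: one untouched submission and one edited one."""
    sid = "constructed-session-1"
    fields = render_hidden(sid, "serverName", "www.abc.com")
    honest = urlencode(fields)
    tampered = urlencode({**fields, "serverName": "www.def.com"})
    return (verify_post(sid, honest, "serverName"),
            verify_post(sid, tampered, "serverName"))


if __name__ == "__main__":
    print(demo())
```

Where the value does not need to pass through the browser at all, keeping it in server-side session state removes the need for the check.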


