Re: manipulating query strings
From: Karsten Johansson (ksaj_at_penetrationtest.com)
Date: 02/24/04
- Previous message: Markus Toman: "Re: manipulating query strings"
- Maybe in reply to: Vel: "manipulating query strings"
- Next in thread: Scovetta, Michael V: "RE: manipulating query strings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Feb 2004 19:29:47 -0000 To: pen-test@securityfocus.com('binary' encoding is not supported, stored as-is) In-Reply-To: <006201c3fa45$4f84da60$419dacce@u3q6v1>
>Is there a way to send values to hidden fields ,
>
>i.e Input tags with type=hidden attribute a value from the URL if the action
>attribute on the FORM is ACTION ?
>
>e.g:
>
><FORM form1 ACTION= '/search/search.asp' METHOD=post>
>
><Input type=hidden name=serverName value=www.abc.com>
><Input type=hidden name=serverName value=www.def.com>
The "hard" way: copy the html file (or a simplified version of it), and edit the type=
The "easy" way: Use SPIKE proxy. Not only can you then modify those hidden tags at will, you can edit anything transmitted to/from the web server. There's also automated DoS and SQL insertion attacks for all of the inputs.
Karsten Johansson
www.PENETRATIONTEST.com
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: Markus Toman: "Re: manipulating query strings"
- Maybe in reply to: Vel: "manipulating query strings"
- Next in thread: Scovetta, Michael V: "RE: manipulating query strings"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
