RE: manipulating query strings

From: Scovetta, Michael V (Michael.Scovetta_at_ca.com)
Date: 02/24/04

    Date: Tue, 24 Feb 2004 13:34:53 -0500
    To: "Vel" <vel@sympatico.ca>, <pen-test@securityfocus.com>
    
    

    You can do this through JavaScript only. You WANT to say something like:

    <script language="javascript">
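      // Point the form at the host named in the hidden serverName field.
      function bar() {
        var fooForm = document.getElementById('foo');
        // getAttribute returns the literal "/search.asp"; the action property
        // can come back as an already-resolved absolute URL.
        var path = fooForm.getAttribute('action');
        // A scheme is needed (http assumed here), otherwise the browser treats
        // the result as a relative URL on the current host.
        fooForm.action = 'http://' + fooForm.elements['serverName'].value + path;
      }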
    </script>

    <form id="foo" action="/search.asp" method="post" onsubmit="javascript:bar();">
      <input type="hidden" name="serverName" value="www.server.com"/>
    </form>

    Just make sure you don't have another hidden form field named "action" in there,
    or it will conflict, I believe.

    You might also be able to work something in like:

    <form action="javascript:expression(this.serverName.value)+'/search.asp')" ...

    but I haven't tested that 2nd one.

    Michael Scovetta

    -----Original Message-----
    From: Vel [mailto:vel@sympatico.ca]
    Sent: Monday, February 23, 2004 2:43 PM
    To: pen-test@securityfocus.com
    Subject: manipulating query strings

    Hello Group,

    Is there a way to send values to hidden fields,
    i.e. Input tags with the type=hidden attribute, a value from the URL if the action
    attribute on the FORM is ACTION?

    e.g:

    <FORM form1 ACTION= '/search/search.asp' METHOD=post>

    <Input type=hidden name=serverName value=www.abc.com>
    <Input type=hidden name=serverName value=www.def.com>

    ---------------------------------------------------------------------------

    Given the Method is "POST", can I pass values to the Hidden Input fields
    using the URL, i.e. URL manipulation?
    I know I can pass variables in URL to Server side script variables if METHOD
    is "GET".

    But how about the POST method?

    Thanks.

    Kumar.
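
The server-side view of the question above, as an added example that is not part of the original thread: a handler that reads `serverName` from the POST body only, ignores a same-named parameter in the URL, and treats every hidden-field value as client-controlled. The function names, the allowlist and the sample requests are assumptions constructed for illustration.

```javascript
// Hosts the application is prepared to search (assumed allowlist).
const ALLOWED_SERVERS = new Set(['www.abc.com', 'www.def.com']);

// Return the validated serverName values from a POSTed form, or throw.
// req.url is deliberately never parsed: query-string parameters are not
// merged with body fields, so the URL cannot override a hidden field.
function readPostedServerNames(req) {
  if (req.method !== 'POST') throw new Error('method not allowed');
  if (!/^application\/x-www-form-urlencoded\b/i.test(req.contentType || '')) {
    throw new Error('unexpected content type');
  }
  // The form in the question has two inputs named serverName, so collect
  // every value instead of silently taking the first or the last one.
  const values = new URLSearchParams(req.body).getAll('serverName');
  if (values.length === 0) throw new Error('serverName missing');
  return values.map((v) => {
    const name = v.trim().toLowerCase();
    // Hidden fields can be edited before submission: accept known hosts only.
    if (!ALLOWED_SERVERS.has(name)) throw new Error('serverName not allowed');
    return name;
  });
}

// Wrap the result so callers can log accept/reject decisions uniformly.
function check(req) {
  try {
    return { ok: true, serverNames: readPostedServerNames(req) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample requests (not captured traffic).
const FORM = 'application/x-www-form-urlencoded';
const samples = [
  { method: 'POST', url: '/search/search.asp', contentType: FORM,
    body: 'serverName=www.abc.com&serverName=www.def.com' },
  { method: 'POST', url: '/search/search.asp?serverName=other.example',
    contentType: FORM, body: 'serverName=www.def.com' },
  { method: 'POST', url: '/search/search.asp', contentType: FORM,
    body: 'serverName=other.example' },
  { method: 'GET', url: '/search/search.asp?serverName=www.abc.com',
    contentType: '', body: '' },
];
for (const s of samples) {
  console.log(s.method, s.url, JSON.stringify(check(s)));
}
```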
