Re: manipulating query strings

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 02/26/04

    To: <pen-test@securityfocus.com>
    Date: Wed, 25 Feb 2004 23:10:43 -0800
    
    

    maybe graphically this clarifies things...

    the below does work with a GET

    ---------- snip ----------
    <form method="POST" action="http://www.geobytes.com/IpLocator.htm?GetLocation">
     <input type="hidden" name="cid" value="0">
     <input type="hidden" name="c" value="">
     <input type="hidden" name="Template" value="iplocator.htm">
     <h3>IP Address to locate:<input type="text" name="ipaddress" size="15"
    value="">&nbsp;<input type="submit" value="Submit">
    ---------- snip ---------------

    if you change the "POST" to a "GET", it does not load

    http://www.geobytes.com/IpLocator.htm?GetLocation?cid=0&c=&Template=iplocator.htm&ipaddress=0.0.0.0

    yet,
    -------- snip ----------
    <FORM METHOD="GET" ACTION="http://www.cracks.spb.ru"
    ENCTYPE="application/x-www-form-urlencoded">
    <INPUT TYPE="hidden" NAME="page" VALUE="0">
    Search cracks:
    <INPUT TYPE="text" NAME="ss" VALUE="" SIZE=15>
    <INPUT TYPE="submit" NAME="Search" VALUE="Search">
    <BR></FORM>
    --------- snip ----------

    the above does work with a GET

    so you can have an accept / deny rule based on the "METHOD"
    obviously cracks.spb.ru accepts any "METHOD" while geobytes.com
    only accepts a "POST" METHOD. "hidden" tags are only client based
    and the server script has no way to tell if it ( the info submitted )
    was "hidden" or not.

    hope this helps,

    Donnie Werner
    http://exploitlabs.com

    >The hidden input fields don't differ from any other input field, except of
    >course that if your browser is given an HTML form with fields, it doesn't show
    >the hidden fields. So the hidden fields can be modified just like any other
    >fields, and when your browser sends a form to the web server, it simply lists
    >all fields with their values - it doesn't differentiate between hidden and
    >visible.
    >
    >Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say
    >generally no. I believe the default is, if the web application gets a field
    >called "name" both as a POST data and as a URL parameter (script.asp?name=value)
    >then the POSTed field overrides the URL field.
    >
    >So, 1) it all depends on the web application and 2) most likely with defaults,
    >you can't.
    >
    >If not, you can of course just take the HTML page with the form and save it to
    >your hard drive, and change the hidden fields to something else with notepad,
    >or just delete them and pass the values in the URL.
    >
    >All in all, if you aren't trying to accomplish XSS then I'd say you should try
    >perl's LWP (lib-www-perl) module: it's a simple library you can easily use to
    >post any parameters you want and send arbitrary User-Agent versions etc.,
    >whatever suits your needs.
    >

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
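
The server-side view of the points in this thread, as an added example that is not part of the original posts: a handler that accepts or denies by request method, keeps URL and POST parameters apart so precedence is an explicit choice, and validates the "hidden" fields like any other input. The field names come from the first form above; the POST-only policy, the template allowlist and the example.test URL are assumptions.

```python
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

ALLOWED_METHODS = {"POST"}             # assumption: this endpoint is POST-only
ALLOWED_TEMPLATES = {"iplocator.htm"}  # assumption: server-side allowlist


def parse_request(method, url, body=""):
    """Return (status, result) for a constructed request; no network involved."""
    if method.upper() not in ALLOWED_METHODS:
        return 405, "method not allowed"
    # Keep the two sources apart so precedence is an explicit decision.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    fields = {}
    for name in ("cid", "Template", "ipaddress"):
        values = form.get(name, [])
        # Reject duplicates and any attempt to supply a form field via the URL.
        if len(values) != 1 or name in query:
            return 400, f"bad or ambiguous field: {name}"
        fields[name] = values[0]
    # "hidden" inputs arrive like any other field, so validate them all.
    if not (fields["cid"].isascii() and fields["cid"].isdigit()):
        return 400, "cid must be numeric"
    if fields["Template"] not in ALLOWED_TEMPLATES:
        return 400, "unknown template"
    try:
        fields["ipaddress"] = str(ip_address(fields["ipaddress"]))
    except ValueError:
        return 400, "invalid ipaddress"
    return 200, fields


if __name__ == "__main__":
    url = "http://www.example.test/IpLocator.htm?GetLocation"  # constructed
    ok = "cid=0&c=&Template=iplocator.htm&ipaddress=192.0.2.10"  # constructed
    print(parse_request("POST", url, ok))
    print(parse_request("GET", url + "&cid=0"))
    print(parse_request("POST", url, ok.replace("iplocator.htm", "other.htm")))
    print(parse_request("POST", url + "&cid=9", ok))
```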

