RE: manipulating query strings

From: Nick Besant (Nick.Besant_at_ioko.com)
Date: 02/26/04

    Date: Thu, 26 Feb 2004 09:01:37 -0000
    To: <pen-test@securityfocus.com>
    
    

    You can do a lot of this with Perl and LWP
    http://www.perl.com/pub/a/2002/08/20/perlandlwp.html?page=1 - you
    can create a POST request from scratch using this and manually
    create headers etc.

    A good tool is SPIKE Proxy (already mentioned, I think),
    which I've successfully used for similar testing. Available
    GPL'd or commercially: http://www.immunitysec.com/spikeproxy.html
    This also provides additional testing functionality (if you're checking
    for XSS / other holes).

    Another commercial alternative would be something like
    Sleuth - http://www.sandsprite.com/Sleuth/about.html

    Nick Besant, ioko
    nick.besant@ioko.com - http://www.ioko.com

    > -----Original Message-----
    > From: Vel [mailto:vel@sympatico.ca]
    > Sent: Monday, February 23, 2004 12:43 PM
    > To: pen-test@securityfocus.com
    > Subject: manipulating query strings
    >
    >
    > Hello Group,
    >
    > Is there a way to send values to hidden fields,
    >
    > i.e. Input tags with type=hidden attribute a value from the URL if the
    > action attribute on the FORM is ACTION?
    >
    > e.g:
    >
    > <FORM form1 ACTION= '/search/search.asp' METHOD=post>
    >
    > <Input type=hidden name=serverName value=www.abc.com>
    > <Input type=hidden name=serverName value=www.def.com>
    >
    >
    > ---------------------------------------------------------------------------
    >
    > Given the Method is "POST", can I pass values to the Hidden Input fields
    > using the URL, i.e. URL manipulation?
    > I know I can pass variables in URL to Server side script variables if
    > METHOD is "GET".
    >
    > But how about POST method?
    >
    > Thanks.
    >
    > Kumar.
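
Added example, not part of either post and written in Python rather than the Perl/LWP the reply points to: a POST built from scratch carries whatever `serverName` value the client chooses, so the handler has to check the hidden field against the values the form actually offers. `SearchHandler`, `post_form`, `demo` and the value `other.example` are constructed for illustration; the handler is a loopback stand-in for `/search/search.asp` and assumes nothing about how the real ASP page reads its input.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_SERVERS = {"www.abc.com", "www.def.com"}  # values the form offers
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy


class SearchHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for /search/search.asp, not the real application."""
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        value = fields.get("serverName", [""])[-1]  # body only, never the URL
        ok = value in ALLOWED_SERVERS  # hidden field checked like any input
        self.send_response(200 if ok else 400)
        self.end_headers()
        self.wfile.write((value if ok else "rejected").encode())

    def log_message(self, *args):  # silence per-request logging
        pass


def post_form(url, fields):
    """Build the POST by hand; the client decides every field value."""
    req = urllib.request.Request(url, urllib.parse.urlencode(fields).encode())
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    with HTTPServer(("127.0.0.1", 0), SearchHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/search/search.asp"
        cases = [("", "www.abc.com"), ("", "other.example"),
                 ("?serverName=www.abc.com", "other.example")]
        try:
            return [post_form(url + qs, {"serverName": v}) for qs, v in cases]
        finally:
            server.shutdown()


if __name__ == "__main__":
    print(demo())
```

The third case puts an allowed value in the query string and a different one in the body; this handler reads only the body, so the request is still rejected.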
