Home page logo

pen-test logo Penetration Testing mailing list archives

RE: manipulating query strings
From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Tue, 24 Feb 2004 22:42:26 +0200

Hello Group,


Given the Method is "POST", can I pass values to the Hidden 
Input fields

The hidden input fields don't differ from any other input field, except of course that if your browser is given a HTML 
form with fields, it doesn't show the hidden fields. So the hidden fields can be modified just like any other fields, 
and when your browser sends a form to the web server, it simply lists all fields with their values - it doesn't 
differentiate between hidden and visible.

using the URL. i.e URL manipulation ?

Well, basically no, because URL parameters are passed to the web server program/script in a wholly different way than 
POST variables. In basic CGI scripts, the URL parameters are passed as parameters to the main function of the program, 
and as environment variables, whereas post parameters are mostly passed to the program on it's standard input.

However, most web applications just use some library to get the parameters, so they won't know the difference. With 
perl and the standard CGI library, you just do param('field') and you can't tell, whether that field was passed as post 
data or as a URL parameter. The same seems to be for a sample ASP script I have here.

Whether you can OVERRIDE the POSTed parameters by URL parameters, I'd say generally no. I believe the default is, if 
the web application gets a field called "name" both as a POST data and as a URL parameter (script.asp?name=value) then 
the POSTed field overrides the URL field.

So, 1) it all depends on the web application and 2) most likely with defaults, you can't.

Are you trying cross-site scripting / XSS or the like?

If not, you can of course just take the HTML page with the form and save it to your hard drive, and change the hidden 
fields to something else with notepad, or just delete them and pass the values in the URL.

All and all, if you aren't trying to accomplish XSS then I'd say you should try perl's LWP (lib-www-perl) module: it's 
a simple library you can easily use to post any parameters you want and send arbitrary User-Agent versions etc., 
whatever suits your needs.

Toni Heinonen,
Teleware Oy


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]