Home page logo

pen-test logo Penetration Testing mailing list archives

Re: manipulating query strings
From: Karsten Johansson <ksaj () penetrationtest com>
Date: 24 Feb 2004 19:29:47 -0000

In-Reply-To: <006201c3fa45$4f84da60$419dacce () u3q6v1>

Is there a way to send values to hidden fields ,

i.e Input tags with type=hidden attribute a value from the URL if the action
attribute on the FORM is ACTION ?


<FORM form1 ACTION= '/search/search.asp'  METHOD=post>

<Input type=hidden name=serverName value=www.abc.com>
<Input type=hidden name=serverName value=www.def.com>

The "hard" way:  copy the html file (or a simplified version of it), and edit the type=

The "easy" way:  Use SPIKE proxy.  Not only can you then modify those hidden tags at will, you can edit anything 
transmitted to/from the web server.  There's also automated DoS and SQL insertion attacks for all of the inputs.

    Karsten Johansson


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]