Penetration Testing mailing list archives
RE: manipulating query strings
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 24 Feb 2004 13:34:53 -0500
You can do this through JavaScript only. You WANT to say something like:
<script language="javascript">
function bar() {
var fooForm = document.getElementById('foo');
fooForm.action = fooForm.serverName.value + fooForm.action;
}
</script>
<form id="foo" action="/search.asp" method="post" onsubmit="javascript:bar();">
<input type="hidden" name="serverName" value="www.server.com"/>
</form>
Just make sure you don't have another hidden form field named "action" in there,
or it will conflict, I believe.
You might also be able to work something in like:
<form action="javascript:expression(this.serverName.value)+'/search.asp')" ...
but I haven't tested that 2nd one.
Michael Scovetta
-----Original Message-----
From: Vel [mailto:vel () sympatico ca]
Sent: Monday, February 23, 2004 2:43 PM
To: pen-test () securityfocus com
Subject: manipulating query strings
Hello Group,
Is there a way to send values to hidden fields ,
i.e Input tags with type=hidden attribute a value from the URL if the action
attribute on the FORM is ACTION ?
e.g:
<FORM form1 ACTION= '/search/search.asp' METHOD=post>
<Input type=hidden name=serverName value=www.abc.com>
<Input type=hidden name=serverName value=www.def.com>
---------------------------------------------------------------------------
Given the Method is "POST", can I pass values to the Hidden Input fields
using the URL. i.e URL manipulation ?
I know I can pass variables in URL to Server side script variables if METHOD
is "GET".
But how about POST method ?
Thanks.
Kumar.
---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.
Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_pen-test_040219
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
Current thread:
- manipulating query strings Vel (Feb 24)
- Re: manipulating query strings Eric Paynter (Feb 25)
- Re: manipulating query strings Ariel Martinez (Feb 26)
- RE: manipulating query strings Campbell Murray (Feb 25)
- Re: manipulating query strings Markus Toman (Feb 25)
- <Possible follow-ups>
- RE: manipulating query strings Kris Wilkinson (Feb 25)
- Re: manipulating query strings ma1ler_deamon (Feb 25)
- RE: manipulating query strings Toni Heinonen (Feb 25)
- Re: manipulating query strings morning_wood (Feb 26)
- Re: manipulating query strings Karsten Johansson (Feb 25)
- RE: manipulating query strings Scovetta, Michael V (Feb 25)
- Re: manipulating query strings marko (Feb 26)
- RE: manipulating query strings Nick Besant (Feb 26)
- Re: manipulating query strings Eric Paynter (Feb 25)
