So I finally read about this topic.
I read about HTML DOM [btw why do they call it DOM] structure and, knowing some basic JavaScript, I understood how the injections work.
What I don't understand is why does it ACTUALLY work? Are those injections client side or server side? I assume they are client side. So why is it OK to change the value of a form, for example, through injection, but it won't work if you just simply edit the HTML code?
And if you had a good link in mind about where I could learn about the prevention of these injections, that would be just super.
javascript injections
- isapiens
- Fame ! Where are the chicks?!
- Posts: 533
- Joined: 05 May 2006, 16:00
- 17
- Location: Turn around
Fluoridation is the most monstrously conceived and dangerous communist plot we have ever had to face.
- n3rd
- Staff Member
- Posts: 1474
- Joined: 15 Nov 2005, 17:00
- 18
- Location: my own perfect world in ma head :)
- Contact:
I don't have a lot of knowledge about java, but what I do know is that java can be client side, thus if u open the source of a webpage and u see java, and u were to save the source, edit it and remove the java, it could be possible for u to 1) get free items 2) get a longer username that isn't allowed with the java enabled. 3) create an even longer password or the password that u want but java would deny.
Those are some of the things I encountered.
Evil plot to rule the world in white.
( under the wannabeblacks under us ) cheap webshops often have shitty protection and u can do -1 and +1 to pay 0.00 for an item
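Added example, not part of the thread or any poster's code: the tricks listed in the post above work only when the length and price rules exist solely in the page's JavaScript, which the visitor controls. A minimal server-side re-check of the same form, where `CATALOG`, `LIMITS` and `validateOrder` are hypothetical names and both sample requests are constructed:

```javascript
'use strict';
// Hypothetical sketch: rules are enforced again on the server, where the
// visitor cannot delete them by editing the saved page source.

// Prices live on the server in integer cents; the client only names the item.
const CATALOG = new Map([['mug', 799], ['shirt', 1999]]);
const LIMITS = { usernameMax: 16, passwordMin: 8, passwordMax: 64, qtyMax: 100 };

function validateOrder(form) {
  const errors = [];
  const username = typeof form.username === 'string' ? form.username.trim() : '';
  const password = typeof form.password === 'string' ? form.password : '';

  // Same limits the page script checks, repeated server side.
  if (!/^[A-Za-z0-9_]+$/.test(username) || username.length > LIMITS.usernameMax) {
    errors.push('username');
  }
  if (password.length < LIMITS.passwordMin || password.length > LIMITS.passwordMax) {
    errors.push('password');
  }

  // Quantity must be a plain positive integer: rejects "-1", "1.5", "1e3", "".
  const qtyText = String(form.quantity ?? '');
  const qty = /^[0-9]{1,3}$/.test(qtyText) ? Number(qtyText) : NaN;
  if (!Number.isInteger(qty) || qty < 1 || qty > LIMITS.qtyMax) {
    errors.push('quantity');
  }

  // Any price or total sent by the browser is ignored; the catalog decides.
  const unitCents = CATALOG.get(form.item);
  if (unitCents === undefined) errors.push('item');

  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, username, totalCents: unitCents * qty };
}

// Constructed requests: one honest, one sent with the page's checks stripped out.
const honest = { username: 'alice', password: 'correct horse', item: 'mug', quantity: '2', price: '7.99' };
const tampered = { username: 'x'.repeat(40), password: 'pw', item: 'mug', quantity: '-1', price: '0.00' };

console.log(validateOrder(honest));
console.log(validateOrder(tampered));
```
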
- isapiens
- Fame ! Where are the chicks?!
- Posts: 533
- Joined: 05 May 2006, 16:00
- 17
- Location: Turn around
First of all, Java is not the same thing as JavaScript.
> get free items
If that was that easy everyone would steal stuff from eBay.
> get a longer username that isnt allowed with the java enabled. 3) create an even longer password or the password that u want but java would deny
I think it would be much more practical to retrieve the password or the username instead of extending the length. I really don't see why you would wanna do that.
Honestly man, your post doesn't contain any useful information. It doesn't really say anything about JavaScript injections either. Unless I am missing something in your post, in which case I apologize in advance, don't post if you have no idea what you are talking about.
Fluoridation is the most monstrously conceived and dangerous communist plot we have ever had to face.
- CommonStray
- Forum Assassin
- Posts: 1215
- Joined: 20 Aug 2005, 16:00
- 18
DOM stands for Document Object Model.
It's basically a model that represents HTML, XML and other formats, supporting navigation in any direction as well as arbitrary modding; to use it the document must already be read or parsed.
If you take the new tool Jikto, that uses JavaScript embedded in a website to turn any surfer's PC that visits the site into a drone that scans for vulnerabilities in other websites, stealthily. It wouldn't be extremely difficult to make modifications to make it extract data, which I believe the developer is working on and may release at Blackhat this summer (from what I've read), but as well why not make a modification that records keystrokes as the user enters them into login fields; as long as the browser window is open it would be working, scanning and recording.
As for JavaScript manipulations on the fly... check out ParosProxy.
-
- Fame ! Where are the chicks?!
- Posts: 291
- Joined: 14 Oct 2006, 16:00
- 17
- Location: Some hippy's van
- Contact:
Some sites that use PHP to include pictures that users upload can be susceptible to XSS exploits like these. Of course a local file inclusion vulnerability is required.
The server parses the image on a lower level than visual. You see, a JPEG isn't solid like a Polaroid. At some point in time the server needs to parse the image as 1's and 0's or however they work. And they simply parse the PHP or JavaScript inside the picture. I tested with PHP a few months back and had it so one file would actually edit the index.php file. And another would restore it.
Surprisingly enough, creating the local file inclusion vuln was harder than the PHP (which I don't even code in).