Basic Tutorial About Javascript Injection

Posted by in Questions & Answers

Javascript injection allows you to change websites behavior without refreshing or leaving it. It provides on spot interaction with the source code of website from browser window. Javascript script might come really handy when you are hacking basic websites. Javascript injection allows you to alter the form values before sending it to server.

In Javascript injection, javascript codes are injected from address bar of the browser window. In this tutorial we’ll go through the basics of javascript injection, if you are javascript expert then it might be below your knowledge. However freshers might find it interesting and informative.

To command any javascript code to your browser you must inform it that its javascript. It can be done by adding “Javascript:”(without quotes) just before your code.

Below is the sample code to input in your browser.

Javascript: alert("Welcome to HacksPC.com");

The above code is to be typed in browser address bar similar to image below:

After you complete the code, press enter, you’ll see the something similar to below:

In the code typed above, Javascript: is the protocol which you must type before initiating any javascript code snippet. Alert is just the javascript function that gives alert box on the screen. ; is the end of statement command that you have in every programming language, like C, C++, PHP etc.

To have more clear vision about statement end symbol, refer to following example,

javascript: alert("First message"); alert("second message"); alert("Third message");

It gives three separate windows with three different messages.

The alert() function is only used to get information from the website. For example to get form value, cookies etc.

Javascript:alert(document.cookie);

Above code example shows the cookies that are set in your browser by your current website.

This can be very useful if you are trying to hack basic websites. Cookies are set most in page login systems that might be helpful to get illegal access to the website’s administrator page.

For example in above image,  you can see username and password set in cookies section which was revealed with the help of javascript injection.

If the website is not strong enough you can modify the username to administrator’s username and gain full access to the website.

To change the cookie value you can follow the syntax similar to below:

javascript:void(document.cookie="Cookie_name=Cookie_value");

“void” in simple terms applies the function without refreshing the page. Literally, it means that the function won’t return any result.

javascript:void(document.cookie="username=user123"); alert(document.cookie);

The above code will change the cookie value and show the changed value.

You can change any cookie value by applying syntax like above.

To change multiple cookies following pattern will help.

javascript:void(document.cookie="username=user123"); void(document.cookie="password=pass123"); alert(document.cookie);

You can add multiple statements to do multiple tasks at once.

Changing cookie value allows you to confuse the website about your real details like username, log in status, and other dynamic values that are cookied.

Similarly you can change the form value and types. I’ll posting tutorial about form values using Javascript injection shortly. Meanwhile, you can practice with injections in several websites.

Hope this tutorial was informative.