Javascript Injection |A Closer Look

Posted by in Questions & Answers

If you are directly linked to here then you might probably have missed my previous tutorial about the basics of javascript injection. If you have already read my previous post then let’s summarize what I tutored you last time.
I introduced you with javascript injection from how should it begin and it’s basic rules. I also demonstrated some of the basic things you can do with javascript injection in address bar. Now today in this tutorial, I’ll guide you through the window where you’ll get more closer vision in javascript injection and it’s prevailing uses. OK, now let’s begin with the tutorial.

Besides changing cookies (in my previous tutorial), you can change other things as well. One of them is changing form values.

Consider the following text field in a money transfer form:

<form action=”submit.php” method=”post”>

<input name=”amount” type=”hidden” value=”1? />

</form>

Assume that above code is the source code extract from a form which sends $1 to your account every time the form is submitted. Lets say that you want to receive $100, how would you do that? The problem in this form is that this form remains invisible since its type is set hidden and neither can you change the value of the invisible field.

By using javascript injection technique you can change the form value easily.

For example to change the value of the above form, you can inject following javascript code:

Javascript: void(document.forms[0].amount.value="100");

The value of the input named amount will change to 100 by applying above injection. The syntax to change form is,

The Green colored text must contain numerical value, the numerical value is the form number where 0 means the first form and 1 means the second form. The orange colored text must contain the name of the input type. For example, in the above form we’ve input name of first form as amount. The blue colored form contains the value to be kept in the input form.

Have a look at following image demo:

You have the form that cannot be modified directly but it is visible.

Now when you look at the source code, you’ll see that it is disabled and you cannot edit the value of this form. This is where you’ll plan and study for javascript injection. Find which form is it, first second or third. If it is first then you must input 0 in the forms[#]. Find out the name of the form and enter the value you want.

Now after everything is planned and fixed, you’ll prepare the javascript injection code and inject it from your browser’s address bar.

Now alert box will show up, this will confirm that the javascript injection went successfully.

Now when you press OK button, you’ll have the form value changed eventually.

In this way you can change the form value easily.

And for some extra fun you can change the title of the website by using following code:

Javascript: alert(document.title = "title name");

This will change the title of the website.

For example,

In Google.com, javascript: alert(document.title); will load the following alert bod.

And when you inject page title javascript injection, you’ll get following result.

Hope you had fun reading this tutorial.