All the information on this page is for educational purposes only. The owner of the blog, nor Blogger, nor anyone associated with this blog can be held liable for illegal activities brought by this blog

Monday, November 7, 2011

JavaScript Injections

JavaScript Injections

Ok, sorry it took so long to post this guys, but it's really difficult to balance college, work, running a blog, etc. Anyway, today we will discuss JavaScript injections and then also poisonous cookies.

Injection Basics

JavaScript injections are run from the URL bar of the page you are visiting. To use them you must first completely empty the URL from the URL bar. That means no http:// or whatever.

JavaScript is run from the URL bar using the javascript: protocol. I will only be showing you the basics of this, but if you already know javascript, you can expand on this using plain old javascript.

The two commands covered in this blog post are the alert(); and the void(); commands. These are pretty much all you will need in most situations. For your first JavaScript, you will make a simple window appear, first go to any website and then type the following into your URL bar:
javascript:alert('Hello, World');
You should get a little diagram box that says "Hello, World". This will be altered later to have more practical uses.

You can also have more than one command run at the same time:
javascript:alert('Hello'); alert('World');
This would pop up a box that said "Hello" and then another that says "World".

Cookie Editing

First off, check to see if the site you are visiting has set any cookies by using this script:
javascript:alert(document.cookie);
This will pop up any information stored in the site's cookies. To edit any information, we make use of the void(); command:
javascript:void(document.cookie="Field = myValue");
This command can either alter existing information or create entirely new values. Replace "Field" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace "myValue" with whatever you want the field to be. For example:
javascript:void(document.cookie="Authorized=yes");
Would either make the field "Authorized" or edit it to say "yes"... now whether or not this does anything of value depends on the site you are injecting it into.



Now its time for some...

Cookie Poisoning

A poisonous cookie is a user - edited cookie poisoned to perform a malicious attack. You can poison cookies with various different methods, e.g,  scripts, SQL injections .

Here I will show you an example using SQL injections:

javascript:void(document.cookie="pass=' or 1=1--");

This will bypass login and you will either see a list of usernames or log in.

Thanks
Hope you enjoyed this article

Techno Master 
Posted by Techno Master at 10:34 PM
Labels: , , ,

3 comments:

  1. AnonymousJanuary 17, 2013 at 3:01 PM

    So you can use cookie poisoning to gain access to a website?

    ReplyDelete
  2. Techno MasterJanuary 17, 2013 at 3:28 PM

    Depending on the level of security, yes

    ReplyDelete
  3. AnonymousJanuary 18, 2013 at 3:43 PM

    Cool. This is a very useful and informative site you got.

    ReplyDelete

Subscribe to: Post Comments (Atom)
 
Back To Top