Sunday, July 6, 2008

Javascript injection technique

This tutorial is going to teach you the basics of JavaScript injections. They are fairly simple if you already know JavaScript. This is, in a way, a type of hacking. You can do many things with this, such as alter form values, alter cookies, set cookies, gain access to restricted pages, and, as I said, much more.

Hello World! is the easiest thing you can do. It doesn't affect a page, but it definitely gives you an understanding of how this is going to work. First of all, all JavaScript injections are performed in the URL bar (address bar). So go to any website you want; it doesn't really matter which. Then, type in the URL bar:

javascript:alert('Hello World!');

Now, let me explain what this does:

javascript: This lets the browser you are using know that you are about to enter some sort of JavaScript command.

alert: This will make a little box pop up with the information you wished to see. In our case, "Hello World".

('Hello World!'): This will be what is displayed in our alert box. Don't forget the quotes, otherwise it won't work properly.

;: As with almost every single Scripting/Programming language, you need to remember this at the end of almost every line of code. It won't work right without it.

If you did all that right, after you hit the enter button, you would have gotten a pop-up box displaying "Hello World".

Working With Cookies

This can be a tiny bit more difficult to understand at first. And it still is for me, because I am sucky when it comes to JavaScript. So I won't be the best at explaining every bit of this. But if you follow along, you should get it. Now, as before, go to any website you wish. For this tutorial, I will be using Tizag.com. Clear your address bar, and type:

Code:
javascript:alert(document.cookie);

If you did that right, depending on the website, you should get a bunch of jumbled letters and things, or something along those lines. This can vary quite a bit from website to website. Let's break this up, though, and go over what everything does. (I'm only going to go over the new bits; if you forgot what the first bits were, go back up and read about them.)

(document.cookie): This will display the cookies that the website has set. Notice that there aren't any quotes around it? If there were, it would just display "document.cookie" in your little pop-up box, because it reads it as plain text.

Now let's add some cookies to a page. On that same webpage, view the cookies using the previous method, and remember what they are, because we are going to add to them. Here is the script:

Code:
javascript:void(document.cookie = "Access = Granted");

Nothing will happen; or so it seems. After you hit enter again, clear that, and view the cookies again. If you did it right, you will see, either at the beginning or the end of the cookie contents, "Access=Granted". This is one of those ways you can get past, say, a forum ban, where they just set it so that you couldn't get in anymore. Now, I'm not saying it will work, because it probably won't: most forum software is way more secure than that, using PHP IP blocks and such. But I'm not going to bother going over that. Now, let's go over what we just did.

void: This is just one of those things I am not too clear about. I would say what I think it is, but I don't want to make a fool of myself.

(document.cookie = "Access = Granted"): This gets into the cookies, and then adds the cookie saying that Access is granted. (Just an example, you could use anything.)

Alter Forms

Sometimes, to edit values sent to a given website through a form, you can download the HTML and edit it slightly to allow you to submit what you want. However, sometimes the website checks to see if you actually submitted it from the website you were supposed to. To get around this, we can just edit the form straight from JavaScript. Note: The changes are only temporary, so it's no use trying to deface a site through JavaScript injection like this.

Every form on a given webpage (unless named otherwise) is stored in the forms[x] array... where "x" is the number, in order from top to bottom, of all the forms in a page. Note that the forms start at 0, so the first form on the page would actually be 0, and the second would be 1 and so on. Here is a sample form which we will alter:

Code:

And now, here is the Javascript Injection we will use to alter the values of the form.

Code:
javascript:alert(document.forms[0].to.value)

Now, without having to read the source code and find out all the form information, just do that, and it will display the first form's information on the page you are trying to tweak.

Code:
javascript:void(document.forms[0].to.value="email@nhacks.com")

Now that you have the information stored in the form, you need to change it to your liking. In our case, we changed the e-mail to something that suited us. Let's pretend that, for some reason, this form was sending vital information about a major website. Now it will send it all to the e-mail we just put in.
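
Seen from the server side, both the cookie edit and the form edit above change only data the browser controls. The following is an added example (not part of the original post) of a server-side handler that takes authorization from a session record and the mail recipient from server configuration; the `sid` cookie name, the session ids, the `contact` form id and the addresses are constructed assumptions.

```javascript
// Added example, not from the original post. All names and values are constructed.
// Server-side state: the browser can read and rewrite cookies and form fields,
// so nothing security-relevant is taken from them except an opaque session id.
const sessions = new Map([
  ['sid-constructed-1f9a', { user: 'alice', banned: false }],
  ['sid-constructed-77c2', { user: 'mallory', banned: true }],
]);
// The recipient is fixed per form on the server, not read from the posted "to" field.
const formRecipients = new Map([['contact', 'support@example.com']]);

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                       // not a name=value pair
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Decide what to do with a submitted form. req = { cookieHeader, formId, body }.
function handleSubmission(req) {
  const cookies = parseCookies(req.cookieHeader);
  const session = sessions.get(cookies.get('sid'));
  // An "Access=Granted" cookie is never consulted; only the session record counts.
  if (!session) return { status: 401, reason: 'no valid session' };
  if (session.banned) return { status: 403, reason: 'user is banned' };

  const recipient = formRecipients.get(req.formId);
  if (!recipient) return { status: 400, reason: 'unknown form' };
  const body = req.body || {};
  // Flag the mismatch so tampering shows up in logs, then ignore the field.
  const tampered = body.to !== undefined && body.to !== recipient;
  return { status: 200, sendTo: recipient, from: session.user, tampered };
}
```

With this design the edited `to` value never reaches the mailer, and the `tampered` flag gives the operator a signal worth alerting on.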

