How to Use JavaScript Injections to Locally Manipulate the Websites You Visit

Oct 14, 2011 06:02 PM

JavaScript is one of the main programming languages that the Web is built on. It talks directly to your browser and exchanges information with it in ways that HTML simply cannot. With JavaScript, you are able to access browser cookies, website preferences, real-time actions, slideshows, popup dialogs and calculators, or you create entire web-based apps. The list goes on nearly forever.

We can use JavaScript ourselves—right now—in the web browser. Go ahead, type this into the address bar of your browser without a URL in it and press the enter key:

javascript:alert('Hello World!');

You will see a popup box that says "Hello World!". This is what's called a JavaScript injection. We took a bit of JavaScript and manipulated the Web in real-time. JavaScript injections can be used to do a number of things; You can check cookie contents, swap cookies, temporarily edit a webpage, modify web forms, and even do some malicious stuff.

In this Null Byte I'm going to be teaching you the bare bones of JavaScript injections and how to manipulate cookies and web form data.

Alert & Injection Chains

Let's start by using the example we used above and create a JavaScript alert.

javascript:alert('Hello World!');

Let's dissect that. "javascript" tells the browser we are using JavaScript, "alert" is calling the alert function and everything between "()" is the argument. In the argument, you see single quotes that indicate text strings. They can be interchanged with double quotes, just like in english, but they must be consistent. These rules are almost uniform when it comes to programming.

Let's chain commands. The semicolon is the indicator of command chains. Try this one out:

javascript:alert('Hello World!'); alert("Double quotes, and second alert");

Because JavaScript was already specified, we only need to call the alert function again.

Cookie Alerts & Cookie Modification

Now we are going to check if the webpage we are on uses cookies. Then we will see if we can edit the cookies to swap login sessions.

javascript:alert(document.cookie)

If you see a popup with lots of jumbles of letters and things like "PHPSESSID=", that means the website is storing cookies on your computer.

Let's edit something in this cookie.

javascript:void(document.cookie="__mvtVariantID=tacos");

In the picture above, you see that I had the "__mvtVariantID=" element. I use the JavaScript injection to modify it to the word "tacos". You'll see the new element at the bottom in the picture below. This also uses the "void" function, which voids an element with whatever information you want to put over it.

Now if I were logged in and had another member's cookie, I could swap our sessions using these techniques, effectively becoming that member.

Edit Web Forms

Sometimes you may want to edit a web form. A web form is when you have to "submit" something to a server, usually in logins or forgotten password forms. Let's say we have a forgot password form for some website, and this is the HTML code they used:

When using JavaScript to modify web forms, it labels them in numbers with the first web form being [0] and so on. For the example, this form will be [0]. Let's hack this form so it submits the user's password to us.

  javascript:void(document.forms[0].to.value="hackeremail@gmail.com")

This is basically saying "Void the documents first form, skip (to) and go to the value (value) and make it equal to my email".

That's it, those are the basics of JavaScript injections! If you learn JavaScript from the ground up, which I hope you do, you can do some pretty awesome hacks with it. Take care, and come visit me and friends in IRC!

Photo by hitthatswitch

Comments

No Comments Exist

Be the first, drop a comment!