Javascript Injection

Javascript injection is a fun technique that allows you to change a website's content without leaving the site, reloading the page, or saving the site to your desktop. Javascript injection can be very useful when you need to change hidden data before you send it to the server. Let's start with some basic injection techniques.

Javascript Injection Basics

Javascript injections are run from the address bar of the browser. To start, remove everything from the address bar, including the http:// and any website information.

Javascript injection code is executed in the empty address bar using the javascript: protocol. In this tutorial we will go over the basics of javascript injection. If you are a Javascript expert this might be below you, but a refresher is always good.

The two most widely used injection commands are alert(); and void();. These commands will get you through most situations. For our first injection script we will open an alert box. Open the web browser of your choice and delete everything from the address bar. Go to any website you wish and type the following code in the empty address bar.

Code:  javascript: alert("You've been hacked");

What we have done is tell the browser to display an alert box containing a string. Although very simple, this is a great little trick; you will see its power later in this post.

With the javascript: protocol you can run as many commands as you want. Enter the following code in your empty browser address bar to test more than one javascript injection command.

Code:  javascript: alert("You've"); alert("been"); alert("hacked");

In this code injection you will see three different alert windows pop up one after the other.

Cookie Hacking

Cookie hacking or editing can be very fun and can open a lot of doors. First we need to open a browser window and go to a site that uses cookies. If you are not sure whether the site uses cookies, here is some code that will tell you. Type the following code in an empty address bar.

Code:  javascript: alert(document.cookie);

This code is very similar to the code we learned in the basics section. What it does is open an alert box that outputs the cookie file information for the current site. With this little piece of code you should start to see the power of the alert command.

Now that we have seen what data the cookie holds, let's change some things. On the site I used when I executed the code above, I got "PHPSESSID=5b391ba8c4969af84eb426d469abba1". The following code is the code I used to change my cookie value. Depending on your cookie you may need to edit the cookie name in the code; if the name does not match an existing cookie, the new value is simply appended to the end of the cookie string.

Code:  javascript: void(document.cookie="PHPSESSID = hacked"); alert(document.cookie);

In the code above the PHPSESSID value is changed to hacked and then an alert box is output showing the change to the cookie.

Notice the void command after the javascript: declaration. void evaluates its argument and returns no value, so the browser does not replace the current page with the result of the expression. Cookie editing can open many doors. In the following example you will see how you could hack your way into a website with poor authorization.

Let's say you find a site that has restricted access to several pages. You check the cookie from the site to see if it is doing anything. The cookie outputs this: loggedIn=no. If you change that value to yes, you could get access to the restricted pages without logging in like a normal user. The following code changes the cookie value and displays the new value:

Code:  javascript: void(document.cookie="loggedIn=yes"); alert(document.cookie);

Form Hacking

Form hacking can be achieved several ways. A lot of the time you can save the webpage to your desktop and edit the HTML, then submit the form from your desktop to the web server. Many web developers have wised up to this and have added checks to their code for this kind of submission. That is when javascript injection can come in very handy.

Let’s start with a very common example. You find a website that has a form with hidden form elements. The website code looks something like the code below.

Code:  <form action="http://www.hackablesite.com/submit.php" method="post">
<input name="price" type="hidden" value="1000" />
</form>

As you can see from the code above, the HTML contains a form that posts its data to submit.php on the hackablesite.com server. This form has a hidden price field. I don't know about you, but $1,000 seems like a lot of money. I am not greedy; I think $10 is a fair price. Below you will find the code I used to change this value. Enter the following code into your empty address bar.

Code:  javascript: void(document.forms[0].price.value = 10); alert(document.forms[0].price.value);

In the above code we change the price field by using javascript to access the value of the hidden field and set it to 10. An alert box then displays the value to confirm it has been changed. This attack is not limited to hidden fields; it works on select menus and any other form items.
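The server-side counterpart to the form above, added here as an example (not code from the original post): a Node.js handler that ignores the client-supplied price, takes the price from a server-side catalog, validates the quantity, and records a mismatch between the two as a tamper signal for monitoring. The catalog, SKUs and field names are constructed assumptions.

```javascript
// Added example, not from the original post: what submit.php should do with the
// POST from the form above. Catalog, SKUs and the qty/product fields are constructed.
const CATALOG = { "sku-100": 1000, "sku-200": 25 }; // assumption: server-side prices in dollars

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Vulnerable handler in the spirit of the post's scenario: trusts the hidden price field.
function checkoutWeak(body) {
  const f = parseForm(body);
  return { ok: true, charged: Number(f.price) * Number(f.qty || 1) };
}

// Hardened handler: the price comes from the catalog, the quantity is validated,
// and a client price that disagrees with the catalog is flagged (never used).
function checkoutHardened(body) {
  const f = parseForm(body);
  const unit = CATALOG[f.product];
  if (unit === undefined) return { ok: false, error: "unknown product" };
  const qty = Number(f.qty || 1);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) return { ok: false, error: "bad quantity" };
  // A mismatch means the hidden field was edited client-side: log and alert on it.
  const tampered = f.price !== undefined && Number(f.price) !== unit;
  return { ok: true, charged: unit * qty, tampered };
}
```

The tampered flag is what a detection rule would key on: an honest browser submits the catalog price, so any mismatch is a deliberate edit.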

That completes this post about javascript injection; as you can see, all kinds of fun things can be done with these techniques. Use your imagination, and with a little work you can test your site and keep it secure from malicious hackers.

I began programming in C++ when I was in college. Odd for a business major, but hey, I am a Dork. After college I got a job as a System Administrator. As a System Administrator I was in charge of web administration. My journey as a PHP web developer had begun. Since that time I have gained an in-depth knowledge of CSS, Javascript, XML and MySQL. With changes and advances in technology I have also begun learning AJAX. I started Blue Fire Development to do freelance work in my spare time.

Posted in Hacking
6 comments on "Javascript Injection"
  1. Dan says:

    This will only work on the most basic of websites. Why don’t you speak about avoiding filters?

    Any decent website will remove the word ‘script’ from your input.

  2. Necris says:

    Avoiding filters is easy, ever heard of Google?

    Yes, 'script' will be removed from input on even semi-decent websites, which is why the author is teaching javascript injection. Did you read the article? jeez…

  3. Michal says:

    keep up the good work!
    ;)

  4. Dan says:

    Good job. This tutorial is good, but a bit basic, I would be more interested in learning more about preventing hacking attempts using callback functions in the httpRequest object.

  5. Sri says:

    Contents are good… but are there any other references where we can get advanced ideas about injections, both Javascript and DB?

  6. Don says:

    Thanks. It was just what I needed to know as a beginner. Great presentation style.
