The two most widely used injection commands are alert(); and void();. These commands will get you through most situations. For our first injection script we will open an alert box. Open the web browser of your choice and delete everything from the address bar. Go to any website you wish and type the following code in the empty address bar.
What we have done is tell the browser to open an alert box containing a string of text. Although very simple, this is a great little trick; you will see its power later in this post.
In this code injection you will see three different alert windows pop up one after the other.
This code is very similar to the code we learned in the basics section. What it does is open an alert box that outputs the cookie file information for the current site. With this little piece of code you should start to see the power of the alert command.
Now that we have seen what data the cookie has in it, let's change some things. On the site I used when I executed the code above I got "PHPSESSID=5b391ba8c4969af84eb426d469abba1". The following code is the code I used to change my cookie value. Depending on your cookie you may need to edit the code; otherwise the new value will just be appended to the end of the cookie.
In the code above the PHPSESSID value is changed to hacked and then an alert box is output showing the change to the cookie.
Let's say you find a site that has restricted access to several pages. You check the cookie from the site to see if it is doing anything. The cookie outputs this: loggedIn=no. If you change that value to yes, you could get access to the restricted pages without logging in like a normal user. The following code changes the cookie value and displays the new value:
Let’s start with a very common example. You find a website that has a form with hidden form elements. The website code looks something like the code below.
As you can see from the code above, we have some HTML code with a form that posts data to submit.php on the hackablesite.com server. This form has a hidden price field. I don't know about you, but $1,000 seems like a lot of money. I am not greedy; I think $10 is a fair price. Below you will find the code I used to change this value. Enter the following code into your empty address bar.
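Seen from the server side, the `loggedIn` cookie edit and the hidden price edit only work when the server trusts values the browser sends back. The sketch below is an added example, not code from the original post or from any site it mentions: a hypothetical Node.js handler that takes login state from a server-side session record and the price from a server-side catalog. The field names `item`, `qty` and `price`, the session ID and the catalog entry are constructed assumptions.

```javascript
// Added example: state the browser cannot edit. All names and values are constructed.
const CATALOG = new Map([["widget-1", { name: "Widget", priceCents: 100000 }]]); // $1,000
const SESSIONS = new Map([["5f2c9a", { user: "alice", loggedIn: true }]]);

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Handle a POST of the order form. Returns { status, alerts, order? }.
function handleSubmit(cookieHeader, body) {
  const alerts = [];
  const cookies = parseCookies(cookieHeader);
  // Login state comes only from the server-side record keyed by the session ID.
  const session = SESSIONS.get(cookies.get("PHPSESSID"));
  if (cookies.has("loggedIn")) alerts.push("client-supplied loggedIn cookie ignored");
  if (!session || !session.loggedIn) return { status: 401, alerts };

  const form = new URLSearchParams(body);
  const item = CATALOG.get(form.get("item"));
  if (!item) return { status: 400, alerts };
  const qty = Number(form.get("qty"));
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) return { status: 400, alerts };

  // The posted price is never billed; a mismatch is only a tampering signal to log.
  const posted = form.get("price");
  if (posted !== null && Math.round(Number(posted) * 100) !== item.priceCents) {
    alerts.push(`price mismatch for ${form.get("item")}: posted ${posted}`);
  }
  return {
    status: 200,
    alerts,
    order: { user: session.user, totalCents: item.priceCents * qty },
  };
}
```

The order total is computed from the catalog regardless of what the form carried, so an edited hidden field changes nothing except the alert list a monitoring pipeline can pick up.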