Hosting Provided By

RE: View and edit hidden HTML form fields

From: Dongen, Jeroen van <jvandongen(at)seneca.nl>
Date: Thu Jun 12 2003 - 02:48:20 EDT

Don't know if you guys already knew these: http://www.squarefree.com/bookmarklets/forms.html

They are little bits of javascript you can store as a bookmark in your browser - when selected the javascript is executed on the current page. Particularly usefull in this context:

show_hiddens (show and make editable all hidden fields)
undisable (enable all form elements)
remove_maxlength (guess ...)

Rgds,
Jeroen

-----Original Message-----
From: Tim Greer [mailto:chatmaster@charter.net] Sent: Thursday, June 12, 2003 12:02 AM
To: sirkus; webappsec@securityfocus.com
Subject: Re: View and edit hidden HTML form fields (fwd)

No doubt it looks slick. I've not attempted to run it (don't really have any need nor desire to). Though for desktop use, sure this would be a better solution. I'm not sure what you mean by "those who use LWP and regex" though? LWP is a Perl module and regex is short for "regular expression". I.e., s/<input[\s\n]+type\s*=[\s\n]*hidden[\s]+/<input type=text/igs; It would automatically transform hidden tags to text fields for every page. It would operate and look the same and any things that require a referer could be easily modified to work.

I.e. surf with hidden tags shown as text fields. The script's wouldn't and couldn't know the difference. In other words, you could put it on a web site (or tun it locally--yes, if you had Perl and the LWP module installed locally) and surf such as that. Anyway, it's a trivial matter anyway. If a script is vulnerable to such things, it's pretty much a target that will get hit anyway. I suppose this tool, or the Perl solution (this would be about 4 lines or so of code, is why I mentioned it) would provide a bored person with a few minutes of fun. :-)

--
Regards,
Tim Greer  chatmaster@charter.net
Server administration, security, programming, consulting.

----- Original Message ----- From: "sirkus" <sirkus@sirkit.net> To: <webappsec@securityfocus.com> Sent: Wednesday, June 11, 2003 1:59 PM Subject: Re: View and edit hidden HTML form fields (fwd)
> Sure...for those of us who use the LWP and regex. (or other tools.)
on
> > any site you wish, allowing you to alter the referer and browser,
fields,
> > etc. as well.
> > --
> > Regards,
needed
> > > > it and could not find it. I used this as an opportunity to learn
some
> > > > IE/ALT/WLT/COM programming.. so don't expect a flawless tool.
> > > >
are
> > > > inserted back in to the live HTML view of the browser. This makes it
> > > > possible to research the behaviour of CGI scripts to unexpected form
> > > > field values.
> > > >
Received on Thu Jun 12 08:12:22 2003

This message: [ Message body ]
Next message: dan cuthbert: "Re: View and edit hidden HTML form fields (fwd)"
Previous message: Gary Gwin: "IIS Virtual Directory Security"
In reply to sirkus: "Re: View and edit hidden HTML form fields (fwd)"
Next in thread: sirkus: "RE: View and edit hidden HTML form fields"
Reply: sirkus: "RE: View and edit hidden HTML form fields"
Reply: sirkus: "Re: View and edit hidden HTML form fields (fwd)"
Reply: Jordi Molina: "RE: View and edit hidden HTML form fields (fwd)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT