RE: View and edit hidden HTML form fields (fwd)

From: Jordi Molina <warper(at)eresmas.com>
Date: Thu Jun 12 2003 - 13:15:30 EDT


Hi all.

I think that the application is good for checking whether there is any hidden field in the form that stores sensible information.

I have to say, too, that, in many ways, this kind of "programming error" has been checked by anyone that works with dynamic web applications.

At this time, I have a lot of questions regarding the storage of session variables in many languages (ColdFusion, i.e.). I checked whether Internet Explorer stores them in a cookie, but I haven't found them yet.

Does anyone know where these variables are stored on the client side? Is there any program like this one that allows checking the content of session variables instead of hidden fields in HTML forms?

Thanks in advance

PS: Excuse me for my bad English, I think I have to practice a little more :)
-----Original Message-----
From: sirkus [mailto:sirkus@sirkit.net]
Sent: Thursday, 12 June 2003 17:13
To: webappsec@securityfocus.com
Subject: Re: View and edit hidden HTML form fields (fwd)

  Indeed. I certainly wasn't claiming any greatness on the part of the program, especially since we're not a Windows shop -- it doesn't particularly apply to me. My point was that while I may be comfortable with using Perl/LWP and regular expressions as a coder, these are things I use on a regular basis while doing assessments. However, for others (such as many who I work with that do not code) this provides a simple way to demonstrate various simple client-side state weaknesses.

  I would also agree that there are many other tools out there that do similar things (and much more), especially where actual assessments are the goal. I was just simply stating that for its intended purpose, it works, and integrates into IE as a side bar, making it easy to tote around. (Again, for those who use IE...)

On Wed, 2003-06-11 at 17:01, Tim Greer wrote:
> No doubt it looks slick. I've not attempted to run it (don't really have any
> need nor desire to). Though for desktop use, sure this would be a better
> solution. I'm not sure what you mean by "those who use LWP and regex
> expression". I.e., s/<input[\s\n]+type\s*=[\s\n]*hidden[\s]+/<input type=text/igs;
> It would automatically transform hidden tags to text fields for every page. It
> would operate and look the same and any things that require a referer could
> be easily modified to work. and couldn't know the difference. In other words,
> you could put it on a web site (or run it locally--yes, if you had Perl and
> the LWP module installed locally) and surf such as that. Anyway, it's a
> trivial matter anyway. If a script is vulnerable to such things, it's pretty
> much a target that will get hit anyway. I suppose this tool, or the Perl
> solution (this would be about 4 lines or so of code, is why I mentioned it)
> would provide a bored person with a few minutes of fun. :-)
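An audit check in the spirit of the tool and the Perl one-liner discussed in this thread, added here as an example that is not part of the thread or of the tool: it lists every hidden input in a page and flags the ones whose names suggest server-side state (price, role, session) that the server must re-derive rather than trust from the client. The sample form and the name pattern are constructed for the example.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (not from the thread): a checkout form that keeps
# state in hidden fields, the pattern the thread is discussing.
SAMPLE_HTML = """
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="4711">
  <input type='HIDDEN' name="price" value="19.99">
  <input type="hidden" name="is_admin" value="0">
  <input type="text" name="qty" value="1">
  <input type="hidden" name="sessionid" value="abc123">
  <input type="submit" value="Buy">
</form>
"""

# Field names that suggest state the client should never be allowed to set.
# Assumed pattern for the example; extend it for your own application.
SENSITIVE_NAME = re.compile(r"(price|total|amount|discount|admin|role|user.?id|session)", re.I)


class HiddenFieldParser(HTMLParser):
    """Collect every <input type=hidden> with its name and value."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # html.parser lowercases attribute names; values may be None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() == "hidden":
            self.fields.append({"name": a.get("name", ""), "value": a.get("value", "")})


def find_hidden_fields(html):
    """Return all hidden inputs in the page, in document order."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.fields


def audit_hidden_fields(html):
    """Return the hidden fields whose names look like server-side state."""
    return [f for f in find_hidden_fields(html) if SENSITIVE_NAME.search(f["name"])]


if __name__ == "__main__":
    for f in audit_hidden_fields(SAMPLE_HTML):
        print(f"review: hidden field {f['name']!r} carries {f['value']!r}; recompute it server side")
```

Anything reported here is exactly what the IE side bar or the Perl substitution would expose to a user, so the fix is to keep such values in server-side session state and validate whatever does come back from the form.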
Received on Fri Jun 13 17:43:19 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT
