An attacker can use the injected code to perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to visit the malicious URL in various ways, for example through a redirect or a cross-site scripting payload that runs client-side.
- Injection Basics
- Cookie Editing
- Form Editing
1. Injection Basics:
You should get a small dialog box that says “Hello, World”. This will be altered later to have more practical uses. You can also have more than one command run on the same line:
This would pop up a box that says “Hello” and then another that says “World”.
2. Cookie Editing
First off, check to see if the site you are visiting has set any cookies by using this script:
This will pop up any information stored in the site's cookies. To edit that information, we make use of the void(); command.
This command can either alter existing information or create entirely new values. Replace “Field” with either an existing field found using the alert(document.cookie); command, or insert a field name of your own. Then replace “myValue” with whatever you want the field to contain.
This would either create a field named “authorized” with the value “yes” or, if it already exists, change it to “yes”. Whether or not this does anything of value depends on the site you are injecting it on.
It is also useful to tack an alert(document.cookie); onto the end of the same line to see what effect your alteration had.
3. Form Editing
Every form on a given webpage (unless named otherwise) is stored in the forms[x] array, where “x” is the position of the form counting from top to bottom. Note that the index starts at 0, so the first form on the page is forms[0], the second is forms[1], and so on.
Let's take this example:
<form action="http://www.website.com/submit.php" method="post"> <input type="hidden" name="to" value="[email protected]">
Note: Since this is the first form on the page, it is forms[0].
Say this form was used to email vital server information to the admin of the website. You can't just download the script and edit it, because the submit.php page checks the referrer. You can check what value a certain form element has by using this script.
This is similar to the alert(document.cookie); discussed previously. In this case, it would pop up an alert that says “[email protected]”.
So here's how to inject your email into it. You can use much the same technique as the cookie editing shown earlier:
This would change the email address of the form to “[email protected]”. Then you could use the alert(); script shown above to check your work, or you can couple both commands on one line.
Other cheat codes:
To move things around on the web-page.
Client-side validation should not be relied upon; server-side validation of every submitted value is essential.
A common practice intended to avoid JS injection is to escape or replace quote characters in user input. However, there are several ways to encode quotes so that such a filter is bypassed.
Changing single quotes to double quotes can therefore reduce the risk, but it is not a complete fix.
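As an added example (not code from the original page), here is how the server side of the submit.php-style form above, the cookie reading in the cookie-editing section, and the quote-escaping advice come together in Node.js. The recipient table, the addresses, and the body field are constructed assumptions; only the hidden field name "to" comes from the page.

```javascript
// Recipients live on the server, keyed by a short name; the browser never
// supplies an address. (Constructed placeholder addresses.)
const RECIPIENTS = {
  admin: "admin@example.com",
  support: "support@example.com",
};

// Vulnerable shape: the hidden field is used as-is, so anyone who edits
// document.forms[0].to.value in their browser decides where the mail goes.
function handleSubmitVulnerable(fields) {
  return { to: fields.to, body: String(fields.body ?? "") };
}

// Hardened shape: the client only names a key; unknown keys (including
// prototype names such as "__proto__") are rejected instead of defaulted.
// Hidden fields are treated as untrusted input, like any other field.
function handleSubmitHardened(fields) {
  const key = String(fields.to ?? "");
  if (!Object.prototype.hasOwnProperty.call(RECIPIENTS, key)) {
    return { error: "unknown recipient key" };
  }
  return { to: RECIPIENTS[key], body: String(fields.body ?? "").slice(0, 2000) };
}

// Escaping only quotes leaves '<', '>' and '&' in place. Encoding every
// HTML-significant character keeps a reflected value inert in HTML context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Session cookie attributes: HttpOnly keeps the token out of document.cookie,
// which is exactly what the alert(document.cookie) trick above reads.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
```

Compare the two handlers on a post whose "to" field has been edited: the vulnerable one forwards to whatever address was typed in, the hardened one refuses it.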