Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: manipulating query strings

From: ma1ler_deamon <ma1ler_deamon () yahoo com>
Date: Tue, 24 Feb 2004 11:33:13 -0800 (PST)

 if a form is designed to accept POST variables, it may also accept
 those same variables passed in through the querystring. It may not
 it depends on how lazy the developer was when they made it and if
 they pulled the values from the global collections or the specific
 ones. 
 
 ie. foo = Request(bar) , vs foo = Request.QueryString(bar) etc

 you can manipulate hidden variables in a number of ways, you can use
 an intercept proxy which can be kinda overkill for this, or you can 
 use custom tools to do it right inside of your browser such as IE

 one integrated IE integrated tool I found was this

 http://sandsprite.com/Sleuth

 it does some stuff ok, some stuff I really like, check out the "Browser
 Extensions" package, it adds a new right click menu item to your 
 standard IE context menus that pops up a forms editor. I guess its an 
 eval version, but there is a free build of the main app as well.

 -md

__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: