Penetration Testing mailing list archives
Re: manipulating query strings
From: ma1ler_deamon <ma1ler_deamon () yahoo com>
Date: Tue, 24 Feb 2004 11:33:13 -0800 (PST)
If a form is designed to accept POST variables, it may also accept those same variables passed in through the query string. It may not; it depends on how lazy the developer was when they made it and whether they pulled the values from the global collections or the specific ones, i.e. foo = Request(bar) vs. foo = Request.QueryString(bar), etc.

You can manipulate hidden variables in a number of ways: you can use an intercept proxy, which can be kind of overkill for this, or you can use custom tools to do it right inside of your browser such as IE. One integrated IE tool I found was this: http://sandsprite.com/Sleuth. It does some stuff OK, some stuff I really like; check out the "Browser Extensions" package. It adds a new right-click menu item to your standard IE context menus that pops up a forms editor. I guess it's an eval version, but there is a free build of the main app as well.

-md
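The point about Request(bar) versus Request.QueryString(bar) is easy to demonstrate with a small model of the lookup. The following is an added example, not code from the post or from any ASP runtime: a hypothetical Python Request class that mimics classic ASP's unqualified Request(name), which searches the QueryString collection before the Form collection (the real object also falls through to Cookies, ClientCertificate and ServerVariables, which are omitted here). The handler names, the field name bar and the sample requests are constructed for illustration. The accepts_from_querystring check is the kind of test a reviewer would run against a form handler to confirm it only binds parameters from the request body.

```python
from urllib.parse import parse_qs


class Request:
    """Hypothetical model of the classic ASP Request object (added example).

    Only the QueryString and Form collections are modelled; classic ASP's
    unqualified Request(name) additionally falls through to Cookies,
    ClientCertificate and ServerVariables, in that order.
    """

    def __init__(self, query_string: str, body: str) -> None:
        # parse_qs returns lists; keep the first value to mimic Request(name).
        self.query_string = {k: v[0] for k, v in parse_qs(query_string).items()}
        self.form = {k: v[0] for k, v in parse_qs(body).items()}

    def __call__(self, name: str):
        """Unqualified lookup: the first collection holding `name` wins,
        so a query-string value shadows the posted form value."""
        for collection in (self.query_string, self.form):
            if name in collection:
                return collection[name]
        return None


def lazy_handler(req: Request):
    """foo = Request(bar): accepts bar from either the URL or the body."""
    return req("bar")


def strict_handler(req: Request):
    """foo = Request.Form(bar): only the posted body is consulted."""
    return req.form.get("bar")


def accepts_from_querystring(handler) -> bool:
    """Defensive check: does `handler` honour bar when it is supplied only in
    the query string of a request whose body does not contain it?"""
    probe = Request("bar=from_query", "other=1")
    return handler(probe) is not None


if __name__ == "__main__":
    # Constructed sample: a hidden field bar posted in the body, with the same
    # name also present in the query string of the same request.
    req = Request("bar=from_query", "item=widget&bar=from_form")
    print("lazy  :", lazy_handler(req))    # the query-string value shadows the form value
    print("strict:", strict_handler(req))  # only the posted value is used
    print("lazy handler binds from query string :", accepts_from_querystring(lazy_handler))
    print("strict handler binds from query string:", accepts_from_querystring(strict_handler))
```

The check is deliberately written against the handler rather than the framework, so it works the same whether the lookup falls through a global collection or reads a specific one; a handler that should only process a submitted form ought to fail the check.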
Current thread:
- manipulating query strings Vel (Feb 24)
- Re: manipulating query strings Eric Paynter (Feb 25)
- Re: manipulating query strings Ariel Martinez (Feb 26)
- RE: manipulating query strings Campbell Murray (Feb 25)
- Re: manipulating query strings Markus Toman (Feb 25)
- <Possible follow-ups>
- RE: manipulating query strings Kris Wilkinson (Feb 25)
- Re: manipulating query strings ma1ler_deamon (Feb 25)
- RE: manipulating query strings Toni Heinonen (Feb 25)
- Re: manipulating query strings morning_wood (Feb 26)
- Re: manipulating query strings Karsten Johansson (Feb 25)
- RE: manipulating query strings Scovetta, Michael V (Feb 25)
- Re: manipulating query strings marko (Feb 26)
- RE: manipulating query strings Nick Besant (Feb 26)
- Re: manipulating query strings Eric Paynter (Feb 25)