WebApp Sec mailing list archives
Re: View and edit hidden HTML form fields (fwd)
From: "Tim Greer" <chatmaster () charter net>
Date: Wed, 11 Jun 2003 15:01:37 -0700
No doubt it looks slick. I've not attempted to run it (don't really have any need nor desire to). Though for desktop use, sure this would be a better solution. I'm not sure what you mean by "those who use LWP and regex" though? LWP is a Perl module and regex is short for "regular expression". I.e.,

    s/<input[\s\n]+type\s*=[\s\n]*hidden[\s]+/<input type=text/igs;

It would automatically transform hidden tags to text fields for every page. It would operate and look the same and any things that require a referer could be easily modified to work. I.e. surf with hidden tags shown as text fields. The scripts wouldn't and couldn't know the difference. In other words, you could put it on a web site (or run it locally--yes, if you had Perl and the LWP module installed locally) and surf such as that.

Anyway, it's a trivial matter anyway. If a script is vulnerable to such things, it's pretty much a target that will get hit anyway. I suppose this tool, or the Perl solution (this would be about 4 lines or so of code, is why I mentioned it) would provide a bored person with a few minutes of fun. :-)
--
Regards,
Tim Greer chatmaster () charter net
Server administration, security, programming, consulting.

----- Original Message -----
From: "sirkus" <sirkus () sirkit net>
To: <webappsec () securityfocus com>
Sent: Wednesday, June 11, 2003 1:59 PM
Subject: Re: View and edit hidden HTML form fields (fwd)

Sure...for those of us who use the LWP and regex. (or other tools.)

But it looks like the point of this "sidebar" tool is to make the forms (and other elements) a quick browse, and provide the ability to change input fields easily while browsing. While I don't usually use IE for Web App Security Assessments, this is actually a slick tool for prodding around without too much effort. Beats the "View->source" recommendation made earlier for modifying input fields.

Of course, I just downloaded it 5 mins ago... so add a grain or two of salt.

On Wed, 2003-06-11 at 13:45, Tim Greer wrote:

Why not just use Perl with the LWP module and a simple regex and run it on any site you wish, allowing you to alter the referer and browser, fields, etc. as well.
--
Regards,
Tim Greer chatmaster () charter net
Server administration, security, programming, consulting.

----- Original Message -----
From: <bugtraq () cgisecurity net>
To: <webappsec () securityfocus com>
Sent: Wednesday, June 11, 2003 9:23 AM
Subject: View and edit hidden HTML form fields (fwd)

This may be of interest to this list.

- zeno

Delivered-To: mailing list vuln-dev () securityfocus com
Delivered-To: moderator for vuln-dev () securityfocus com
Date: Mon, 9 Jun 2003 16:23:38 +0200
From: Richard van den Berg <richard () vdberg org>
To: vuln-dev () securityfocus com, submissions () packetstormsecurity org
Subject: View and edit hidden HTML form fields
Message-ID: <20030609142338.GA14082 () vdberg org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i

This might be the most trivial security tool ever written, but I needed it and could not find it. I used this as an opportunity to learn some IE/ALT/WLT/COM programming.. so don't expect a flawless tool.

What it does is display HTML fill-out form fields (including hidden ones) in a table outside the normal browser view. Values can be edited and are inserted back in to the live HTML view of the browser. This makes it possible to research the behaviour of CGI scripts to unexpected form field values.

http://www.vdberg.org/~richard/htmlbar.html

Many thanks to Bjarke Viksoe who made the initial HtmlBar upon which I build. HtmlBar is an Internet Explorer 5+ plugin.

Any feedback is appreciated.

Sincerely,
Richard van den Berg

--
sirkus <sirkus () sirkit net>
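
The form-field inventory that the HtmlBar announcement describes, sketched with a real HTML parser as an added example; it is not code from the thread or from HtmlBar, and the sample page plus the class and function names are constructed. It also counts how many hidden inputs the substitution pattern quoted in the message matches, since that pattern only recognises an unquoted type=hidden placed directly after the tag name.

```python
import re
from html.parser import HTMLParser

# Python transcription of the match side of the pattern quoted in the message.
QUOTED_REGEX = re.compile(r"<input[\s\n]+type\s*=[\s\n]*hidden[\s]+", re.I | re.S)

class FormFieldLister(HTMLParser):
    """Collect (form action, name, type, value) for every form control."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.action = None          # action of the form currently open, if any
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # the parser lowercases tag and attribute names
        if tag == "form":
            self.action = a.get("action", "")
        elif tag in ("input", "select", "textarea", "button"):
            kind = (a.get("type") or ("text" if tag == "input" else tag)).lower()
            self.fields.append((self.action, a.get("name"), kind, a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def list_fields(html):
    p = FormFieldLister()
    p.feed(html)
    p.close()
    return p.fields

def hidden_fields(html):
    return [f for f in list_fields(html) if f[2] == "hidden"]

# Constructed sample page (not from the thread).
SAMPLE = """
<form action="/cgi-bin/order.cgi" method="post">
  <input type=hidden name=item value=1001>
  <input type="hidden" name="price" value="19.99">
  <INPUT NAME='currency' TYPE='HIDDEN' VALUE='USD'>
  <input name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

if __name__ == "__main__":
    for action, name, kind, value in list_fields(SAMPLE):
        print(f"{action!s:22} {name!s:10} {kind:8} {value!r}")
    print("hidden via parser:", len(hidden_fields(SAMPLE)),
          "| via quoted regex:", len(QUOTED_REGEX.findall(SAMPLE)))
```

Every field the listing marks as hidden is still client-supplied input when the form is submitted, so the receiving script has to validate it like any other field.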