WebApp Sec mailing list archives

Re: View and edit hidden HTML form fields (fwd)


From: "Tim Greer" <chatmaster () charter net>
Date: Thu, 12 Jun 2003 10:22:15 -0700




From: "sirkus" <sirkus () sirkit net>
To: <webappsec () securityfocus com>
Sent: Thursday, June 12, 2003 8:12 AM
Subject: Re: View and edit hidden HTML form fields (fwd)


  Indeed. I certainly wasn't claiming any greatness on the part of the
program, especially since we're not a Windows shop -- it doesn't
particularly apply to me. My point was that while I may be comfortable
with using Perl/LWP and regular expressions as a coder, these are things
I use on a regular basis while doing assessments.  However, for others
(such as many who I work with that do not code) this provides a simple
way to demonstrate various simple client-side state weaknesses.

I actually don't see how this reveals any weaknesses. Just seeing the fields
or arguments/values passed to a script/program doesn't really mean anything.
It can save a lame 'web site form based' cracker some effort, but that's
about it.

  I would also agree that there are many other tools out there that do
similar things (and much more.) Especially where actual assessments are
the goal.  I was just simply stating that for its intended purpose, it
works, and integrates into IE as a side bar making it easy to tote
around. (Again, for those who use IE...)

Sure, it looks sort of neat for what it is. For a Windows desktop. Of
course, my opinion is two things: installing a program someone else wrote
that I don't see the source to is not going to happen. Secondly, using IE,
you already have enough problems to not be wasting your time with silly
tools like this. :-)
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.

