WebApp Sec mailing list archives

RE: View and edit hidden HTML form fields (fwd)


From: "Jordi Molina" <warper () eresmas com>
Date: Thu, 12 Jun 2003 19:15:30 +0200

Hi all.

I think that the application is good for checking whether there is any
hidden field in the form that stores sensitive information.

I have to say, too, that, in many ways, this kind of "programming error"
has been checked by anyone that works with dynamic web applications.

At this time, I have a lot of questions regarding the storage of session
variables in many languages (ColdFusion, i.e.). I checked if Internet
Explorer stores them in a cookie, but I haven't found them yet.

Does anyone know where these variables are stored on the client side? Is
there any program like this one that allows checking the content of
session variables instead of hidden fields in HTML forms?



Thanks in advance 


PS: Excuse me for my bad English, I think I have to practice a little
more :)

-----Original Message-----
From: sirkus [mailto:sirkus () sirkit net]
Sent: Thursday, June 12, 2003 17:13
To: webappsec () securityfocus com
Subject: Re: View and edit hidden HTML form fields (fwd)

  Indeed. I certainly wasn't claiming any greatness on the part of the
program, especially since we're not a Windows shop -- it doesn't
particularly apply to me. My point was that while I may be comfortable
with using Perl/LWP and regular expressions as a coder, these are things
I use on a regular basis while doing assessments.  However, for others
(such as many who I work with that do not code) this provides a simple
way to demonstrate various simple client-side state weaknesses.

  I would also agree that there are many other tools out there that do
similar things (and much more.) Especially where actual assessments are
the goal.  I was just simply stating that for its intended purpose, it
works, and integrates into IE as a side bar making it easy to tote
around. (Again, for those who use IE...)

On Wed, 2003-06-11 at 17:01, Tim Greer wrote:
No doubt it looks slick. I've not attempted to run it (don't really
have any need nor desire to). Though for desktop use, sure this would
be a better solution. I'm not sure what you mean by "those who use LWP
and regex" though? LWP is a Perl module and regex is short for "regular
expression".
I.e., s/<input[\s\n]+type\s*=[\s\n]*hidden[\s]+/<input type=text/igs;
It would automatically transform hidden tags to text fields for every
page. It would operate and look the same and any things that require a
referer could be easily modified to work.

I.e. surf with hidden tags shown as text fields. The scripts wouldn't
and couldn't know the difference. In other words, you could put it on a
web site (or run it locally--yes, if you had Perl and the LWP module
installed locally) and surf such as that. Anyway, it's a trivial matter
anyway. If a script is vulnerable to such things, it's pretty much a
target that will get hit anyway. I suppose this tool, or the Perl
solution (this would be about 4 lines or so of code, is why I mentioned
it) would provide a bored person with a few minutes of fun. :-)
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.
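
Added example, not part of the original thread or of any tool mentioned in it: a small Python audit that parses a page and lists every hidden field per form, flagging names that suggest sensitive state is being kept client-side. A parser is used so that attribute order, case and quoting do not matter; the name patterns and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed name patterns hinting that server-side state sits in the form.
SENSITIVE = re.compile(
    r"price|amount|total|discount|role|admin|user_?id|account|passw", re.I)

class HiddenFieldAuditor(HTMLParser):
    """Collect every <input type=hidden>, whatever the attribute order or quoting."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.form_action = None   # action of the form currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input" and a.get("type", "").strip().lower() == "hidden":
            name = a.get("name", "")
            self.findings.append({
                "form": self.form_action,
                "name": name,
                "value": a.get("value", ""),
                "sensitive": bool(SENSITIVE.search(name)),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(html):
    """Return one dict per hidden field found in the given HTML text."""
    parser = HiddenFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: unquoted, reordered and single-quoted attributes.
SAMPLE = """
<form action="/checkout" method="post">
  <input type="text" name="qty" value="1">
  <INPUT TYPE=hidden NAME=item_price VALUE=49.99>
  <input name="csrf_token" value="c0ffee" type="hidden">
  <input
     type = 'hidden' name="user_id" value="1042">
</form>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("REVIEW" if f["sensitive"] else "ok    ", f["form"], f["name"], f["value"])
```

Any field flagged for review is a value the server should look up or verify itself instead of trusting what the form sends back.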



