WebApp Sec mailing list archives
RE: View and edit hidden HTML form fields (fwd)
From: "Jordi Molina" <warper () eresmas com>
Date: Thu, 12 Jun 2003 19:15:30 +0200
Hi all. I think that the application is good for checking whether there is any hidden field in the form that stores sensitive information. I have to say, too, that, in many ways, this kind of "programming error" has been checked by anyone who works with dynamic web applications.

At this time, I have a lot of questions regarding the storage of session variables in many languages (ColdFusion, e.g.). I checked whether Internet Explorer stores them in a cookie, but I haven't found them yet. Does anyone know where these variables are stored on the client side? Is there any program like this one that allows checking the content of session variables instead of hidden fields in HTML forms?

Thanks in advance.

PS: Excuse me for my bad English, I think I have to practice a little more :)

-----Original Message-----
From: sirkus [mailto:sirkus () sirkit net]
Sent: Thursday, June 12, 2003 17:13
To: webappsec () securityfocus com
Subject: Re: View and edit hidden HTML form fields (fwd)

Indeed. I certainly wasn't claiming any greatness on the part of the program, especially since we're not a Windows shop -- it doesn't particularly apply to me. My point was that while I may be comfortable with using Perl/LWP and regular expressions as a coder, these are things I use on a regular basis while doing assessments. However, for others (such as many who I work with that do not code) this provides a simple way to demonstrate various simple client-side state weaknesses.

I would also agree that there are many other tools out there that do similar things (and much more), especially where actual assessments are the goal. I was just simply stating that for its intended purpose, it works, and integrates into IE as a side bar, making it easy to tote around. (Again, for those who use IE...)

On Wed, 2003-06-11 at 17:01, Tim Greer wrote:
No doubt it looks slick. I've not attempted to run it (don't really have any need nor desire to). Though for desktop use, sure, this would be a better solution. I'm not sure what you mean by "those who use LWP and regex" though? LWP is a Perl module and regex is short for "regular expression".

I.e., s/<input[\s\n]+type\s*=[\s\n]*hidden[\s]+/<input type=text /igs;

It would automatically transform hidden tags to text fields for every page. It would operate and look the same, and any things that require a referer could be easily modified to work. I.e., surf with hidden tags shown as text fields. The scripts wouldn't and couldn't know the difference. In other words, you could put it on a web site (or run it locally -- yes, if you had Perl and the LWP module installed locally) and surf such as that.

Anyway, it's a trivial matter anyway. If a script is vulnerable to such things, it's pretty much a target that will get hit anyway. I suppose this tool, or the Perl solution (this would be about 4 lines or so of code, is why I mentioned it) would provide a bored person with a few minutes of fun. :-)

--
Regards,
Tim Greer chatmaster () charter net
Server administration, security, programming, consulting.
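The thread's two points, auditing your own forms for hidden fields that carry trust-sensitive state and Tim Greer's hidden-to-text substitution, as an added example that is not part of any post in the thread. The field-name pattern, the parser class and the sample page are assumptions constructed for the demo; the substitution shows that the thread's unquoted-`type=hidden` regex leaves the quoted `type="hidden"` form untouched.

```python
# Added example (not from the thread): audit an HTML page for hidden
# form fields holding state the server should not trust, and show the
# quoting case the thread's regex (unquoted type=hidden) does not catch.
import re
from html.parser import HTMLParser

# Assumed list of field names that commonly carry server-side state
# pushed to the client (prices, identities, roles).
SUSPICIOUS = re.compile(r"price|amount|total|role|admin|user_?id|session", re.I)


class HiddenFieldAuditor(HTMLParser):
    """Collect every <input type=hidden> together with its form's action."""

    def __init__(self):
        super().__init__()
        self.form = None
        self.hidden = []  # (form action, field name, field value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((self.form, a.get("name") or "", a.get("value") or ""))


def audit(html):
    """Return hidden fields whose name suggests trust-sensitive state."""
    p = HiddenFieldAuditor()
    p.feed(html)
    return [h for h in p.hidden if SUSPICIOUS.search(h[1])]


# The thread's Perl substitution expressed in Python. It only matches the
# unquoted form type=hidden, so quoted type="hidden" inputs stay hidden.
THREAD_RE = re.compile(r"<input[\s\n]+type\s*=[\s\n]*hidden[\s]+", re.I | re.S)


def unhide(html):
    """Rewrite unquoted hidden inputs as text inputs (trailing space kept)."""
    return THREAD_RE.sub("<input type=text ", html)


# Constructed sample page for the demo.
SAMPLE = """<form action="/checkout">
<input type=hidden name=price value="19.99">
<input type="hidden" name="user_id" value="42">
<input type=hidden name=csrf value="abc">
<input type=text name=qty value="1">
</form>"""

if __name__ == "__main__":
    for action, name, value in audit(SAMPLE):
        print(f"{action}: hidden field {name!r} = {value!r} is client-controlled")
    print(unhide(SAMPLE))
```

The audit flags `price` and `user_id` as values the server must recompute or look up itself rather than read back from the form; the CSRF token is hidden state that belongs on the client and is not flagged.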