JavaScript code can be injected through the address bar of a web browser to edit an online form before submitting it. Below I am posting an example for archiving purposes.

Assuming the page has a contact form, where submitted data is sent to an email address included in a hidden HTML input tag as in the following code:

<form name="ContactForm" action="submit.php" method="post">
<input type="hidden" name="Email" value="admin@website.com" />

To change the email address to: myemail@hotmail.com, the following code can be injected:

javascript:void(document.ContactForm.Email.value="myemail@hotmail.com");

Here, ContactForm is the name of the form and Email is the name of the input tag.

To check that the value has actually been changed, view it with:

javascript:alert(document.ContactForm.Email.value);

If the form has no name, check its position in the page: if it is the first form, you may refer to it using forms[0]. The same applies to the input tag, which you may refer to by position, for example elements[0] for the first element in the form.

This way, assuming the form is the first on the page and the input tag is the fourth element in that form (index 3, since numbering starts at 0), our code will be:

javascript:void(document.forms[0].elements[3].value="myemail@hotmail.com");

and

javascript:alert(document.forms[0].elements[3].value);
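The edit works because submit.php takes the recipient from a field the browser controls. The following is an added example, not code from the original post, showing the server-side counterpart in JavaScript: the recipient is read from server configuration and the posted hidden value is only compared against it to flag tampering. The handler names, FORM_CONFIG, and the Name and Message fields are assumptions made for illustration.

```javascript
// Added example, not from the original post. All names here are hypothetical.
// Server-side settings: the recipient never depends on what the browser sends.
const FORM_CONFIG = {
  ContactForm: { recipient: "admin@website.com", userFields: ["Name", "Message"] },
};

// Vulnerable pattern: the mail goes wherever the posted hidden field says.
function recipientTrustingClient(post) {
  return post.Email;
}

// Hardened pattern: the recipient comes from FORM_CONFIG. The posted hidden
// value is only compared against it so that tampering can be logged.
function handleSubmission(formName, post) {
  const cfg = FORM_CONFIG[formName];
  if (!cfg) throw new Error("unknown form: " + formName);

  const message = {};
  for (const field of cfg.userFields) {
    // Copy only the fields a visitor is expected to fill in.
    message[field] = typeof post[field] === "string" ? post[field].trim() : "";
  }
  const tampered = "Email" in post && post.Email !== cfg.recipient;
  return { to: cfg.recipient, message, tampered };
}

// Constructed sample submissions: one untouched, one with the hidden field edited.
const untouched = { Name: "Alice", Message: "Hello", Email: "admin@website.com" };
const edited = { Name: "Alice", Message: "Hello", Email: "myemail@hotmail.com" };

console.log("trusting client:", recipientTrustingClient(edited));
console.log("hardened:", handleSubmission("ContactForm", edited));
```

With this handler, changing the hidden field in the browser no longer redirects the message; it only sets the tampered flag, which can be written to a log.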
