QAInsight.net, QABlog.com, QABlog.net
Brent Strange's thoughts on Software Quality Assurance and technology

 
Sunday, January 08, 2006
  
 

JavaScript injection to change form values

  
 

Back in the day, before I started using proxies to bypass Web form validation (Achilles, Paros, Fiddler), I used to use the tool Paessler Site Inspector to help me bypass some types of form validation (one of Corillian QA's many security tests). Site Inspector uses JavaScript to access the DOM and allow you change the values. Simply put, the tool allowed you to do a JavaScript injection attack. A simple thing to do but Site Inspector made it simpler by wrapping a pretty UI around it. An article I found when perusing through the latest 2600: Hacker Quarterly at Barnes and Noble the other day reminded how truly easy this was to do without a tool. Provided below is a simple example of a JavaScript injection attack:

Consider the following text field in a balance transfer form:

<input name="amount" type="text" maxlength="3">

Let's say this form has a $999 transfer limit controlled by the HTML maxlength property set to 3 (yes, it's cheesy & foolish validation).

From the browser URL bar we can easily bypass this check by using the DOM through JavaScript to change the amount value:

Example 1 (using form name and form textbox element name):
javascript:document.forms['transfer'].elements['amount'].value = '10000'

Example 2 (using the index number of the form and element arrays):
javascript:document.forms[0].elements[0].value = '10000'

You'll get a JavaScript error if your syntax is incorrect or are attempting to access an object that doesn't exist. If you have no error you can double check that the value actually stuck by displaying it in a JavaScript alert. You can do this by typing the following in the browser URL bar:

javascript:alert(document.forms[0].elements[0].value)

The expected result of the test case would be that even though you could do this JavaScript injection attack at the UI, the duplicated server side validation would catch and stop the attack. If it isn't stopped on the server side then you have yourself a serious defect!

Happy testing! I'll talk about bypassing validation with a proxy another day...

 
   
   
   
Comments are closed.

Search QAInsight.net
Subscribe!
RSS 2.0All of QAInsight.net
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

My Testing Tools
Brent's Web Testing Toolbox
User-Agent Info and Tools

QA Blogs
 Bug Bash
 James Bach
 Josh Poley
 Rosie Sherry
 Test Early
 Testing Reflections
 The Braidy Tester
Other, Favorite Blogs
 Alex Scoble
 CopyBlogger
 Greg Hughes
 Jeff AtWood
 Lidor Wyssocky
 Matt Lapworth
 Milind Pandit
 Phillip Forteza
 Rory Blyth
 Scott Hanselman
 Simon Goldstein

Profile
About Brent Strange
Send mail to the author(s)
E-mail
Instant Message
View Brent Strange's profile on LinkedIn

Blog Archive
 List all Posts
December, 2008 (2)
November, 2008 (2)
September, 2008 (7)
August, 2008 (1)
July, 2008 (3)
June, 2008 (1)
May, 2008 (2)
April, 2008 (9)
March, 2008 (14)
February, 2008 (8)
January, 2008 (13)
December, 2007 (8)
November, 2007 (4)
October, 2007 (14)
September, 2007 (11)
August, 2007 (4)
July, 2007 (1)
June, 2007 (4)
May, 2007 (10)
April, 2007 (7)
March, 2007 (6)
February, 2007 (11)
January, 2007 (19)
December, 2006 (6)
November, 2006 (5)
October, 2006 (22)
September, 2006 (12)
August, 2006 (16)
July, 2006 (12)
June, 2006 (19)
May, 2006 (18)
April, 2006 (23)
March, 2006 (27)
February, 2006 (16)
January, 2006 (21)
December, 2005 (14)
July, 2005 (2)

Legal Mumbo-Jumbo
The opinions expressed herein are not necessarily those of my employer, not necessarily mine, and probably not necessary.

Copyright 2009 Brent Strange
Driven by newtelligence dasBlog 2.0.7226.0