I. Injection Basics
You can also have more than one command run at the same time:
II. Cookie Editing
First off, check to see if the site you are visiting has set any cookies by using this script:
It is also useful to tack an alert(document.cookie); at the end of the same line to see what effect your altering had.
III. Form Editing
Every form on a given webpage (unless named otherwise) is stored in the forms[x] array… where “x” is the number, in order from top to bottom, of all the forms in a page. Note that the forms start at 0, so the first form on the page would actually be 0, and the second would be 1 and so on. Lets take this example:
<form action=”http://www.website.com/submit.php” method=”post”>Note:Since this is the first form on the page, it is forms
<input type=”hidden” name=”to” value=”email@example.com”>
Say this form was used to email, say vital server information to the admin of the website. You can’t just download the script and edit it because the submit.php page looks for a referer. You can check to see what value a certain form element has by using this script:
In this case, It would pop up an alert that says “firstname.lastname@example.org”
So here’s how to Inject your email into it. You can use pretty much the same technique as the cookies editing shown earlier:
Then you could use the alert(); script shown above to check your work. Or you can couple both of these commands on one line.
Posted by XERO . Thanks to NeoXdyne , testingsecurity.com