Client-side HTML injection with Firebug

As described in another article, you can use client-side HTML injection techniques for basically two reasons:

  • cheat on your friends
  • send variables

In this example we will send some variables to a PHP page set up to show all POST variables, then we will apply this technique to the eBay homepage to add a filter to the search form.

So, first of all, let’s create a PHP page that shows all POST variables. The code follows:

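<?php
// Echo every submitted POST variable; escape the output so submitted
// markup is displayed as text instead of being rendered by the browser.
echo '<pre>' . htmlspecialchars(print_r($_POST, true), ENT_QUOTES, 'UTF-8') . '</pre>';
?>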

Save this as echo.php on your webserver or in your local testing environment. Create another file, an HTML one this time, call it form.html and paste in the following code:

<html>
<head>
</head>
<body>
<h1>Client side HTML injection playground</h1>
<h2>Use this page as described in the tutorial</h2>
<hr />
<form action="echo.php" method="POST">
<input type="text" name="text_one" /> 
<input type="submit" value="Send" />
</form>
</body>
</html>

Upload or copy these two new files to a convenient location within your webserver documents, and type the complete URL of form.html, like “http://yoursite.com/test/form.html”. You should see something like this:

This is the example form used in this tutorial

Give it a try to check that it works as expected and that there are no syntax errors or other problems. Type “hello” in the text field, click “Send” and see what happens. If all works as expected, you will see the value of the submitted text field, like this:

image of the submitted form
This image shows the submitted vars echoed in the test page

Now we need Mozilla Firefox and Firebug installed. If you haven’t installed them yet, use these links to get there quickly: Firefox, Firebug. Fine, now go back to the form page, right-click on the text field and select “Check Element with Firebug” from the context menu (or similar; I have an Italian version now). Firebug will open and add some panels to the bottom part of your browser, highlighting the element your mouse pointer was on when you right-clicked. The following image shows the window at this point.

Image of Firebug highlighting a form element
This image shows how to open firebug and select the element you are interested in

Now right-click on the selected and highlighted element and select “Edit HTML” from the context menu, as in the following image:

Image of Firebug selecting an element of a form
How to select an element to add html code before or after

A small text editor will appear in place of the HTML panel, containing the code of the element you selected, like this:

Adding html to a live web page with firebug
Firebug editing HTML “Live”

Here we will add a short piece of HTML in order to add a variable to the original form (suppose you don’t have control over the HTML of the form page). This tag could be, for example:

<select name="injected_var"><option>YES</option><option>NO</option></select>

 

Just type it right after the original content of the mini text editor within Firebug, as follows:

image of injected html code
This image shows the injected html code and its results

You will see changes in the page as you write the code, so go straight to the end; don’t worry if it doesn’t look as expected until you finish typing.

At this point, our last step is submitting the form and seeing what happens in the echo.php page.
You should see your new injected variable printed together with the original one, as follows:

Submitted injected html form
This image shows the result of the submitted injected html form

This is a client-side HTML injection.
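
The result above shows why a server cannot assume that a form arrives with only the fields it rendered. The following is an added example, not code from the original article: a variant of echo.php that accepts only the expected text_one field and reports anything else, such as injected_var. The function name filter_post, the 100-byte limit and the sample array are assumptions made for illustration.

```php
<?php
// Added example (not from the original article): server-side allowlist
// for the tutorial's form. The field name text_one comes from form.html;
// the 100-byte limit and the function name are assumptions.

const ALLOWED_FIELDS = ['text_one' => 100]; // field name => max length in bytes

/**
 * Split submitted data into accepted values and rejected field names.
 */
function filter_post(array $post): array
{
    $accepted = [];
    $rejected = [];
    foreach ($post as $name => $value) {
        $name = (string) $name;
        // Reject fields the server never rendered, and array-valued
        // input (text_one[]=x), which a plain text field never sends.
        if (!array_key_exists($name, ALLOWED_FIELDS) || !is_string($value)) {
            $rejected[] = $name;
            continue;
        }
        // Reject values longer than the server-side limit for this field.
        if (strlen($value) > ALLOWED_FIELDS[$name]) {
            $rejected[] = $name;
            continue;
        }
        $accepted[$name] = $value;
    }
    return [$accepted, $rejected];
}

// Constructed sample: what echo.php receives once the <select> is injected.
$sample = ['text_one' => 'hello', 'injected_var' => 'YES'];
$input = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' ? $_POST : $sample;

[$accepted, $rejected] = filter_post($input);

// Answer 400 when unexpected fields were sent; plain text avoids rendering input.
http_response_code($rejected ? 400 : 200);
header('Content-Type: text/plain; charset=utf-8');
echo "Accepted:\n";
print_r($accepted);
echo "Rejected field names:\n";
print_r($rejected);
```

Run from the command line, the script uses the constructed sample; served in place of echo.php, it processes the real form submission.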
Now let’s apply it in the real world: this short footage shows how to use it, for example, with the eBay search form without leaving the homepage, saving time.

Thanks for reading/watching 


Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa. In 1982 he received his first home computer, a Commodore 64, followed by a Datasette and a 1541 Floppy Disk Drive. In 1999 he installed his first Linux distro (LRH6). In 2006 he switched to Debian as his favourite OS. Giuseppe Urso actively supports the Free Software Foundation and its founder, Richard Matthew Stallman; he speaks to people, trying to convince them to join the fight now, and about how important it is to use Free Software only. He has a job as Infra Specialist at Hippo Enterprise Java CMS, an Open Source enterprise-class Content Management System and one of the coolest companies ever, in Amsterdam. He's always ready to install Debian on other people's computers for free.
