Hacking with JavaScript

SIMPLE HTML FORMS

1. Bypassing Required Fields

Surely you have come across a webpage that requires you to fill in every field of a form before you can submit it. It is possible to bypass these types of restrictions on any webpage. If you take a look at the webpage’s source and follow it down to the form’s code, you will notice the form’s onsubmit attribute. By now you have hopefully experienced the power of JavaScript and know that it has control over every single element in a webpage, including forms. We can use JavaScript to our advantage on every page we view, because we can modify, delete, or add any element on the webpage. In this case we want to clear the form’s onsubmit attribute so that the form is submitted successfully.

The onsubmit attribute generally points to a function that checks that the form has the correct format. A function that does this may look something like this:

function formSubmit(x)
{
    // Block submission while the email field is empty.
    if (x.email.value == "") return false;
    return true;
}

I will not go into great detail about how the formSubmit function works. You should know that if the (textfield/optionfield/option/..) field is left blank, the form will not be submitted to process.php. Now comes the moment of truth: how do we modify the form so that onsubmit returns true every time? We can access the form with JavaScript and do this as follows:

document.forms[x].onsubmit="return true;";

or

document.spamform.onsubmit="return true;";

Both of these ‘queries’ will allow you to submit the form free of restrictions. The secret is how to execute them. I do this using my browser’s Location bar. All you have to do is enter this text into the location bar and press enter:

javascript:document.spamform.onsubmit="return true;";

The above statement will not work, because the ‘query’ returns a value that JavaScript doesn’t know what to do with, so it dumps the returned value on the screen. We need a way to use this value and keep it from being passed on to JavaScript. I know the exact way to do this: with alert()!

javascript:alert(document.spamform.onsubmit="return true;");

You will see an alert box containing “return true;” instead of the value being dumped into the web browser. Once you have executed this query you will be able to enter whatever value you like into whatever field in spamform.
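Because the onsubmit check can be cleared in the browser, the same check has to be repeated wherever the form is processed. The following is an added example, not code from the original article: a Node.js stand-in for process.php that re-applies the formSubmit rule to the raw request body. The email field comes from the article; the rules table, limits and function name are assumptions.

```javascript
// Added example: server-side re-validation of the form from the article.
// Assumption: the form posts application/x-www-form-urlencoded data and has
// an "email" field (from the article's formSubmit); the rules table, limits
// and function names are hypothetical.

const RULES = {
  email: { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
};

// Validate a raw request body. Never trusts that onsubmit ran in the browser.
function validateSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const clean = {};

  for (const [field, rule] of Object.entries(RULES)) {
    const values = params.getAll(field);
    // A field sent twice is ambiguous; reject instead of picking one.
    if (values.length > 1) {
      errors.push(`${field}: duplicate parameter`);
      continue;
    }
    const value = (values[0] ?? "").trim();
    if (value === "") {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    if (value.length > rule.maxLength) {
      errors.push(`${field}: too long`);
      continue;
    }
    if (!rule.pattern.test(value)) {
      errors.push(`${field}: invalid format`);
      continue;
    }
    clean[field] = value;
  }
  return { ok: errors.length === 0, errors, clean };
}

// Constructed sample bodies: what the server receives with and without
// the browser-side check in place.
const samples = [
  "email=alice%40example.com", // normal submission
  "email=",                    // onsubmit cleared, field left blank
  "",                          // field removed from the form entirely
  "email=a%40b.co&email=",     // duplicated parameter
];
for (const body of samples) {
  console.log(JSON.stringify(body), "->", JSON.stringify(validateSubmission(body)));
}
```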

Full Article: Hacking with Javascript



By: sandya
