Monthly Archives: August 2013

Pentesting WebApps with Javascript URL Injection

Synopsis

Ever have to run a pentest sans tools? Breaking a WebApp can be a fairly tedious experience when your intercepting proxy has flown the coop. Believe it or not, many of the functions you may be used to accomplishing through ZAP or Burp Suite can also be done in the URL bar of your browser! URL Injection is a great way to do anything from modifying your browser cookies to changing form data to modifying arbitrary code on the web page.

Injection Basics

For starters, let's take a look at how it's done:

Basic URL Injection

The JavaScript alert function is the progenitor of those annoying popups that pervaded the internet in the nineties, and still exist on the sites of those web developers who haven't pulled their heads out of a hole in over a decade. For our purposes the alert function is extremely handy: we can use it to quickly interrogate our browser. The above command, for instance, will display the current cookie values for our perusal. Your browser can be interrogated in the same way for just about any of the information an intercepting proxy yields.

Some web developers handle authentication and session information with cookies. With the above URL Injection, revealing this is trivial, and it's normally one of the first things I do to any WebApp I'm pentesting. Getting information is all well and good, but how can we put this technique to more nefarious purposes?

Cookie Fraud

JavaScript URL Injection is my preferred method of modifying web session cookies because it's quick, easy, and because 60% of the time it works every time. This is most eloquently done with the void() function, though it can be left off.

More Eloquent:
javascript:void(document.cookie="MyCookie=MyValue")

Less Eloquent:
javascript:document.cookie="UserID=42"

The less eloquent method will direct your browser to a blank page (where it will execute your injection), because without void() the result of the assignment is not discarded and the browser navigates to it. Using that method you have to browse back to the original site for your edits to take effect. It can, however, be easier to remember.

Modifying Form Data

One of the most useful aspects of an intercepting proxy is its ability to modify form data on the fly. In a pentest we can use this to fuzz website inputs, searching for anything from XSS flaws to SQL Injection vulnerabilities. This can also be done with URL Injection. Check it out:

javascript:void(document.forms[0].to.value="");

Editing Arbitrary Web Data

And finally, for those moments when you have to edit some random HTML element on a page, there is the innerHTML property. Check out Google's new facelift!

GoogleFaceLift

javascript:void(document.getElementById('lga').innerHTML="<img src='http://kinozoa.com/images/0sm0s1z.png' style='padding-top:112px'>")

Basically, we can specify an element on the webpage (in this case "lga"). Then, using innerHTML, we can edit its markup in real time, replacing it with more useful stuff.

This function is also pretty nifty when you’ve MITM’d your spouse with Subterfuge and want to do some seamless edits… Because, You Know… Hacker…