« Home

Creating a Visual Basic worm »VIDEO: Bill Gates smashes into camera »The Mob at Defcon »Hacking Browsers (VML Buffer Overflow and DoS) »phpMyAdmin Directory Traversal »Hacking Microsoft's Universal Plug N' Play Event (... »Good to be here »A new writer joins the team »Hacking (any) Email Server »VX improved » 

Javascript Injection

Published 10.30.2005 by jm | E-mail this post

E-mail this post



Remember me (?)



All personal information that you provide here will be governed by the Privacy Policy of Blogger.com. More...


I have a new favorite exploit, because it's so much fun, and so simple, and requires linear thinking. First, let me describe the command you will be using. This is a command that you put into the browser address bar:

javascript:alert(document.form[1].price.value)

This command is broken down with the following:
javascript:alert is the command for a popup document. is the location of our playground. This pretty much says "This webpage we are looking at now."
form[1] is the form name.
price is the variable
value is the value. This can also be length, or whatever the variable conditions can be.

Example hack, with no explanation:

This Ticketmaster link
Copy and paste these commands into the browser one after another:
javascript:alert(document.asb.iu.value)
javascript:void(document.asb.iu.value="fart.com")
javascript:alert(document.asb.iu.value)

This changes the referencing address to "fart.com" as we see in the screenshot below.



Actual hack, with explanation:

Now for actual explanation. I searched for a random show in my area. This may be outdated by the time you look for it, but simply go to Ticketmaster.com and find an event in your area and find the page that tells you the cost per ticket. I used: Ticketmaster link. This is where nueance and grace takes place. View source, and find form names and variable names. To skip to the important part, I found the form's name is "chkOutResrv" and the variable name is "p_0000000000010". So now we can play.

First, show yourself the value of the ticket with:
javascript:alert(document.chkOutResrv.p_0000000000010.value)
next, change the value, make sure you us "void" instead of "alert" as void tells javascript to change a value:
javascript:void(document.chkOutResrv.p_0000000000010.value="$1")
Next, verify the value was saved with:
javascript:alert(document.chkOutResrv.p_0000000000010.value)



At this point, the actual price hasn't changed, just the value at this particular page. If you go through with ordering a ticket, on the same page they ask for credit card information, change the value, and then the price will be changed. They will charge your credit card for $1, then whatever service charges might apply. This is further than I wanted to go, because I did not want to be arrested for theft or anything. Hopefully after this happens a few times, online sales places will change their security.

How do you find variables and form names:

I went the next step, and looked at an online flight booking place. (Travelocity in this case). I found my flight (Dulles to Berlin) and went through all the steps to "Buy ticket now." Here, I opened the page source, and looked for variables like:

input type=hidden name="svc_fee_ind" value="1"
input type=hidden name="surc_amt" value="5.00"
input type=hidden name="previous_page" value="airgprice"
input type=hidden name="total_Xsellprice" value="1603.31"

Next I looked for the form name. Typical form names come after "document.", so I searched for that string and found:

document.forms[0].action = url;

Which let me know that the form name is "forms[0]"

To change the surcharge, I put in the address bar:

javascript:void(document.forms[0].surc_amt.value="$1")

And bam, no more surcharge. The rest is up to you.

    If the human body was never exposed to ailments, it would be impressivly vulnerable to the slightest cold. If our country was never exposed to hacking, it would be oppressivly vulnerable to cyber terrorism. With out the creation of a malicious hacking, Afganistan could have destroyed America's economy with a ping flood. This is why I encourange maclicious hacking, as an ethical practice. Without strengthening our defenses, we are weak. This site is focused on security through knowledge. I detest the fact that so many companies are being exploited because malicious hackers know their security holes before they do. For that reason, I hope to educate where the exploits lay. This isn't a 100% information base, as I only publish things I have been able to implement on myself. No credit is needed anywhere . However if you are a publisher, I would appriciate credit. I am an advocate of open source, so copy and paste and call it your own if you like. If my work is good enough for you to plagerize then that is my biggest compliment . If my work is good enough, I will be approached and asked to write more ... this is natural selection of the digital age .

Previous hacks

Previous Hacks



    This link kills spam


    spam IP addresses


    These are sites I block at my firewall.

    cdn2.gms1.net
    gms1.net
    servedby.advertising.com
    advertising.com
    a.tribalfusion.com
    tribalfusion.com
    pimpslord.com
    altfarm.mediaplex.com
    mediaplex.com
    ad.yeildmanager.com
    yeildmanager.com
    doubleclick.net
    isg32.casalemedia.com
    casalemedia.com

    Cost of the War in Iraq
    (JavaScript Error)

Two very recommended books:


. . The only hacking forum I have found worth mentioning here