DO NOT TRY THIS AT HOME : Our text files and message bases are for INFORMATIONAL PURPOSES ONLY. DO NOT undertake any project based upon any information obtained from this or any other web site.We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
(155 votes) Published: Apr 22, 2007 10:41 a.m. In 24 Favorites Lists Viewed 1107 times
This is part of the series "AE’s Guide To Website Manipulation". For a full listing of articles in this series, click here.
This article is brought to you by:
Introduction The first step to manipulating a website to do what you want is to know how the website works. In this article, we will be discussing form data, the two different types of form methods, and tampering form data.
Introduction To Forms Here is an example of a basic form, taken from w3schools.
In this example, the name of the form is "imput", the data from the form is being sent to a page hosted locally named "html_form_action.asp", and the method is "get".
There are two different methods used in forms, post and get. The difference between the two is that get data can be viewed in the url, but post data can’t. Get data can be used in hyperlinks, but post data is limited to only forms.
Tampering Get Data Example:
Quote Get Data:
...html_form_action.asp?user=AE
The value of "user" can be clearly seen in the url, meaning it could be easily changed by editing the url in the address bar, and resending the data. Easy right? Well unfortunately, most websites don’t use get data for anything important being sent.
Tampering Post Data But if we changed "get" to "post" in the image I showed you earlier, the output url would be as follows.
Quote Post Data:
...html_form_action.asp
The value of "user" cannot be seen in the url, but it was still sent to the page using post data, meaning editing it can be a bit more tricky. For this I recommend the Firefox extention Tamper Data
Quote:
Use tamperdata to view and modify HTTP/HTTPS headers and post parameters.
Trace and time http response/requests.
Security test web applications by modifying POST parameters.
FYI current version of Google Web Accelerator is incompatible with the tampering function of TamperData. Your browser will crash.
Works with:
Firefox Firefox: 1.0 – 2.0.0.*
By using this add-on, you can tamper post data being sent to webpages through forms. First, make sure nothing in firefox is loading, or else you will be bombarded with tamper requests when you turn the tamper feature on. Next, choose the form you want to tamper with, and fill it out, without submitting the data yet. As an example, I will use an poll here on RottenEggs.
Now, go to Tools>Tamper Data in the Firefox menu, and click "Start Tamper".
Go back to the page where the form is, without closing Tamper Data, in this case, the poll, and submit the form data. After about a second, you will get a tamper request in your Tamper Data window. Uncheck "Continue Tampering?", and click "Tamper".
Each poll option has a value in the form (visible in the source code), the first option on this specific form being 0, the second option being 1. If I change the "poll_option" input from 0 to 1, since I chose 0, it would change my vote to the second option. But if I change my vote to a non-existant option, i.e. 2, since there are no options with the value of 2, it will send a blank vote. Now I just click "Ok", and my vote submits.
And there you have it, a vote for a non-existant option. There are much more interesting things you can do with this, but I chose something simple for this article.
Any way you can make it say AE voted for Shut the Hell Up
If weasel set the names of the votes as the value you could, but since he uses numbers, then the php tells the poll what the number represents, you can’t do it, unfortunately. It may work on other sites though.
Apr 22, 2007 5:41 pm - I’m sure you could do it with GET data as well, but sometimes websites force you to use post data, such as donating egg points to groups here on RottenEggs.
Apr 23, 2007 5:15 am - Thanks Keiser. And I just sort of mess around on the computer a lot while I’m at home, after a while just started picking stuff up.
Edit Page
Message AE
Add Comment
Add to Favorites
Email to Friend
Firefox Firefox: 1.0 – 2.0.0.*
