Friday, August 21, 2009

Javascript Injection and Cookie Editing - Web Hacking

JavaScript is a powerful scripting language that comes in really handy when you're dealing with web-based environments. Although the basic use of JavaScript is to spice up your web pages, it can also play tricks with web pages and web servers and can help in developing an exploit.

What is an Injection?

So, to start off, let us consider the ways in which JavaScript can be deployed as a tool here. Applying JavaScript is as easy as ABC. A JavaScript Injection is performed by clearing the website address from the URL bar and pasting the script in its place. Pressing the Enter key executes the script in the context of the page that is currently loaded. This is what is called a JavaScript Injection.

What can you do by using Javascript Injections?

There is a lot of stuff you can do with JavaScript if you know how to use it properly. I'll cover two basic tricks you can play using JavaScript:

a) Cookie Editing
b) Form Editing

In this tutorial we will only be covering Cookie Editing!

Cookie Editing

I shall not bear the responsibility of any misuse of the following information. It is being shared just for the sake of imparting knowledge.

By using JavaScript, you can edit the information contained in the cookies: change the existing entries or add completely new ones. Before you begin with cookie editing, your first step should be to find out whether the site you are visiting has set any cookies by using this script:

javascript:alert(document.cookie);

Just paste this in the address bar and press Enter. A pop-up will show the information stored in the site's cookies. Now, if you want to edit the information contained in the cookies, you have to make use of the following command:

javascript:void(document.cookie="Field = myValue");

This command can either alter existing information or create entirely new values. Replace “Field” with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace “myValue” with whatever you want the field to be. For example:


This is just an example and the field name you have here depends on the site you're injecting in.
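
Because these edits happen entirely in the visitor's browser, a server cannot assume that a cookie still holds the value it issued. The following is an added example, not code from the original post: a Node.js routine in which the server signs each cookie value with an HMAC and rejects a value that was rewritten through document.cookie. The secret, the helper names signCookie, verifyCookie and parseCookieHeader, and the sample headers are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side secret. Constructed value, for the demo only.
const SECRET = 'demo-only-secret-change-me';

// Bind the MAC to the cookie name so a signed value cannot be moved to another field.
function mac(name, value) {
  return crypto.createHmac('sha256', SECRET).update(`${name}=${value}`).digest('base64url');
}

// Value the server places in Set-Cookie: "<value>.<mac>"
function signCookie(name, value) {
  return `${value}.${mac(name, value)}`;
}

// Returns the original value, or null when the cookie was edited or never signed.
function verifyCookie(name, raw) {
  const dot = raw.lastIndexOf('.');
  if (dot < 0) return null;
  const value = raw.slice(0, dot);
  const given = Buffer.from(raw.slice(dot + 1));
  const expected = Buffer.from(mac(name, value));
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? value : null;
}

// Parse a Cookie request header into { name: rawValue }.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Constructed request headers: untouched, rewritten in the browser, and
// rewritten while reusing the MAC that was issued for the old value.
const issued = signCookie('Field', 'guest');
const untouched = parseCookieHeader(`Field=${issued}`);
const edited = parseCookieHeader('Field=myValue');
const spliced = parseCookieHeader(`Field=myValue.${issued.split('.')[1]}`);

console.log(verifyCookie('Field', untouched.Field)); // guest
console.log(verifyCookie('Field', edited.Field));    // null
console.log(verifyCookie('Field', spliced.Field));   // null
```

Marking session cookies HttpOnly in the Set-Cookie header additionally keeps them out of document.cookie, but any value the server relies on should still be verified or kept server-side.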


Anonymous said...

well you gave good technical details.
thanks a lot.

