
Sunday, December 13, 2009

Javascript Injection

I found many people asking about XSS and so on. You can check the "XSS" topic discussed earlier from this link:
http://www.orkut.co.in/Main#CommMsgs?cmm=25319870&tid=5399636797310526015

The Javascript injection: A hidden power

Javascript injection is a nifty little technique that allows you to alter a site's contents without actually leaving the site. This can be very useful when, say, you need to spoof the server by editing some form options. Examples will be explained throughout.

Contents:

I. Injection Basics

II. Cookie Editing

III. Form Editing

I. Injection Basics

Javascript injections are run from the URL bar of the page you are visiting. To use them, you must first completely empty the URL from the URL bar. That means no http:// or whatever.

Javascript is run from the URL bar by using the javascript: protocol. In this tutorial I will only teach you the bare bones of using this, but if you are a Javascript guru, you can expand on this using plain old javascript.

The two commands covered in this tutorial are the alert(); and void(); commands. These are pretty much all you will need in most situations. For your first javascript injection, you will make a simple window appear. First go to any website, then type the following into your URL bar:

code
javascript:alert('Hello, World');

You should get a little dialog box that says "Hello, World". This will be altered later to have more practical uses.
You can also have more than one command run at the same time:

code
javascript:alert('Hello'); alert('World');

This would pop up a box that says 'Hello' and then another that says 'World'.

II. Cookie Editing

First off, check to see if the site you are visiting has set any cookies by using this script:

code
javascript:alert(document.cookie);


This will pop up any information stored in the site's cookies. To edit any information, we make use of the void(); command.

code
javascript:void(document.cookie="Field = myValue");


This command can either alter existing information or create entirely new values. Replace "Field" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace "myValue" with whatever you want the field to be. For example:

code
javascript:void(document.cookie="Authorized=yes");

This would either create the field "Authorized" or edit it to say "yes". Whether or not this does anything of value depends on the site you are injecting it on.

It is also useful to tack an alert(document.cookie); at the end of the same line to see what effect your alteration had.
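
The server-side view of the cookie edit above, as an added example that is not part of the original post: a check that trusts an `Authorized=yes` cookie beside one that only accepts a value carrying an HMAC the server issued. The function names, the `session` cookie format and the in-memory secret are assumptions made for illustration (Node.js).

```javascript
// Added example: why a server must not trust a client-editable cookie.
const crypto = require('crypto');

// Constructed per-process secret; a real deployment loads it from server-side config.
const SECRET = crypto.randomBytes(32);

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Weak: believes whatever the browser sends, so a user-set Authorized=yes passes.
function isAuthorizedNaive(header) {
  return parseCookies(header).Authorized === 'yes';
}

// HMAC-SHA256 tag over the cookie value, hex encoded.
function sign(value) {
  return crypto.createHmac('sha256', SECRET).update(value).digest('hex');
}

// Server issues "user|role.<hmac>"; the client can read it but cannot forge the tag.
function issueSession(user, role) {
  const value = `${user}|${role}`;
  return `session=${value}.${sign(value)}`;
}

// Hardened: recompute the tag and compare in constant time before trusting the role.
// Returns the role string, or null when the cookie is missing or was altered.
function roleFromCookie(header) {
  const raw = parseCookies(header).session || '';
  const dot = raw.lastIndexOf('.');
  if (dot < 0) return null;
  const value = raw.slice(0, dot);
  const tag = Buffer.from(raw.slice(dot + 1), 'hex');
  const expected = Buffer.from(sign(value), 'hex');
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) return null;
  return value.split('|')[1];
}
```

With the signed format, changing any character of the cookie in the browser makes `roleFromCookie` return `null`, while the naive check accepts the edited value unchanged.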
