Ever have to run a pentest sans tools? Breaking a WebApp can be a fairly tedious experience when your intercepting proxy has flown the coup. Believe it or not many of the functions you may be used to accomplishing through ZAP or Burpsuite can also be done in the URL bar of your browser! URL Injection is a great way to do anything from modifying your browser cookies to changing form data, to modifying arbitrary code on the web page.
For starters let’s take a look at how it’s done:
Some web developers handle authentication and session information with cookies. With the above URL Injection revealing this is trivial, and it’s normally one of the first things I do to any WebApp I’m pentesting. Getting information is all well and good, but how can we put this technique to more nefarious purposes?
The less eloquent method will direct you browser to a blank page (where it will execute your injection). Using that method you have to browse back to the original site for your edits to take the appropriate effect. It can; however, be easier to remember.
Modifying Form Data
One of the most useful aspects of an Intercepting Proxy is its ability to modify form data on the fly. In a pentest we can use this to fuzz the inputs of websites searching for anything from XSS flaws to SQL Injection vulnerabilities. This can also be done with URL Injection. Check it out:
Editing Arbitrary Web Data
And finally for those moments when you have to edit some random html element on a page. There is the innerHTML function. Check out Google’s new facelift!
Basically, we can specify an element on the webpage (in this case “lga”). Then using innerHTML we can edit the code in real time, replacing it with more useful stuff.
This function is also pretty nifty when you’ve MITM’d your spouse with Subterfuge and want to do some seamless edits… Because, You Know… Hacker…