Hi, I would like a tool (or Firefox) that enumerates all , elements on a target HTML page and generates a new HTML page which I can use to post to the original page.

I want to use this for security / sql injection testing, to circumvent any JavaScript validations.

The Web Developer Firefox plugin is close, but it doesn't let me change the values of radio button elements.

A: 

The easiest way to do this is to use Firebug to edit the DOM.

You can use the Web Dev Toolbar to disable JavaScript, and you can use Firebug's HTML view to edit attribute values in real time.

In general, Firebug is an excellent tool for web developers and designers and I (and many other people) highly recommend it.

SLaks
Why was this downvoted?
SLaks
Firebug is *not* the right way to do this. Use the same tools the people exploiting your site might possibly use. Fiddler is a good choice, doesn't require you to use a browser and can do much more analysis than simply posting a form with modified input values via Firebug can.
Abba Bryant
Also, I voted it down accidentally. Not that I think it was a good or correct answer, but it didn't deserve to be voted down. A clarification comment was more than enough criticism. Sorry for the neg rep.
Abba Bryant
@Abba#1: I didn't mean to say that Firebug is the ultimate pen-testing tool; I'm saying that it's the easiest. Modifying an `option` element in Firebug is _much_ easier than crafting a request in Fiddler.
SLaks
+1  A: 

Selenium is great for this kind of web UI testing.

cxfx
+2  A: 

You shouldn't be using JavaScript as a form of security. Validations via JS should only be used to improve the user's experience. Therefore, SQL injection protection should be occurring server-side with parameterized queries. To edit values, you could use Firebug to test any JavaScript/input.

EDIT: You could also use Tamper Data. It is an easy-to-use add-on which lets you change any of the POST parameters quickly.

keyboardP
Right, so what did I just answer with a link to the Firebug add-on?
keyboardP
I was responding to the first part.
SLaks
I hardly think extra relevant information is something to be criticized, especially in a condescending manner. In fact, the original question could be misread to mean that the SQL Injection/Security testing was in place in order to circumvent the validation. Therefore, that implies security at a JS level. Also, you have to realise that other people may come and wander into this thread, who may be using JS level security and so I hardly think a quick explanation is a problem. Your comment was unnecessary and would only have a point if I didn't actually answer the question.
keyboardP
You're right; I apologize.
SLaks
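An added example, not part of any answer in this thread, of the server-side handling the answer above calls for: the radio-button value is checked against an allow-list on the server and every field is passed as a bound parameter, next to the string-built query it replaces. The table, field names, and allowed values are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table and rows, for illustration only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, plan TEXT)")
    db.executemany("INSERT INTO orders (owner, plan) VALUES (?, ?)",
                   [("alice", "basic"), ("bob", "pro"), ("carol", "basic")])
    return db

# Assumed: the only values the page's radio buttons offer.
ALLOWED_PLANS = {"basic", "pro"}

def find_orders_concat(db, form):
    """'Before': builds SQL from the fields, trusting the browser to have validated them."""
    sql = ("SELECT owner FROM orders WHERE owner = '%s' AND plan = '%s'"
           % (form["owner"], form["plan"]))
    return [row[0] for row in db.execute(sql)]

def find_orders_safe(db, form):
    """'After': allow-list for the radio value, bound parameters for every field."""
    plan = form.get("plan", "")
    if plan not in ALLOWED_PLANS:
        raise ValueError("plan is not one of the offered options")
    rows = db.execute("SELECT owner FROM orders WHERE owner = ? AND plan = ?",
                      (form.get("owner", ""), plan))
    return [row[0] for row in rows]

# Constructed request bodies: what the server can receive once the page's
# JavaScript checks are disabled or the request is edited in transit.
NORMAL = {"owner": "alice", "plan": "basic"}
TAMPERED_RADIO = {"owner": "alice", "plan": "basic' OR '1'='1"}
TAMPERED_TEXT = {"owner": "x' OR '1'='1", "plan": "basic"}

if __name__ == "__main__":
    db = make_db()
    print("concat, edited radio value:", find_orders_concat(db, TAMPERED_RADIO))
    print("safe, edited text value:   ", find_orders_safe(db, TAMPERED_TEXT))
    try:
        find_orders_safe(db, TAMPERED_RADIO)
    except ValueError as exc:
        print("safe, edited radio value:   rejected:", exc)
```

The allow-list matters even with bound parameters: a radio value the form never offered is not an injection, but it is still input the application did not expect.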
+4  A: 

If you're doing SQL injection testing, you should be sending the POST requests directly, not using a web form. It's easier to automate testing and covers a greater range of attack vectors... Plus, that's what the crackers will be doing, anyway.

Edit: a great compromise between the two ways is Fiddler: http://www.fiddler2.com/fiddler2/ ... You can submit via the web form (with JS disabled) and then edit the outgoing traffic to try to break your SQL injection.

Robert Fraser
How can this be done in Fiddler? Note I am using a form over HTTPS.
frankadelic
Submit the form (with or without validation), use Fiddler to capture the submitted HTTP request, change some of the values to invalid ones (or eliminate/add some), check if you get some access you shouldn't.
Robert Fraser
Ah, the key for HTTPS in Fiddler2 was... Tools : Fiddler Options : HTTPS : Decrypt HTTPS traffic
frankadelic
A: 

I think the simplest way to do this is not to use forms at all. You can run Fiddler during a normal request and you will see your POST request occur.

You can then replay and modify that request using Fiddler's 'Request Builder' (drag the actual request onto the 'Request Builder' tab and it will clone the request.) This allows you to create whatever bad inputs you wish without worrying about generating new forms to handle this.

Dolbz
A: 

Tamper Data https://addons.mozilla.org/en-US/firefox/addon/966 - does HTTP header modification too.

zen