edit html source code "live"

  • edit html source code "live"

    Anyone know of a good Firefox extension to edit the source code of a website and refresh as if the source code was on the server? Ex: if a site has a form with a special ID in a hidden field, I can change that ID, hit refresh, then I can submit the form with the new ID, without actually changing it on the server. I know with Opera I can do this, but I'm hoping there's a Firefox extension. Not even sure what I'd search for to find this. The reason I need it is to test security on forms and such (scripts I make). Great for testing for SQL injection, or POSTing a form with different arguments than those intended, etc.
    Red Squirrel

  • #2
    Can't you just save the webpage, edit it and double click it? You get the same results.
    BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING.

    • #3
      Originally posted by ^Dash^
      Can't you just save the webpage, edit it and double click it? You get the same results.
      No you wouldn't. Think how relative links work.

      • #4
        I'm not sure if it edits live code, or not, but I think Greasemonkey might be one to look at.

        http://greasemonkey.mozdev.org/
        Biggest Brother's watching Bigger Brother watching Big Brother watch you.

        • #5
          Originally posted by Voltage Spike
          No you wouldn't. Think how relative links work.
          Well, if you start editing a form you can easily modify the links too. I mean, once you start doing something... you might as well do it all the way.
          BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING.

          • #6
            Actually I've tried turning relative links to full links with the URL, and oddly, it's not the same. I used Opera to exploit some guy's shout box once: if you sent the user name field (which did not appear if you were not logged in, so I added it) it would authenticate as that user. The guy never cared either, yet he was very conservative about who could do what on the forum. But when I downloaded the script and changed to a full path, it did not work. Think it has to do with how the POST request is sent.

            Since I'm working on the script myself I can change it and hit refresh, but I'm hoping to do it without touching the script. If there's no extension I can always just use Opera, though it's always nice if I can stick to one browser and Firefox is my main browser.
            Red Squirrel

            • #7
              http://www.nvu.com/

              Nvu is what I currently use for "live" editing; it basically ties into your FTP server and allows direct editing of websites, then you just hit the publish button.
              ~:CK:~
              I would like to meet a 1 to keep my 0 company.

              • #8
                Not sure what all you want to do. If you are trying to edit an entire page you may want to try using a program designed to do this, but if you just want to do simple things, like change values in a form, then JavaScript injection should work (i.e. custom countries in Snitz, or removing required fields). An article on it is here: http://seclists.org/lists/bugtraq/2005/Feb/0193.html

                For editing whole webpages, try something like http://www.ieinspector.com/dominspector/

                Or just go to Google and search for "live edit html source", without quotes. Lots of info there.

                @red squirrel, the reason for this is usually that another file was downloaded when you saved the webpage (i.e. CSS document), in which case you need to edit links in there, also.

                • #9
                  haha, you guys trying to deface a site or edit one....cause I am starting to feel it might be the first one.
                  ~:CK:~
                  I would like to meet a 1 to keep my 0 company.

                  • #10
                    Originally posted by ck3k
                    haha, you guys trying to deface a site or edit one....cause I am starting to feel it might be the first one.
                    What makes you think he was trying to deface it? Maybe he just wants to mess with forms, get around a required field, or just see how a certain webpage works, since maybe he doesn't know how to make one like it, and needs an example. Of course, I am probably looking too much into this.

                    • #11
                      Originally posted by minihacker316
                      What makes you think he was trying to deface it? Maybe he just wants to mess with forms, get around a required field, or just see how a certain webpage works, since maybe he doesn't know how to make one like it, and needs an example. Of course, I am probably looking too much into this.
                      Um...comments like this? This thread is about one dumbass comment away from closing.

                      Originally posted by Red Squirrel
                      I used Opera to exploit some guy's shout box once: if you sent the user name field (which did not appear if you were not logged in, so I added it) it would authenticate as that user. The guy never cared either, yet he was very conservative about who could do what on the forum. But when I downloaded the script and changed to a full path, it did not work.
                      Aut disce aut discede

                      • #12
                        Firefox developer toolkit (Firefox plugins)
                        OWASP WebScarab (proxy in Java)

                        There are tons of applications that do just that; I won't name them all.
                        /* NO COMMENT */

                        • #13
                          Originally posted by dataworm
                          Firefox developer toolkit (Firefox plugins)
                          OWASP WebScarab (proxy in Java)

                          There are tons of applications that do just that; I won't name them all.
                          Instead of editing it, you could look into JavaScript "injections"? I'm reading about it right now, and it seems very interesting. This, of course, depends on what you want to do, edit or add, but...
                          It's nice for my purposes.

                          -GBHis

                          • #14
                            Oh no, not trying to deface; that would require having some kind of write rights on the server itself, and otherwise illegally entering.

                            What I need to be able to do is change it as it appears, without downloading the file locally. From the browser's point of view it should be as if the page really is the way I changed it.

                            A good example is the shout box I had exploited a long time ago. It had a hidden field for the username and the value came from the vB database, but as a guest that field was not there, and the submit button was not there, but by "live editing" it I was able to submit something under ANY username I wanted, even those not registered. Downloading the actual page and editing the POST ACTION to a full link instead of relative did not work; it had to be submitted from that domain, most likely it had some kind of referer checker. All this could be done through telnet, but it's much easier to do it by editing source. It's a good technique to find security holes in the way a server side script handles forms. JS injection sounds interesting, I'd have to read up on that. So does the Firefox developer toolkit, I'll have a look at that too.

                            But for the record, this will not be used on the dark side, it will mostly be used to test my own scripts and such, as I'm working on a BBS and those have plenty of room for security holes given the size of such a project, so trying to submit junk to it is a good way to ensure it's secure, unlike that shout box that had no server side authentication for the submission process.
                            Red Squirrel
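
The flaw described in the post above (author taken from a hidden form field, guarded only by a referer check) next to the server-side fix, as an added example that is not code from the thread or from the shout box in question. The handler names, the session store, the 500-character limit and `forum.example` are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed server-side session store: session cookie value -> logged-in user.
SESSIONS = {"s3ss10n-alice": "alice"}

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body; the last value wins."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def post_shout_trusting(body, headers):
    """Flawed pattern: the author is whatever the client put in 'username'.
    The Referer check adds nothing, because the client controls that header too."""
    if not headers.get("Referer", "").startswith("https://forum.example/"):
        return (403, None)
    form = parse_form(body)
    return (200, {"author": form.get("username", "guest"),
                  "text": form.get("message", "")})

def post_shout_hardened(body, cookies):
    """Hardened pattern: identity comes from the server-side session only.
    Any 'username' field in the posted form is ignored."""
    user = SESSIONS.get(cookies.get("sid", ""))
    if user is None:
        return (401, None)  # guests cannot post, whatever the form contains
    text = parse_form(body).get("message", "").strip()
    if not text or len(text) > 500:
        return (400, None)  # validate the remaining input on the server as well
    return (200, {"author": user, "text": text})

# Constructed request: a form edited in the browser to carry a username field.
EDITED_BODY = "username=admin&message=hi"
EDITED_HEADERS = {"Referer": "https://forum.example/shoutbox"}

def demo():
    """Run the same edited form through both handlers."""
    return {
        "trusting": post_shout_trusting(EDITED_BODY, EDITED_HEADERS),
        "hardened_guest": post_shout_hardened(EDITED_BODY, {}),
        "hardened_alice": post_shout_hardened(EDITED_BODY, {"sid": "s3ss10n-alice"}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
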

                            • #15
                              I was of course referencing what I use to keep my website updated (slacker = me). I conclude you're looking for scripting errors or overflows, which would constitute that whole haxoring the gibson. If you want to learn about HTTP and such, I would attempt to set up Apache on your internal network and mess around with it there; it is a good learning experience that you can take a lot away from.
                              ~:CK:~
                              I would like to meet a 1 to keep my 0 company.
