edit html source code "live"

  • GBHis
    /dev/uwindows
    • Jan 2006
    • 51

    #16
    Originally posted by Red Squirrel
    Oh no not trying to deface, that would require having some kind of write rights on the server itself, and otherwise illegally entering.
    Yeah, if you had write access to the server, you wouldn't need to edit it, you could just upload your own files... But gaining write access to a server is kinda' illegal... :D
    Originally posted by Red Squirrel
    But for the record, this will not be used on the dark side, it will mostly be used to test my own scripts and such, as I'm working on a BBS and those have plenty of room for security holes given the size of such a project, so trying to submit junk to it is a good way to ensure it's secure, unlike that shout box that had no server side authentication for the submission process.
    I use JS injections when sites require referrers from the domain-name...

    I have done some serious security testing/debugging on a YaBB forum. (ver. 1 gold SP 1.32, filled with holes...) I managed to download EVERYONE's passwords due to an error while he used chmod when installing it.
    I also managed to view "hidden" threads and I put a \n in front of my name.
    (I named myself "GBHis\nForum Boss" which made me - well - Forum Boss. On normal forums I shouldn't be able to insert \'es, but it was all due to bad security.)
    And I rolled 45 with 3d6... The dice mod we used stored the rolled results in hidden form fields.
    The site didn't check for referrers, but JS is useful anyway!!
    At last I made him change to the newer YaBB 2.1. Good decision ;)

    Another option is to edit the "temporary" website stored with some strange name, i.e: 264DefCon[1].htm somewhere in windows. This is theory, I don't know what it does when you refresh it from the browser. Guess you would have to open the file with the strange name in the browser after editing it...

    Enjoy,
    - GBHis
    Last edited by GBHis; January 24, 2006, 22:33.
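As an added example (not code from GBHis's post or from YaBB), here are the server-side checks that would have closed the two holes the post describes: a dice result carried in a hidden form field, and a display name containing a newline. The name length limit, the supported dice and the sample submissions are constructed for illustration.

```python
import re
import secrets

# Display names: reject control characters (\n, \r, \t, ...) so a name like
# "GBHis\nForum Boss" can never spill onto a second rendered line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_MAX_NAME_LEN = 32  # constructed limit for this example


def display_name_is_safe(name: str) -> bool:
    """True if the name is non-empty, short enough and free of control chars."""
    if not name or len(name) > _MAX_NAME_LEN:
        return False
    return _CONTROL_CHARS.search(name) is None


def is_plausible_total(count: int, sides: int, total: int) -> bool:
    """Sanity check usable for detection on legacy submissions that still
    carry a client-supplied total: count dice can never total less than
    `count` or more than `count * sides` (3d6 is 3..18, so 45 is tampering)."""
    return count <= total <= count * sides


def handle_roll_submission(form: dict) -> dict:
    """Process a dice form. The client only chooses how many dice and which
    die; the result is rolled here with a CSPRNG, so any hidden "total" or
    "rolls" field the browser sends is simply ignored."""
    try:
        count = int(form.get("count", ""))
        sides = int(form.get("sides", ""))
    except ValueError:
        raise ValueError("dice parameters must be integers")
    if not 1 <= count <= 10 or sides not in (4, 6, 8, 10, 12, 20):
        raise ValueError("unsupported dice request")
    rolls = [secrets.randbelow(sides) + 1 for _ in range(count)]
    return {"dice": f"{count}d{sides}", "rolls": rolls, "total": sum(rolls)}


if __name__ == "__main__":
    # Constructed sample submissions: a tampered hidden total and a newline name.
    print(handle_roll_submission({"count": "3", "sides": "6", "total": "45"}))
    print(is_plausible_total(3, 6, 45))                # False: flags the tampered value
    print(display_name_is_safe("GBHis\nForum Boss"))   # False
```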
