August 17, 2008

Javascript Injection

Did you know you can edit the contents of sites with javascript? Yes you can, however browser security will limit what you can do, so a little ingenuity is needed. Also the Safari web browser seems to be most lenient about javascript injection, where as FireFox is the most preventive. So you might want to use Safari for this type of hacking, no Idea on IE yet.

Try typing in the address bar...


javascript: alert('Hello World');


This not just doing a javascript call, it is actually using the page to call the alert function.

As a more advanced example...

javascript: alert(document.body.childNodes[0].innerHtml);


This will actually display what text is in the first element on the page, hopefully a div, as if there is no text in it it will be blank.

I have been working on a small project which uses javascript injection to play a simple html game for you. Yep, it is a very simple bot. Although it is rather stupid in point, it was fun to get working, as I needed a good refresher in Javascript before I go back to school. Expect to see the finished version posted in a week or two after I finish tweaking it, and leveling up my character.

2 comments:

MacJediMatt said...

FYI, your first example worked great in Camino.

Efeion said...

Both examples work in all browsers, the second will say undefined, but that is normal, because it would require a page with just one div, and text in that. However if you try innerHTML = "something" in firefox based browsers the entire page disappears on changing any element, this does not happen in Saffari. I assume it is a protection against rogue scripts. Also cross frame is "almost imposible".