HTS Basic Web 5: Javascript Injection
This is the fifth basic web mission, and Network Security Sam apparently “secured” his email script. After a quick look at the source code, we see that the code visible to us is exactly the same as in the last mission. However, if we try the same hack as in the fourth mission, writing a form of our own, we can see that Sam’s new script checks the referer, i.e. the page that you came from. If it is not equal to the page that you are supposed to come from, you get an error.
This leaves an interesting option. Remember that hidden field that we changed?
We can still change the value of to, but it will require a more sophisticated method: Javascript injection. Did you know that you can execute arbitrary Javascript code on any page? Since Javascript is always executed client-side, this does not often create vulnerabilities. It can, however, throw arrogant network administrators such as Sam off. To execute Javascript code on a page, type this in the location bar (the input field where the URL shows):
javascript:code
Replace code with any Javascript code. In this mission, we want to alter the value of an element’s attribute. This is where the HTML DOM comes in handy. By using the document object in Javascript, we can access every single element in the document.
A form is accessed by document.forms[n], where n is the index of the form. If you count the forms in the source code, you can see that the form we want is the second. Number one, that is — remember that you always start counting from zero. We want to access the value attribute of the to element, so we’ll simply write document.forms[0].to.value. Let’s check if it works by putting the value in an alert box. Type:
javascript:alert(document.forms[0].to.value)
An alert box with the text “webmaster@hulla-balloo.com” (the value of to) should pop up. If not, check that you haven’t disabled Javascript. Instead of merely reading the value of to, let’s alter it:
javascript:alert( document.forms[0].to.value = "webmaster@example.org" )
The alert() is there to show the new value, in case anything goes wrong. Now the value has been changed, so you can just push the Submit button, and the mission is complete!
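The injection works because both the hidden to field and the Referer header are supplied by the browser, so a referer check only tells the server which page the form was loaded from, not whether its values were edited. The following server-side comparison is an added example, not Sam's script or HackThisSite code; the handler names, EXPECTED_REFERER, the audit callback and the request objects are constructed assumptions.

```javascript
// Constructed values: the URL is a placeholder, the address is the one quoted in the post.
const EXPECTED_REFERER = "https://mission.example/basic/5/";
const ADMIN_ADDRESS = "webmaster@hulla-balloo.com";

// Mirrors the behaviour the post describes: the Referer header is checked,
// but the recipient is still read from the submitted hidden field.
function vulnerableReminder(req, sendMail) {
  const referer = (req.headers || {}).referer;
  if (referer !== EXPECTED_REFERER) {
    return { status: 403, body: "Referrer Error: Please Check Referer" };
  }
  sendMail(req.body.to); // client-controlled value decides where the mail goes
  return { status: 200, body: "Password reminder successfully sent." };
}

// Hardened form: the recipient is a server-side constant. A submitted "to"
// that differs from it is rejected and recorded, which also gives the
// operator a detection signal. The Referer is logged, not trusted.
function hardenedReminder(req, sendMail, audit) {
  const supplied = req.body ? req.body.to : undefined;
  if (supplied !== undefined && supplied !== ADMIN_ADDRESS) {
    audit({
      event: "recipient_mismatch",
      supplied: String(supplied).slice(0, 254), // bound the logged value
      referer: (req.headers || {}).referer || null,
    });
    return { status: 400, body: "Bad request" };
  }
  sendMail(ADMIN_ADDRESS);
  return { status: 200, body: "Password reminder successfully sent." };
}

// Runs three constructed requests through both handlers and collects
// the status codes, the addresses mailed and the audit events.
function runDemo() {
  const requests = [
    // untouched form submitted from the real page
    { headers: { referer: EXPECTED_REFERER }, body: { to: ADMIN_ADDRESS } },
    // form value edited in the page's DOM: Referer is still the real page
    { headers: { referer: EXPECTED_REFERER }, body: { to: "webmaster@example.org" } },
    // copy of the form hosted elsewhere, as in the previous mission
    { headers: { referer: "https://elsewhere.example/copy.html" },
      body: { to: "webmaster@example.org" } },
  ];
  const handlers = { vulnerable: vulnerableReminder, hardened: hardenedReminder };
  const results = {};
  for (const [name, handler] of Object.entries(handlers)) {
    const sent = [];
    const events = [];
    const responses = requests.map(
      (req) => handler(req, (to) => sent.push(to), (e) => events.push(e)).status
    );
    results[name] = { responses, sent, events };
  }
  return results;
}

console.log(JSON.stringify(runDemo(), null, 2));
```
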

javascript:alert(document.forms[0].mail.value=”me@hacker.com”)
the value is changed but it does not accept on clicking submit
and also this code
javascript:alert( document.forms[0].to.value = “webmaster@example.org” )
can anyone tell what is missing
Comment by sandblast — November 13, 2006 @ 5:40 am
sandblast: Try the second code that you wrote, but replace the example address (”webmaster@example.com”) to your own email address. It should pop that address up in an alert box. After this, you can press “submit”.
Comment by Tim — November 13, 2006 @ 7:35 pm
i wrote javascript:alert( document.forms[1].to.value = “webmaster@example.org” ) into the url and changed the webmaster@example.org to my own email address. it comes up with an alert saying my email address. i click ok and then submit and it comes up with error page: i have entered the incorrect password
please help. George Hurst AKA hurstabot
Comment by George Hurst — November 15, 2006 @ 6:43 pm
don’t worry have completed level 5
Comment by George Hurst — November 15, 2006 @ 7:02 pm
I did what you said but it says incorrect password. I also changed the webmaster@example.org to my email. It still doesn’t work.
Help please!
Comment by Annonyamus — November 17, 2006 @ 3:17 am
where to put javascript:alert( document.forms[0].to.value = “webmaster@example.org” ) ?? what URL field? in the web browser? in the submit form or what?
Comment by wt — November 19, 2006 @ 8:23 pm
Annonyamus: You shouldn’t input any password, you should use the password-reminder form.
Comment by Tim — November 19, 2006 @ 8:26 pm
wt: It goes in the address bar (location bar) on the top of your web browser. By default, it’s to the right of the browser buttons (back, forward, refresh, stop, home). If you’re using Firefox, ctrl+L is the shortcut for making that field active. By putting the code there, you execute Javascript code on the active page. It’s just as if the Javascript code had been there all the time.
Comment by Tim — November 19, 2006 @ 9:39 pm
I am having trouble knowing what to type in the url bar. could someone please help me?
Comment by matana — November 22, 2006 @ 6:17 am
matana; As the post says, you should type the following:
javascript:alert( document.forms[1].to.value = “webmaster@example.org” )
Just substitute “webmaster@example.org” with your own email address. This executes Javascript code on the current page. The code changes the value of the hidden form-field to your own email address.
Comment by Tim — November 22, 2006 @ 10:09 am
It still is not working for me
Comment by matana — November 24, 2006 @ 1:12 am
matana: What happens when you type the code in the URL bar? Is Javascript turned off? Are you using some obscure browser?
Comment by Tim — November 24, 2006 @ 6:14 am
I get the following javascript error when entering the injection:
Error: document.forms[1].to has no properties
Source File: javascript:alert( document.forms[1].to.value = “webmaster@example.org” )
Line: 1
Comment by Syn — November 25, 2006 @ 1:26 am
Syn: Ah, thanks. I looked at the challenge again, and the source seems to have been edited since I last did it: they’ve removed one form from the page. Thus, this form’s ID is 0, not 1. This is the correct injection code:
javascript:alert( document.forms[0].to.value =”webmaster@example.org” )
(Substitute the email address with your own)
matana: See above.
Comment by Tim — November 25, 2006 @ 7:35 am
man where in the source code do i put this> javascript:alert( document.forms[0].to.value =”webmaster@example.org” )
im confused!!!!
Comment by mchacker — November 26, 2006 @ 7:42 pm
mchacker: You’re not supposed to put it in the source code — put it in the location/URL bar, where it now says “http://timjoh.com/hts-basic-web-5-javascript-injection/”. By doing so, you execute that Javascript code directly on the page.
Comment by Tim — November 26, 2006 @ 8:27 pm
i enter the exact url in with my email and nothing happens
Well I got past this level and accidentally X’ed the window out. trying to get back
but thwn i put the URL in my bar nothing happens.
it worked before
Comment by Anonymous — November 28, 2006 @ 3:32 am
Anonymous: What URL? Just put the Javascript code that I’ve written previously there. Also, if you’ve already completed that level on that user, you can go directly to the next level by altering the URL (change 5 to 6).
Comment by Tim — November 28, 2006 @ 6:40 am
i tried as u guys said but all i get is a POP UP with my mail????
Comment by ragnar — December 6, 2006 @ 6:09 pm
ragnar: The code both pops the email address up, and changes the value in the form. Submit the email-form after having seen your email address pop up.
Comment by Tim — December 6, 2006 @ 7:22 pm
if i type (i’m using Mozilla) javascript:alert( document.forms[0].to.value = “webmaster@example.org” ) in the Url bar and ofcourse change the email to my own it then shows my email in the pop-up box, and then when i press Send password to Sam it says: Referrer Error: Please Check Referer, if someone could help me through this i would really appreciate it.
Comment by Stupid noob — December 8, 2006 @ 1:09 pm
“Stupid noob“: The page checks whether the referer is correct. Perhaps you are using a plugin or firewall (software or hardware) which removes or alters the HTTP-Referer field in the HTTP header. Disable any firewalls and try again.
Comment by Tim — December 8, 2006 @ 7:05 pm
i dnt fuckin get it why caant u plz just rite the exact url ur supposed to type with everything in it includin the javascript:alert( document.forms[0].to.value =”webmaster@example.org” )
cant u just give us somthin liek :
http://www.hackthissite.org/missions/basic/5/javascript:alert( document.forms[0].to.value =”webmaster@example.org” )
or w.e its suppose to be
Comment by jesus — December 10, 2006 @ 6:26 pm
jesus: Then you’re not understanding the point. By writing something in the location-field, you do not go to the URL. You merely execute Javascript code on the page that you already are on.
Comment by Tim — December 10, 2006 @ 6:55 pm
Sorry to bother you all again… I’ve turned off my computer firewall, doesn’t help, is there a check box in some settings tab or something to get it to know that it is supposed to send that email?
Comment by Stupid noob — December 15, 2006 @ 9:51 pm
i tried everything you told me to try but it didnt work. It would be cool if you could help all the people that just can’t do it.
three-of-clubs
Comment by three-of-clubs — December 16, 2006 @ 11:13 am
three-of-clubs: Exactly what did you write in the location-field? I’m sorry, but I cannot help anyone without enough information.
Comment by Tim — December 16, 2006 @ 4:34 pm
i published: javascript:alert( document.forms[0].to.value=”webmaster@example.org”)
i changed “webmaster@example.org” to my own address and when i pressed submit it said that i had entered an incorrect password, i also typed javascript:alert( document.forms[0].to.value=”webmaster@example.org”) in again and pressed send password to sam but it said Referrer Error: Please Check Referer. Please could you help
Comment by 3-of-clubs — December 16, 2006 @ 9:53 pm
3-of-clubs: That referrer error is the point of this mission — it’s actually just like mission 4, but the referrer is checked, so that you cannot create your own form. This is why a Javascript injection is required. Thus, something must be wrong with the referrer-header that your browser sent. Are you using a firewall? Perhaps you use a plugin to change the referrer-field?
Comment by Tim — December 16, 2006 @ 11:46 pm
if there is a plugin to change the referrer-field somewhere in the settings… could someone tell where?
Comment by Anonymous — December 18, 2006 @ 1:25 pm
Anonymous: I haven’t tried it yet, but refspoof is supposed to do it.
Comment by Tim — December 18, 2006 @ 2:51 pm
Stupid question but which bit is the location bar?
It says: “To execute Javascript code on a page, type this in the location bar (the input field where the URL shows” but where the heck is this location bar? Is it the top line of the source?
Comment by Ibetrayer — December 19, 2006 @ 8:32 pm
Ah right ok, its not going in the source, it goes in the address bar but where about?
Comment by Ibetrayer — December 19, 2006 @ 8:44 pm
Ibetrayer: The “address bar” or “location bar” is the field in your browser which says the URL of the page you are at. Currently, it should say “http://timjoh.com/hts-basic-web-5-javascript-injection/” and have my favicon, a blue T on a black square, to the left. It’s close to the navigation buttons.
Comment by Tim — December 19, 2006 @ 9:31 pm
This is the first actual hard mission and this site is pretty cool but you should try learning javascript anyways your never going to be a hacker if you are told the answers to problems
Comment by friend_from_hell666 — December 20, 2006 @ 2:47 pm
I put in the code
javascript:alert( document.forms[0].to.value=”webmaster@example.org”)
and changed the email to mine, but nothing popped up, but I clicked the submit button, and it said “password reminder successfully sent.” so i clicked the back button on my browser, and I clicked “submit” under the empty password form, but it took me to an error page. I’ve used IE and firefox, and they both did that. javascript is on, I checked. what am I doing wrong?
Comment by sdhaklsa — December 24, 2006 @ 3:58 am
javascript:alert( document.forms[0].to.value=”myemail@mydomain.myexstention”)
do that, and it works!
ONLY IN Internet Explorer!
Firefox doesn’t support the injection!
Comment by Topcat — December 24, 2006 @ 3:29 pm
It works with Firefox, I’ve just tried.
But I prefer a more conventional method : POST method using telnet. I’ve just “sniffed” the headers and form fields sent by my browser and then resent it using telnet with a another “to” field.
Comment by triptan — December 26, 2006 @ 4:20 am
I had figured out how to do it by myself, but it wasn’t working, so after about an hour, I shut down my firewall and tried again… and it worked….
Comment by Jebo — January 5, 2007 @ 3:44 pm
Hey Triptan how did you do with telnet to pass the authentication?
bye
Comment by theSnail — January 24, 2007 @ 12:24 am
I would not bother anyone but for me the only injection that worked is
javascript:void(document.forms[0].to.value=”email@nhacks.com”)
and it sounds better than “alert”, but can someone explain me why?
theSnail
Comment by theSnail — January 24, 2007 @ 1:09 am
theSnail: Both void() and alert() are supposed to work. The difference is that void() returns nothing, while alert() puts the value in an alert-box.
Comment by Tim — January 24, 2007 @ 9:01 pm
Ok, so I’ve tried the codes with my email, void and alert javascript:void(document.forms[0].to.value=”myemail@myemail.extension”)
javascript:alert(document.forms[0].to.value=”myemail@myemail.extension”)
The same thing happens with both as i click submit, just for reassurance, i am clicking “submit (password)” and not “Send Sam the email” right? I’ve been clicking submit.
But anyway, with the alert code, i don’t get an alert message at all, it just goes straight to “Sorry, but you have entered an incorrect password” and with sending the reminder to Sam, it just says its sent (and i have checked my email in case it may send it there and that was the whole point, and in junk box)
I’ve tried in Mozilla and IE Explorer, I’ve made sure that javascript is on. So what is there left to do?
Comment by tardedcat — January 25, 2007 @ 10:22 am
tardedcat: I tried the second code that you wrote, and it works for me.
IMPORTANT: You can NOT just copy the code from this site — this is because the quotation marks used here are not regular ones, they are the more neat-looking but not javascript-compatible ones.
Comment by Tim — January 25, 2007 @ 12:31 pm
ok… i downloaded the file… edited to to be my email… loaded it in IE and firefox… put javascript:alert( document.forms[0].to.value= “my@email.com” ) in… got the popup… clicked send pass… says wrong referer… not a complete noob but im not familiar with javascript…
Comment by shaunisradd — January 26, 2007 @ 3:06 am
shaunisradd: You shouldn’t download the file. Just do the javascript injection.
Comment by Tim — January 26, 2007 @ 6:32 am
I’ve changed the quotation marks, of the second(alert) and first(void), no pop-up and the same answer “Sorry, but you have entered an incorrect password”.
do i need spaces in the code or what? is it worth disabling my firewall?
i even looked at the code and c/p their quotation marks lol, and i have tried ’sdghdsgsdg’
I’m not a javascript kid, i was going to look it up but the website provided isn’t working so i just went straight to it.
Comment by tardedcat — January 26, 2007 @ 3:56 pm
Hold on, i put in a few spaces, and accidentally hit ‘Enter’ instead of going to click submit and i got a pop-up with my email inside, but after that… that was all i got.
Comment by tardedcat — January 26, 2007 @ 4:00 pm
^ and i did click submit after, but its not working, i will try in IE explorer though
Comment by tardedcat — January 26, 2007 @ 4:05 pm
Oh my god, i damn well asked if i had to press the SEND button and not SUBMIT lol, nm… found it
Comment by tardedcat — January 26, 2007 @ 4:07 pm
Do you have any tips on protecting your web pages from this type of vulnerability?
Thanks!
Comment by LG — January 29, 2007 @ 9:15 pm
LG, just make sure that you never allow code to be output without replacing the < and > with their respective HTML entities, &lt; and &gt;.
Comment by Tim — January 29, 2007 @ 9:40 pm
i wrote
javascript:alert(document.forms[0].to.value=”myemail@mydomain.myexstention”)
behind http://www.hackthissite.org/missions/basic/5/index.php/ it dont pop up something and in url is written:
http://www.hackthissite.org/missions/basic/5/index.php/javascript:alert(document.forms%5B0%5D.to.value=%22myemail@mydomain.myexstention%22)
Comment by Anonymous — February 2, 2007 @ 10:07 am
Anonymous, you need to erase the complete URL from the address bar before entering the Javascript code. Otherwise, it will be recognized as a URL instead of code.
Comment by Tim — February 3, 2007 @ 12:50 am
thx got it
Comment by Anonymous — February 3, 2007 @ 11:00 am
im retyping the exact code not copying it and it still says iv entered an incorrect password. some plz display thorough instructions on how to do this.
Comment by this won't work — February 5, 2007 @ 3:37 am
this won’t work, you shouldn’t touch the password field. Press the button that sends a new password to the email address after you have executed the Javascript code.
Comment by Tim — February 5, 2007 @ 6:41 am
PEOPLE. DO NOT PRESS SUBMIT. YOU NEED TO TYPE javascript:alert( document.forms[0].to.value = “(insert email here” ) INTO UR ADDRESS BAR AND HIT “send pass to sam”. that worked for me
Comment by GER — February 13, 2007 @ 1:08 pm
hey…
i’ve tried all your suggestions, but i think it comes down to my firewall(s)
if i disable them i still get the referer check!!!
=[
Comment by Stuie — February 14, 2007 @ 10:11 am
Stuie, I just put this script for checking your referer up. See if your referer is shown; if it isn’t, you can be sure that it is either a firewall or your browser. Referer check.
Comment by Tim — February 14, 2007 @ 4:59 pm
seriously u guys:
u got questions like whats the URL bar
i typed in the pass[is there even a pass box?!]
ur messin up on code thats actually POSTED! rely. u guys, read and plz dont b a bunch of script kiddies! seriously, URL BAR?!
Comment by ahem — February 18, 2007 @ 7:22 am
Umm i’m confused.
i did the referer check script and it said Your HTTP referer is: “http://timjoh.com/hts-basic-web-5-javascript-injection/”
so does that mean i don’t have a firewall or what??
hate to be a pain but i’m REALLY confused
=[
Comment by Stuie — February 18, 2007 @ 9:14 am
Stuie: Yes, it means that your firewall is not hindering it in any way. I’m sorry, but I have no idea about what the problem is.
Comment by Tim — February 18, 2007 @ 10:25 am
well thanks for trying =]
Comment by Stuie — February 19, 2007 @ 4:43 am
hello tim..
i’ve tried it..and i think i’m on the right path since it did said “Password reminder successfully sent.”..
but the problem is,there’s nothing in my mailbox from Sam…
p/s: i’ve tried with two email addresses…both also didnt get any mail from Sam…wonder if HTS email services is down or what…is it possible?
Comment by plasticbag — February 25, 2007 @ 7:48 am
yupp..maybe its down…
tried clicking lost password links..and this came up…
Error:
Sorry, email doesn’t work currently
arghhhh!!! LOL ;p
Comment by plasticbag — February 25, 2007 @ 8:25 am
plasticbag: Hah. I suppose you’ll just have to wait, then.
Comment by Tim — February 25, 2007 @ 9:15 am
Yo i thought i would never get it but u helped alot, thanks
Comment by Da'Von — February 25, 2007 @ 4:25 pm
Da’Von, I’m glad to help.
Comment by Tim — February 25, 2007 @ 5:41 pm
If you type in the code thing say mine: javascript:alert ( document.forms[0].to.value = “chill_dude160@hotmail.com ) the box will pop up. Then what I did was I clicked send password to sam and a new page came up with the password.
Comment by DJ — February 28, 2007 @ 11:00 pm
I did the referer check, i had no referer, i changed the quotation marks, and i put in my email, but it still says check referer!
Comment by 4356 — March 1, 2007 @ 4:28 pm
4356, that’s the problem then: you should have a referer. Check your firewall.
Comment by Tim — March 1, 2007 @ 5:51 pm
It actually worked, i’m not a total failure!
Comment by 4356 — March 2, 2007 @ 4:26 pm
thanx for the help: syntax errors are a b!7ch.
Comment by nvs625 — March 2, 2007 @ 6:44 pm
Here’s a little help for those of you who got the code and still have problems with “Referer”.
BACKGROUND
First, and most important, you need to understand how this works. There’s no point on just completing the missions when you have no idea of what you’re doing. This mission isn’t as simple as mission 4, where you actually copied the site to your pc, changed the links and pufff.. you got it!!
This time, Sam wrote a program on the server side which acts as a guard rejecting any attempts from intruders. You would be considered an intruder IF you do this mission as the last one. You’d be actually requesting the password, but you are sending this request from YOUR PC.
What you have to do is: Somehow change the email address from within the site as you did changing the code from your PC. This can be done with Javascript!! ;)
Ok, There are two things you have to know for this mission (void) and (alert).
(alert)= “as the name says” ALERTS, it gives you a message!
(void)= is MODIFY
for you to have a better understanding just type this on an EMPTY URL box (where you type http://www.google.com). Must be EMPTY, no HTTP://
javascript:alert(’Dar-kun0r’)
You’ll get a message alert box on your browser saying: what you typed!
Ok, this might be NOT useful at all, but it’s only for you to understand. Now, go to MISSION 5. If you read the html code. You’ll notice that the FORM has some certain values. As a letter has an envelope, things on internet have headings, which work exactly the same. There is a From: “Grandma” To: “Grandson”…
If you got the “Referer” problem I hope you already understand why!!
ok, remember the (void) command? now is time to use it!! ;)
For you to completely understand, do the following:
javascript:alert(document.forms[0].to.value)
This will tell us the email address where the password will be sent. Because you are on the web, not on your PC, you will get “Sam’s Email” right? You change his email with the VOID command! ;)
Let’s change Sam’s email!!… just type the following:
javascript:void(document.forms[0].to.value=”email@address.com”)
this will change his email to any email you want “Yours”
Ok, just to make sure, lets see the changes!
javascript:alert(document.forms[0].to.value)
Your EMAIL ADDRESS should appear. If it does, everything’s fine, and REMEMBER!!!
Don’t Learn to Hack!!
HACK TO LEARN ;)
oK, now go SUBMIT and Have Fun PeopLe!!
if you have any questions, just ask me: llitos @ hotmail.com
Comment by dar-kun0r — March 10, 2007 @ 4:38 am
i personally have found that if you are using Firefox then the code will not work. You can always just use the original internet source that was preloaded with the ops
Comment by jackhomorabbit — March 11, 2007 @ 7:17 pm
i got no referer! i tried disabling Windows Firewall too, and i still got no referer!
Comment by no referer!??!? — March 12, 2007 @ 6:58 am
btw im using ie7
Comment by no referer!??!? — March 12, 2007 @ 7:30 am
hmm… this works !!!
but i still didn’t know what is the meaning >>> forms[0]
how do you count it to 0 ??
where can you find it in sourcecode?
Comment by Osoiiii — March 21, 2007 @ 3:04 pm
Osoiiii, always start counting from zero. Thus, the first form is forms[0], the second form is forms[1], the third form is forms[2] and so on. That is the first form on the page, and thus it is forms[0].
Comment by Tim — March 21, 2007 @ 6:12 pm
Hello! When im submitting after executing the javascript, it says Referer Error…. Im using Mac and need help, turning on referer…[?] ;)
- Regards Nikolaj
Comment by 1337 — March 22, 2007 @ 7:04 pm
Well… its working now, how? Well, I switched to Mozilla Firefox! :P
Comment by 1337 — March 22, 2007 @ 7:31 pm
I typed in the location bar :-
javascript:alert( document.forms[0].to.value = “webmaster@example.org” )
and changed webmaster@example.org and this works. A pop-up windows appears, displaying my email address; the one to which I change “webmaster@example.org”
What should I do then? Click on Send Password to Sam?
Comment by Akasha — March 28, 2007 @ 3:02 pm
Akasha exactly. This would submit the form, but instead of Sam’s email address, yours will be used.
Comment by Tim — March 28, 2007 @ 4:48 pm
Hey you, yes you.
If your problem is javascript you can forbid scripts and replace the value of the form to your internet address. This can be done with the firefox webdeveloper and Noscript tool
Comment by negroi — April 8, 2007 @ 3:40 am
negroi, good idea. I use NoScript myself. Unfortunately it doesn’t help here since this is about others executing the script, but it is a good plugin to use nonetheless.
Comment by Tim — April 9, 2007 @ 10:14 pm
i dont no how to do 5 where do you add in the java script
Comment by jerrod1607 — April 27, 2007 @ 1:12 am
For those people that are having problems…this is why….
1. Make sure your Address Bar (Location Bar) has the following: http://www.hackthissite.org/missions/basic/5/ If it doesn’t have it then paste it and go to it….
2. Get the code Tim Gave you, Paste it on the Address Bar (Location Bar)
3.Change the E-Mail to yours and change the quotation marks. (Just delete them and write them again)
4. Press enter….
5. If a pop up with your E-Mail pops up, then press send password to sam.. If it doesn’t pop up that means your e-mail is wrong or you didn’t change the quotation marks. Or you probably have the whole code wrong.
6. when you press the send password to sam button, you should be sent to a page with the password.. (I can’t give u it, its different with everyone…And I don’t want to..)
7. Go back and put in the password, press submit…and done!
Comment by Hey_You — April 27, 2007 @ 4:08 am
alert(’This is how’); alert(’This is how’); >alert(’This is how’);
no ofense 2 noobys but this kind obveeis
Comment by alert('This is how'); — May 10, 2007 @ 11:27 pm
>alert(’whtever u want’);>
>alert(’whtever u want’);>
:::::0000000000000000000000
Comment by Anonymous — May 10, 2007 @ 11:28 pm
????lol………………….
Comment by ggg — May 10, 2007 @ 11:31 pm
This is how you do it 100% possitive on the same web page that the hack this site is at type= javascript:alert( document.forms[0].to.value =”webmaster@example.org” ) in the URL area
Comment by Hi this is Spazztic_Killer — May 20, 2007 @ 11:01 pm
when i type in code it goes to like http://code.google.com/ anyone wanna help me
Comment by matt — May 25, 2007 @ 8:32 pm
Hey guys my Firefox, and Explorer just stares at me, wont do a thing when i inject the code in my browser.
What do i do?
Believe me i have the code right.
javascript:alert(document.forms[0].to.value=“allankamagara@hotmail.com”)
Comment by Allan — May 30, 2007 @ 6:55 am
matt: Make sure that you have no space before “javascript:”. It seems like your browser thinks that you are searching for those keywords, and therefore gives you the first Google result for those terms.
Allan: Check that Javascript is not disabled.
Comment by Tim — May 30, 2007 @ 6:50 pm
—————-
Load the page:
http://www.hackthissite.org/missions/basic/5/
————–
Then in Address bar paste:
javascript:alert( document.forms[0].to.value = “webmaster@example.org” )
————-
Alert will pop-up
—————
E-mail “webmaster@hulla-balloo.com” changed to “webmaster@example.org”
———
And FINALLY press:
Send password to Sam
——–
ATTENTION:DO NOT PRESS:
Submit
————–
Copy password,
Go back,
Paste password,
Press “Submit”
FINISHED!!!
Comment by Anonymous — May 31, 2007 @ 10:31 pm
Ok people all you have to do it read this!!!
Type in the URL Address Bar…
javascript:alert( document.forms[0].to.value = “your email here!” )
And click on Send Password to Sam, DONT NOT CLICK ON SUBMIT!!
It should then show up with a password :)
Comment by John_Hacker — June 3, 2007 @ 7:50 pm
this worked for me
javascript:alert( document.forms[0].to.value = “eblis01″ )
Comment by eblis01 — June 11, 2007 @ 3:33 pm
“We can still change the value of to, but it will require a more…”
I know I sound like a “n00b,” but how do you change “to?”
Comment by DK — June 20, 2007 @ 8:04 pm
DK: Through a Javascript injection, as the original post says. That’s what this mission is all about.
Comment by Tim — June 21, 2007 @ 10:50 am
javascript:alert( document.forms[1].to.value = “my-email” )
i type this into my firefox url the click send password reminder it then says Password reminder successfully sent
now what…. please help
Comment by ppl — July 7, 2007 @ 11:42 pm
It is easy :)
Just COPY This:
javascript:alert( document.forms[0].to.value = “lol@lol.lol” )
Enter to lvl5
Press CTRL+L and CTRL+V then ENTER
it will POP window with text lol@lol.lol
Then press SEND REMINDER (or what was there)
and it will show Password :)
Comment by SharkyLV — July 19, 2007 @ 11:13 am
Are there other ways of going about this?
Comment by em-kay-ultra — August 8, 2007 @ 4:14 am
em-kay-ultra: Yes; you can use the same method as in basic web 4 if you spoof your referrer, for example with a Firefox plugin.
Comment by Tim — August 8, 2007 @ 5:55 am
Not to be a dick, but if we gave you the answer, what did you learn? To have the exact answer to this problem negates the entire purpose of HTS. To all those not willing to research and learn why these vulnerabilities exist, I hope you make a website someday. I’ll be there.
Comment by Not to be a dick, but — August 11, 2007 @ 5:58 pm
I’m using ie and i’m doing exactly what i’m suposed to do.
I’m typing javascript:alert( document.forms[0].to.value = “MyEmail@hotmail.com” ) in the url field, i tried turning my fire wall off, and using void instead of alert but i don’t get to a web page with a password just a page that says password reminder successfully sent when i use void or a page that says Referrer Error: Please Check Referer (Note: This is not a bug) when i use alert.
SOMEONE PLEASE HELP ME!!!
Comment by ME — August 14, 2007 @ 9:50 pm
all of you, ” is not a valid character for java script it is ‘, next delete everthing in the url bar and paste that it should pop up your email now hit ok and hit “send password to sam”, wohha there is the password.
ps thanks for the tut
Comment by Bluestorm21 — August 16, 2007 @ 3:26 am
V good advice which works when you change “” for ” . this worked for me…………
It is easy :)
Just COPY This:
javascript:alert( document.forms[0].to.value = ‘lol@lol.lol’ )
Enter to lvl5
Press CTRL+L and CTRL+V then ENTER
it will POP window with text lol@lol.lol
Then press SEND REMINDER (or what was there)
and it will show Password :)
Comment by Textronics — August 21, 2007 @ 1:42 pm
I am with allan. When I type in the javascript code and hit ‘enter’ or click ‘go’, my browser does absolutely nothing. I have tried it on both firefox and IE. I have also verified that javascript is turned on. ???
Comment by itfell — August 29, 2007 @ 4:36 am
these tutorial…have saved me time and ive learned alot thanks!
Comment by gasparin66 — September 14, 2007 @ 10:24 pm
Do not forget to include “;” after the js code.
javascript:void(document.forms[0].to.value=”webmaster@example.org”);
Comment by subsystemerror — September 22, 2007 @ 5:26 pm
Stupid Noobbs!
Comment by Anonymous — September 24, 2007 @ 6:29 am
How do i check if my javascript is disabled.
Comment by Anonymous — October 2, 2007 @ 9:49 pm
to make sure it will work try to delete cookies and temporary internet files then type normal
javascript:alert( document.forms[0].to.value = “your email here!” )
Comment by esak — October 5, 2007 @ 8:23 pm
Once you’ve added the java script to the address bar, press enter.
then click on “send to sam”
use that password.
It’s that friggin’ simple people.
Comment by Silo — October 8, 2007 @ 8:50 am
i think i may blow up lol i put in the correct code, i get the alert i hit ok i hit send password to sam and i still dont get the mission complete crap no idea why
Comment by gar face — October 9, 2007 @ 2:24 pm
ok nm im clearly retarded so for you other retards whom didnt quite get it here it is. When you modify the webmaster@example.org you need to make it YOUR HACKTHISSITE login name then hit send password to sam the following page will show you the password you need. Go back to the page enter the password you just got hit submit and boom ur done
Comment by gar face — October 9, 2007 @ 2:27 pm
FOR ME IT JUST SAYS THIS AFTER ALL THE CODE AND EVERYTHING IS DONE: The requested URL /missions/basic/5/javascript:Not Allowed(%20document.forms[0].to.value%20=%20%22my@email.cm%22%20) was not found on this server.
Comment by doesnt matter — October 16, 2007 @ 12:57 am
Hey gar face: thanks for the hookup from Oct 09. I was getting a message coming up saying “password reminder sucessfully sent” when hitting send p/w. Then when trying to test the forgotten password link, I got a message saying “sorry,email does not work currently”. I tried your advice, using the username, and it worked. I tried the exact same script that was giving me trouble earlier, and that is working fine now as well. The forgotten password link is still getting the “email not working” message too. Any clue what was up?
Comment by mistchild_01 — November 10, 2007 @ 1:13 pm
Hey, this tut was great. I already knew what I had to do but I just couldn’t get the code right because I didn’t understand it. This guide helped me a lot. Are there guides on this site for any of the other missions???
Comment by Pleek — November 11, 2007 @ 2:17 am
Hi, whenever I click submit it comes up with:
Referrer Error: Please Check Referer (Note: This is not a bug)
Comment by mike — November 21, 2007 @ 7:51 pm
Yo. Babes, once you have entered the command, you will press OK.
Then click on send password to Sam. Then the password will be attributed to you; just copy and paste it into the form.
You’re done. OK?
Comment by KiNG — November 23, 2007 @ 12:21 pm
Guys, the reason it says error is because you are not pushing the “Send Password To Sam” button. Once you push that, it will show you the password and you just have to copy and paste it into the password space.
Comment by ickyhacker — November 25, 2007 @ 1:35 am
GRrr Not working
Comment by kickapoo — December 4, 2007 @ 10:29 pm
Sorry! We have moved! The new URL is: hackthissite.org
You will be redirected to the new address in five seconds.
If you see this message for more than 5 seconds, please click on the link above!
Comment by emo — December 4, 2007 @ 10:32 pm
function message()
{
alert("Lmao 1337")
}
Comment by emo — December 4, 2007 @ 10:33 pm
Right people, here’s what to do.
Go to Basic 5 (simple haha)
Delete the text from the address bar (before deleting it should say: http://www.hackthissite.org/missions/basic/5/)
Then, once you have deleted it, copy and paste this line of text into the Address bar:
javascript:alert( document.forms[0].to.value = “insert email here” )
Where it says “insert email here” simply put in your email address.
After that, press Enter (or Return) on your keyboard. A pop-up will appear on-screen with the email you just wrote. Click the Ok button.
Now click “Send password to Sam”.
On the new page you should see the password.
Copy this password and click your Back button in your browser.
Now paste the password into the password box underneath the word “Password” and click the Submit button.
You have now (hopefully) completed Basic Level 5!
Comment by Tattons — January 4, 2008 @ 7:14 pm
^^^ The quotation marks ( ” ” ) for this site are not compatible with Javascript. Therefore, once you’ve copied and pasted the line of text into the Address bar, delete the quotation marks and then put them back in again. I know it sounds silly, but you have to. Honestly, just try it.
Hope it works out for you. Also, there’s nothing wrong with anyone’s firewall, so don’t mess with it. As long as you have Javascript enabled (Tools -> Internet Options -> Advanced -> Java -> Tick the only box) then you can do it.
Hope this helps
Comment by Tattons — January 4, 2008 @ 7:22 pm
I type the javascript injection in the URL bar and nothing appears. Like nothing happened! I tried with turning off the firewall but still nothing, and I have Javascript enabled.
What to do???
Comment by DarkoM — January 7, 2008 @ 2:48 pm
just try this one:
javascript:alert( document.forms[1].to.value = "your@email.com")
It will show you a popup with your own email.
Press OK
Press on the send mail, or something like that, button.
And you’re finished
Comment by Me — January 7, 2008 @ 8:52 pm
I too was getting the referer error. This is what I did to resolve it.
When I started the lesson the address was:
http://hackthissite.org/missions/basic/5/
I added the “www” to the address and hit Enter. It then loaded, having the correct referer address of:
http://www.hackthissite.org/missions/basic/5/
I then did the Javascript insertion and clicked the Send Email button and was rewarded with the password page. Yeah
Comment by chadman — January 11, 2008 @ 8:45 pm
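The referer behaviour described in the comment above, modelled as an added example (not code from the site or from this thread): an exact-string Referer comparison rejects a genuine visitor on the host without "www", yet accepts a request whose hidden to field was edited inside the real page, so the durable fix is to keep the recipient on the server. The handler names and request objects are assumptions constructed for illustration.

```javascript
// Constructed model of a password-reminder handler; all names are hypothetical.
const EXPECTED_REFERER = "http://www.hackthissite.org/missions/basic/5/";
const ADMIN_ADDRESS = "webmaster@hulla-balloo.com";

// Weak: trusts two client-supplied values, the Referer header and the hidden field.
function weakHandler(req) {
  if (req.headers.referer !== EXPECTED_REFERER) {
    return { status: 403, body: "Referrer Error: Please Check Referer" };
  }
  return { status: 200, sentTo: req.form.to };
}

// Hardened: the recipient is server-side configuration; a submitted `to` is
// never used as the destination, only compared so tampering can be logged.
function hardenedHandler(req) {
  const submitted = req.form.to;
  const tampered = submitted !== undefined && submitted !== ADMIN_ADDRESS;
  return { status: 200, sentTo: ADMIN_ADDRESS, tampered };
}

// Constructed sample requests.
const requests = {
  genuine: { headers: { referer: EXPECTED_REFERER }, form: { to: ADMIN_ADDRESS } },
  // Same visitor on the host without "www": the header no longer matches.
  nonWww: {
    headers: { referer: "http://hackthissite.org/missions/basic/5/" },
    form: { to: ADMIN_ADDRESS },
  },
  // Field edited inside the real page, so the browser sends the expected Referer.
  editedInPage: { headers: { referer: EXPECTED_REFERER }, form: { to: "someone@example.org" } },
};

// Run every sample request through both handlers and collect the outcomes.
function compare() {
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = { weak: weakHandler(req), hardened: hardenedHandler(req) };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```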
Hey, I keep getting the message password sent successfully but it doesn’t send me the password. I changed the address to mine and it still says the password was sent successfully but I don’t get the email.
Comment by goose — January 24, 2008 @ 7:37 pm
Hey darkom…
I had the same problem you have. When I put the line in my address bar nothing happened except giving an error. Therefore just press ctrl+o and paste the line there. Then your email will pop up and then just click on the button: send an email. You then get your password and can fill it in.
Comment by n00bas — January 26, 2008 @ 6:03 pm
Here’s what you do:
In the address bar you delete http://www.hackthissite.org/missions/basic/5/index.php ,
and replace it with javascript:alert( document.forms[0].to.value ="webmaster@example.org" )
Instead of webmaster@example.org, you put your own e-mail address and click Send to Sam, and now you have completed Basic Mission 5! Congratz
Comment by trayhacker — February 2, 2008 @ 11:06 pm
thanks a lot, great information learned loads
Comment by lee price — February 5, 2008 @ 2:25 pm
Go to URL BAR (if you were going to go to google, it’s where you would type)
delete all the text in it….
copy from here -> javascript:void( document.forms[0].to.value = "youremail@email.com" )
Comment by Sam — February 22, 2008 @ 6:14 am
' or 'a'='a
Comment by Anonymous — March 21, 2008 @ 4:16 am
I feel stupid.
I typed the javascript injection into the URL bar after deleting the hack this site URL. I changed the example email to my email, hit Enter and nothing happens at all.
If anyone can help me that would be great.
Comment by goose — March 30, 2008 @ 11:01 pm
Hack this site was hacked. Tim, you should hack it and put it back to normal; it would be a good test of your skills.
Comment by goose — April 2, 2008 @ 12:26 am
Guys, use this code: javascript:alert( document.forms[0].to.value = "webmaster@example.org" ) but use your email instead of webmaster, and then you should get a javascript alert, then click send password to sam… That’s it. It’s actually easy to do by yourself if you learn java, which I recommend if you want to hack and not ask questions…
Comment by Luke — April 29, 2008 @ 2:08 pm
YA BUNCH OF DIRTY CHEATERS
Comment by ep0ch — May 3, 2008 @ 10:55 pm
I did all this and I still don’t get a mail. I didn’t get a mail at the fourth either. The provider is mail.com
Can you help me?
Comment by amle — May 9, 2008 @ 3:15 pm
I’m typing it right, but I’m not getting the email to give me the password. Help?
Comment by Tobias Berenson — May 12, 2008 @ 7:01 pm
This is totally bugging me off. I have done the basic missions up to the 4th level by myself without any help. But now at the 5th level, I have tried using the javascript injection, and clicked send mail to sam, but the next page just displays password successfully send instead of displaying the password page. Why is this happening?
Comment by misty — May 13, 2008 @ 7:03 am
In the other posts above, it has been mentioned that a new page displaying the password will be displayed. Is that correct? Or will a mail be sent to you, as in the 4th mission?
Comment by misty — May 13, 2008 @ 7:07 am
I can’t seem to inject this js right. I have tried so many times. I can inject things like javascript:alert("test123") to see if it just works, and it did. Then I tried your code and nothing happens. What’s happening?
Comment by TALOR — June 15, 2008 @ 12:29 pm
Ok, I’m going to make this very clear. WARNING: SPOILER ALERT!!!!!!!!!
==============================SPOILER================================
Ok, make sure that java is working. In the bar where you normally type a web address, type this exact thing:
javascript:alert(document.forms[0].to.value)
Then press Enter. A box should come up and say
webmaster@hulla-balloo.com
If it did then your java is working; if it didn’t then you need to enable java.
Next, in the same bar, type this:
javascript:alert(document.forms[0].to.value = "youremail@somewhere.co.uk")
obviously replacing "youremail@somewhere.co.uk" with your actual email address. Make sure the quotes are still there.
Then press Enter; an alert box will appear with your email address. Just close it, then press the
Send password to sam
button, not the Submit button. Then you will be taken to a page which has the password. Simply copy it, then go back a page, enter it and press Submit.
Comment by Bodsda — June 16, 2008 @ 2:54 am
There’s a problem with the first quotation mark in the example (it’s the wrong character), so if you copy/paste it, it won’t work.
Type the example manually, and it works fine.
Comment by jack — June 18, 2008 @ 6:41 pm
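The copy-and-paste failure several commenters describe comes from publishing software replacing straight quotes with typographic ones, which Javascript does not accept as string delimiters. As an added example (not part of the original comments; the function names are hypothetical), this reports such characters in a pasted snippet and confirms that it only parses once they are replaced:

```javascript
// Typographic characters that publishing software commonly substitutes,
// mapped to the ASCII character Javascript expects as a string delimiter.
const REPLACEMENTS = new Map([
  ["\u201C", '"'], ["\u201D", '"'], ["\u201E", '"'], ["\u2033", '"'],
  ["\u2018", "'"], ["\u2019", "'"], ["\u2032", "'"],
]);

// Report every substituted character with its position and code point.
function findTypographicQuotes(src) {
  const hits = [];
  for (let i = 0; i < src.length; i++) {
    if (REPLACEMENTS.has(src[i])) {
      const hex = src.charCodeAt(i).toString(16).toUpperCase();
      hits.push({ index: i, char: src[i], codePoint: "U+" + hex });
    }
  }
  return hits;
}

// Replace them all. This also rewrites typographic quotes that were meant to be
// string content, so it suits short snippets rather than arbitrary source files.
function normalizeQuotes(src) {
  return Array.from(src, (ch) => REPLACEMENTS.get(ch) ?? ch).join("");
}

// Parse without executing: the Function constructor compiles the body and
// throws SyntaxError on invalid source, but the body is never called.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample: the statement as it looks after quote substitution.
const pasted = "document.forms[0].to.value = \u201Cwebmaster@example.org\u201D";

console.log(findTypographicQuotes(pasted));
console.log(parses(pasted), parses(normalizeQuotes(pasted)));
```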
javascript:alert( document.forms[1].to.value = "webmaster@example.org" )
it should be javascript:void(document.forms[1].to.value = "webmaster@example.org")
(change the alert bit to void)
Comment by blah — July 15, 2008 @ 6:15 am
blah: That does not matter.
Comment by Tim — July 15, 2008 @ 8:30 pm
javascript:alert( document.forms[0].to.value=”youremail@host.com”)
If you copy and paste it, make sure you delete the ” ” and retype them yourself.
After it pops up, click send password to sam; it takes you to the next page with the password, then go and enter it.
Make sure you have javascript on.
A few web sites have this mission, I’ve noticed, so make sure the document number is that of the website you’re doing it on.
Comment by tim — July 16, 2008 @ 8:45 am
As said before at post 44:
When you copy the text from this site and paste it into the address bar, then replace all exclamation marks “”"”" <- those.. :) with your typed ones.. That way it worked for me. Good luck.. Thanks Tim for seeing this subtle detail.
Andi
Comment by Try this!! :) — July 28, 2008 @ 11:56 pm
… DUMB PPL!!!
javascript:alert(document.forms[0].to.value = “youremail@somewhere.co.uk”)
WOULDNT WORK ! CAS THE “”
CHANGE IT TO ""
IT SHOULD BE LIKE THIS!
javascript:alert(document.forms[0].to.value="WATEVER UR EMAIL IS!")
THATS ALLL
Comment by ZeroCool — August 3, 2008 @ 4:54 pm
Soo I have Linux and Javascript doesn’t work on my computer… any alternative?
Comment by Nubface 001 — August 12, 2008 @ 8:45 am