HTS Basic Web 4: Alter the Hidden Fields

In the fourth basic web mission, Network Security Sam apparently hasnt learnt anything from his prior mistake. In the third basic web mission, we extracted information from hidden form fields and thereby found out the name of a password file. The procedure is essentially the same in this mission. As usually, check the source code first. These snipets have been formated for easier reading:

As you can see, this level contains two forms. The upper one is the Send password to Sam button, and the lower one is the password field. You should already have noticed the highly suspicious hidden field in the upper form. Its purpose is obvious: it supplies the email address that the password will be emailed to. From merely knowing this address, you cannot achieve anything (except if you managed to hack the server). Therefore, you should alter the field to contain your email address instead of Sams.

In order to enter your own information in to, the hidden field, you can create a local copy of the form. In your modified version, you can either change webmaster to your own email address, or change the type="hidden" to type="text". The prior changes the email address automatically, while the latter allows you to enter another address.

If you are pedantic and want your local version to validate, use the following code.

Remember to change the URL from local to absolute ( instead of /missions/basic/4/level4.php). Save the file as e.g. hackthissite.htm, then open it in your web browser.

Leave a Reply

Your email address will not be published.