javascript - Tool for generating html post page to bypass JS validation and test sql injection - Stack Overflow

I would like a tool (or Firefox) that enumerates all , elements on a target HTML page and generates a new HTML page which I can use to post to the original page.

I want to use this for security / sql injection testing, to circumvent any JavaScript validations.

The Web Developer Firefox plugin is close, but it doesn't let me change the values of radio button elements.

asked Dec 10, 2009 at 0:26 by frankadelic, edited Dec 10, 2009 at 1:36 by Hans Passant

6 Answers

If you're doing SQL injection testing, you should be sending the POST requests directly, not using a web form. It's easier to automate testing and covers a greater range of attack vectors... Plus, that's what the crackers will be doing, anyway.

Edit: a great compromise between the two ways is Fiddler: http://www.fiddler2.com/fiddler2/ ... You can submit via the web form (with JS disabled) and then edit the outgoing traffic to try to break your SQL injection.

You shouldn't be using Javascript as a form of security. Validations via JS should only be used to improve the user's experience. Therefore, SQL injection protection should be occurring server-side with parameterized queries. To edit values, you could use FireBug to test any Javascript/input.

EDIT: You could also use Tamper Data. Easy to use add-on which lets you change any of the POST parameters quickly.
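The server-side point made in the answers above, as an added example that is not part of the original answers: a form field that arrives without ever passing the page's JavaScript validation, handled first by a string-built query and then by a re-validated, parameterized one. The `users` table, the `name` field, the validation pattern and the sample request bodies are assumptions constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: in-memory table standing in for the application's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

# Assumed rule: the same check the page's JavaScript would apply in the browser.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_concat(db, form):
    # Weak: trusts that the browser validated form["name"], then builds SQL by concatenation.
    sql = "SELECT email FROM users WHERE name = '" + form["name"] + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_param_only(db, form):
    # Parameter binding alone: the value is compared as data and never parsed as SQL.
    cur = db.execute("SELECT email FROM users WHERE name = ?", (form["name"],))
    return [row[0] for row in cur]

def lookup_safe(db, form):
    # Hardened: repeat the validation on the server, then bind the value as a parameter.
    name = form.get("name", "")
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    return lookup_param_only(db, {"name": name})

# Constructed request bodies, as received when the POST is sent without the form's JavaScript.
NORMAL = {"name": "alice"}
UNVALIDATED = {"name": "x' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    print("concat, normal:     ", lookup_concat(db, NORMAL))
    print("concat, unvalidated:", lookup_concat(db, UNVALIDATED))  # every row comes back
    print("bound,  unvalidated:", lookup_param_only(db, UNVALIDATED))  # no rows
    try:
        lookup_safe(db, UNVALIDATED)
    except ValueError as exc:
        print("safe,   unvalidated: rejected:", exc)
```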

Selenium is great for this kind of web UI testing.

The easiest way to do this is to use Firebug to edit the DOM.

You can use the Web Dev Toolbar to disable Javascript, and you can use Firebug's HTML view to edit attribute values in real time.

In general, Firebug is an excellent tool for web developers and designers and I (and many other people) highly recommend it.

I think the simplest way to do this is not to use forms at all. You can run Fiddler during a normal request and you will see your POST request occur.

You can then replay and modify that request using Fiddler's 'Request Builder' (drag the actual request onto the 'Request Builder' tab and it will clone the request.) This allows you to create whatever bad inputs you wish without worrying about generating new forms to handle this.

Tamper Data https://addons.mozilla.org/en-US/firefox/addon/966 - does HTTP header modification too.
