Javascript Injection - The Byzantine Attack: 10.2005

I have a new favorite exploit, because it's so much fun, and so simple, and requires linear thinking. First, let me describe the command you will be using. This is a command that you put into the browser address bar:

javascript:alert(document.form[1].price.value)

This command is broken down with the following:
javascript:alert is the command for a popup document. is the location of our playground. This pretty much says "This webpage we are looking at now."
form[1] is the form name.
price is the variable
value is the value. This can also be length, or whatever the variable conditions can be.

Example hack, with no explanation:

This Ticketmaster link
Copy and paste these commands into the browser one after another:
javascript:alert(document.asb.iu.value)
javascript:void(document.asb.iu.value="fart.com")
javascript:alert(document.asb.iu.value)

This changes the referencing address to "fart.com" as we see in the screenshot below.


Actual hack, with explanation:

Now for actual explanation. I searched for a random show in my area. This may be outdated by the time you look for it, but simply go to Ticketmaster.com and find an event in your area and find the page that tells you the cost per ticket. I used: Ticketmaster link. This is where nueance and grace takes place. View source, and find form names and variable names. To skip to the important part, I found the form's name is "chkOutResrv" and the variable name is "p_0000000000010". So now we can play.

First, show yourself the value of the ticket with:
javascript:alert(document.chkOutResrv.p_0000000000010.value)
next, change the value, make sure you us "void" instead of "alert" as void tells javascript to change a value:
javascript:void(document.chkOutResrv.p_0000000000010.value="$1")
Next, verify the value was saved with:
javascript:alert(document.chkOutResrv.p_0000000000010.value)


At this point, the actual price hasn't changed, just the value at this particular page. If you go through with ordering a ticket, on the same page they ask for credit card information, change the value, and then the price will be changed. They will charge your credit card for $1, then whatever service charges might apply. This is further than I wanted to go, because I did not want to be arrested for theft or anything. Hopefully after this happens a few times, online sales places will change their security.

How do you find variables and form names:

I went the next step, and looked at an online flight booking place. (Travelocity in this case). I found my flight (Dulles to Berlin) and went through all the steps to "Buy ticket now." Here, I opened the page source, and looked for variables like:

input type=hidden name="svc_fee_ind" value="1"
input type=hidden name="surc_amt" value="5.00"
input type=hidden name="previous_page" value="airgprice"
input type=hidden name="total_Xsellprice" value="1603.31"

Next I looked for the form name. Typical form names come after "document.", so I searched for that string and found:

document.forms[0].action = url;

Which let me know that the form name is "forms[0]"

To change the surcharge, I put in the address bar:

javascript:void(document.forms[0].surc_amt.value="$1")

And bam, no more surcharge. The rest is up to you.