javascript injection and looping

Question

I want to test a site against javascript injection. I am familier with following syntaxes which are working fine.

javascript:alert(document.cookie);
javascript:void(document.cookie="authorization=true");
javascript:void(document.cookie="authorization=true");javascript:alert(document.cookie);
javascript:void(document.forms[0].email.value="test@test.com");

I tried following to inject a loop

javascript:for(i=0;i<10;i++){document.forms[0].t1.value=i;}

It is working. But clering all the contents of browser and prints '9' (result).

Is there any way/sybtax to inject a loop so i can run/call a function/statement multiple times. Or any tool/utility/aadon which can help me.

*I can run the site only in IE.

It's nice to see someone that actively cares about javascript vulnerabilities. Cheers to you. — Jordan, Jun 16 '11 at 04:53

score 4 · Accepted Answer · answered Jun 16 '11 at 04:36

4

Add void(0); to the end of your code:

javascript:for(i=0;i<10;i++){document.forms[0].t1.value=i;}void(0)

However, you may want to move your code into a closure; you're modifying a global variable named i. Here we combine this with void as well:

javascript:void(function(){for(var i=0;i<10;i++){document.forms[0].t1.value=i}}())

answered Jun 16 '11 at 04:36

icktoofay

126,289
21
250
231

wow great. it works thanks @icktoofay for quick reply. Can you sugegst me some link where i can read more about it. – Amit Kumar Gupta Jun 16 '11 at 04:42
1

@articlestack: Perhaps [this question](http://stackoverflow.com/questions/666936/). – icktoofay Jun 16 '11 at 04:43

javascript injection and looping

1 Answers1