Created October 3, 2023 07:43
Text and Value Injection
Text injection means injecting text into a website to overwrite the original content.
Value injection means injecting a custom value to edit what a website says. It is not the same as text injection, but it can be used for a similar purpose.
These are NOT vulnerabilities, but they can be used to deceive people. It might be best to use JS to circumvent this issue.
Popular platforms are usually not affected by these issues.
Here's an example of how text injection can be done:
Let's take "example.com" and repurpose the link to take in text. Let's say it's an error, so we set the text input to "err". The page takes this value from the URL and puts it on the page; even if you reload, it'll show up the same way every time:
example.com/?err=
Cool, now let's add error text to it:
example.com/?err=Operation+Failed
Now that we have a base, let's edit it to say whatever we want!
example.com/?err=Text+Injection+Test
Nice! You have just done some easy text injection.
Here's what value injection looks like:
Let's take "example.com", add a "val" variable to it, and make the website display a number from 1-10, so "val=1", "val=2", etc. are all possible combinations. We could possibly go outside those initial boundaries if it lets us.
example.com/?val=
Nice, now let's add a random value to it:
example.com/?val=7
Epic, now let's make it our own value:
example.com/?val=10
Nice! Now let's see how far we could push the boundaries of value injection.
Let's try a number outside of what's possible, like these:
example.com/?val=11
example.com/?val=10000
example.com/?val=-10000
Let's try turning this into a text injection attack by assuming the website just displays the value:
example.com/?val=I+just+injected+text+into+a+number
Epic! You have now learnt the power of value injection and the ways it can be misused.
This is for website owners, to let them know that these could be abused to scam or confuse people into believing things.
Please update your websites!
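
One way for a site owner to close both gaps described above, as an added example that is not part of the original gist: "err" is looked up in a fixed table of messages instead of being echoed, and "val" is accepted only as an integer from 1 to 10. The message codes and function names are assumptions made for illustration.

```javascript
// Added example, not from the original gist. Parameter names "err" and "val"
// follow the page's URLs; the message codes below are hypothetical.
const ERROR_MESSAGES = new Map([
  ["failed", "Operation Failed"],
  ["expired", "Session expired"],
]);

// Text injection fix: the URL carries a short code, never the text itself.
// Unrecognised input gets one fixed fallback and is not echoed back.
function resolveError(params) {
  const code = params.get("err");
  if (code === null) return null; // no error requested
  return ERROR_MESSAGES.get(code) ?? "Unknown error";
}

// Value injection fix: accept only plain decimal digits inside [min, max].
// Anything else (11, 10000, -10000, free text, empty) is rejected.
function resolveValue(params, min = 1, max = 10) {
  const raw = params.get("val");
  if (raw === null || !/^\d{1,3}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= min && n <= max ? n : null;
}

// Decide what the page may display for a given URL.
function renderState(url) {
  const params = new URL(url).searchParams;
  return { error: resolveError(params), value: resolveValue(params) };
}

// Constructed sample URLs, mirroring the ones used on this page.
const samples = [
  "https://example.com/?err=failed",
  "https://example.com/?err=Text+Injection+Test",
  "https://example.com/?val=7",
  "https://example.com/?val=-10000",
  "https://example.com/?val=I+just+injected+text+into+a+number",
];
for (const url of samples) {
  console.log(url, "=>", JSON.stringify(renderState(url)));
}
// In the browser, write the result with element.textContent (not innerHTML).
```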