Download Article
Download Article
JavaScript injection is a process by which we can insert and use our own JavaScript code in a page, either by entering the code into the address bar, or by finding an XSS vulnerability in a website. Note that the changes can only be seen by you and are not permanent. This is because JavaScript is a "client-side" language.
Steps
Sample Injections
-
You must enter the code in the URL address bar of the window. Try these injections:
- Note - If you use Firefox, you will have to use another way, like cmd-shift-k on a Mac
- javascript:alert("Hello!");
- To bring up an alert box saying "Hello!":
-
javascript:alert("Hello"); alert("World");
- To bring up 2 alert boxes, the one in the front will say "Hello" and once you click OK, the one saying "World" will appear:
Advertisement -
javascript:alert(document.forms[0].to.value="something")
- To change the value of form [0] to something:
-
javascript:void(document.bgColor="blue")
- To change the background color to blue. You can put any other color in the place of blue to change it to a different color:
-
javascript:alert("The actual url is: \t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");
- To see the real server name of the site you are looking at. You should use it if you think that you are viewing a spoofed website, or anytime just to make sure:
-
javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);
- To make pictures fly around. Make sure to find a site like Google Images so there are more pictures!(If you press the refresh button, it goes really fast, but might only work with macOS):
-
javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.cos(R*x1+i*x1+x2)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);
- To spin circle of pictures. It funnels the pictures in a snake-like motion:
-
javascript:document.body.contentEditable='true';document.designMode='on';void 0
- To move things around on the webpage:
![Step 3 javascript:alert(document.forms[0].to.value=](#/Image:Use-JavaScript-Injections-Step-3-Version-2.jpg)
Advertisement
Community Q&A
Search
-
QuestionIs this the equivalent of the JavaScript console?Community AnswerYes; this is much less limited, though. The JavaScript console in the dev tools has features such as auto-completion and can show your history of executed commands. Additionally, you can check things such as break points for analyzing and debugging your code.
-
QuestionIn Step 3, how do I select a form? The example specifies forms[0], but how do I actually specify a certain form if the code has several forms within it?Community AnswerYou can select forms from the website using document.forms. The forms[0] indicates that it is the 1st form on the page, because the collection starts at 0. You can make a form with the HTML form tag, and you can learn more at sites like w3schools.
Ask a Question
200 characters left
Include your email address to get a message when this question is answered.
Submit
Advertisement
Video
Tips
- Only you can see the changes.Thanks
- The changes are not permanent. It's a static change that won't affect any server information.Thanks
- If you're using a browser with an address bar that doubles as a search bar (e.g., Google Chrome), make sure that after you type in the JavaScript code, you select your address bar for processing the code, not the search function.
Thanks
Submit a Tip
All tip submissions are carefully reviewed before being published
Thanks for submitting a tip for review!
Advertisement
Expert Interview
Thanks for reading our article! If you’d like to learn more about dealing with html, check out our in-depth interview with Jessica Andzouana .
References
About This Article
Thanks to all authors for creating a page that has been read 514,595 times.
Advertisement
