Thursday, November 11, 2010

Hacking the DOM of a site using Superscript



For this article, I will be using the program I created specifically for this kind of work: webDOMinator 1.0.


Intro


The scripting standard I'm using is my own language, created for performing super-scripting on web pages. Super-scripting gives you direct access to read and change elements in the Document Object Model (or DOM) of the web page you're viewing. The language has been dubbed "Minion" because it's like having a little programmed minion to do your bidding online. I call it a super-scripting language because it is not a script that lives inside the web browser being used; it exists outside the browser and can control both the browser and what is inside it.

Let's look at an example of a simple minion script just to show you how it works.
CODE :

navigate:www.google.com
click:dom.a.Images
pagewait
dom.input.q.value=monkey foo
submit:dom.form.1

This code is not really that useful to me, but it serves its purpose as an example. The first line, navigate:www.google.com, does what it looks like it does: it navigates the web browser to Google. The second line makes the system click the "Images" link in the DOM structure. The third line tells webDOM to wait for the page to load before performing the next action. Why didn't I need this between the first and second lines too? Because on a navigate command the system automatically waits for the next page to load before performing the next action. The fourth line is a property setting: it tells webDOM to change the value property of the DOM element dom.input.q to "monkey foo". I'll explain how this works in a bit. The fifth line, of course, submits the first form on the page.

Now your question might be: why do you use two different ways to reference or access a DOM element? That's simple: webDOM can reference DOM elements both by their name and by their sequential index in the DOM list for that element type. In the example code above, I write dom.input.q.value, which is a direct reference to the value property of the input element named q, while dom.form.1 refers to the first form element by index. The dom prefix simply specifies that I want something from the DOM of the web page the browser is currently on.

A Working Example


The Situation


Now let's look at how this tool can be applied to a real-world task. I have a client, whose name I will not disclose, who needed some free advertising... they wanted to run an e-mail spam campaign. The way they had been doing it was to go out and find e-mail addresses of counselors listed on .edu websites and put those into an Excel sheet, etc. etc.... in other words, the really slow manual way. I decided to start collecting e-mails for them.

I used siteBore to get the majority of the e-mails from certain websites within their target market (siteBore is webDOM's information-gathering spider: it scrapes pages for DOM info or e-mails in a spidering environment). There were a couple of specific sites I found that did not list e-mails but had thousands of people in my target market. Instead, since these people needed to be contacted directly by the public as part of their job and the site's services, the website offered a messaging system with a contact form. They also had an index of states in the country listing all of their users.

The Attack Plan



So, using the other tools in webDOM, like its automated user-list population tool and its mass PMing system, I started gathering a large list of about 4,000 of their users. After I started trying to send messages to them, I noticed that I could not change the subject of the message. This was a hidden field on the message form, set to something like "A Contact on x.com needs your help". Not only that, but I couldn't change the name of the contact; it just said "x.com contact form". I figured that if I was advertising services for their competitors using their own message forms, the target market would not receive the message in the right context, that of a better alternative :). So I simply wrote a script that changed that element of the form, since it was provided in the DOM tree :). By the way, this is an example of lazy programmers once again. They could easily have left the subject and contact out of the form for non-logged-in users and filled them in later on in their own code. But oh well, their loss. Anyway, here's the code I used:
CODE :

click:dom.a.Email me
pagewait
dom.input.your_name.value = xxxx.com
dom.input.your_email.value = xxxx@xxxx.com
dom.input.your_email1.value = xxxx@xxxx.com
dom.input.your_phone.value = xxx.xxx.xxxx
dom.input.subject.value = xxxx
dom.textarea.1.innerhtml = Hello, my name is xxxx and I'm inviting you to come be part of a xxxx website. We are currently in beta testing and we need people to help test our our features including: xxxx, xxxx, xxxx and xxxx, plus a growing community of clients and professionals like you... Currently, we're working on growing our provider base and would be pleased if you joined us for the open beta test of our system. Go to www.xxxx.com and sign up for a free account to check us out and start offering xxxx from anywhere you want.
click:dom.input.8

Since neither the subject nor the name was available, and they also had an e-mail confirmation line, something webDOM does not have as part of its normal PMing tool, I just used code to perform all of the actions needed. I clicked "PM All" and voilà! It worked like a charm. I could even watch the progress and what the bot was actually doing on the site.
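The fix the "lazy programmers" remark above alludes to, as an added example that is not part of the original post or the webDOMinator tool: a contact-form handler in Python that trusts every POSTed field, hidden subject and contact name included, beside one that sets those two values server-side and only accepts the fields a visitor is meant to fill in. The field names (your_name, your_email, your_email1, your_phone, subject) follow the form in the script above; the handler functions, the canonical values and the sample submission are constructed for this example.

```python
"""Added example (not from the post or the webDOMinator project): a contact-form
handler that trusts hidden fields beside one that does not.

Field names follow the form shown in the post; the functions, the canonical
values and TAMPERED_POST are constructed for this example.
"""
import re

# Values the server intends for every message sent through the public form.
CANONICAL_SUBJECT = "A Contact on x.com needs your help"
CANONICAL_SENDER = "x.com contact form"

# Fields a non-logged-in visitor is allowed to fill in. Anything else in the
# POST body (subject, your_name, ...) is ignored, never copied.
ALLOWED_VISITOR_FIELDS = {"your_email", "your_email1", "your_phone", "message"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def handle_contact_weak(form):
    """The behaviour the post exploits: every field in the POST body, hidden
    ones included, is copied straight into the outgoing message."""
    return {
        "from_name": form.get("your_name", CANONICAL_SENDER),
        "subject": form.get("subject", CANONICAL_SUBJECT),
        "reply_to": form.get("your_email", ""),
        "body": form.get("message", ""),
    }


def handle_contact_hardened(form):
    """Subject and sender name are assigned here, after the request is parsed,
    so the client cannot influence them. Unexpected fields are dropped and
    listed in the result so the caller can log the tampering attempt."""
    errors = []
    ignored = sorted(set(form) - ALLOWED_VISITOR_FIELDS)
    email = form.get("your_email", "").strip()
    if not EMAIL_RE.match(email):
        errors.append("invalid e-mail")
    if email != form.get("your_email1", "").strip():
        errors.append("e-mail confirmation mismatch")
    body = form.get("message", "").strip()
    if not body:
        errors.append("empty message")
    if errors:
        return {"ok": False, "message": None, "errors": errors, "ignored_fields": ignored}
    message = {
        "from_name": CANONICAL_SENDER,  # fixed server-side
        "subject": CANONICAL_SUBJECT,   # fixed server-side
        "reply_to": email,
        "body": body,
    }
    return {"ok": True, "message": message, "errors": [], "ignored_fields": ignored}


# Constructed submission: the visitor fields plus the two hidden fields the
# post shows being overwritten from the DOM.
TAMPERED_POST = {
    "your_name": "competitor.example",
    "your_email": "ads@competitor.example",
    "your_email1": "ads@competitor.example",
    "your_phone": "555.0100",
    "subject": "Join our beta",
    "message": "Hello, come sign up at competitor.example",
}

if __name__ == "__main__":
    print("weak:    ", handle_contact_weak(TAMPERED_POST))
    print("hardened:", handle_contact_hardened(TAMPERED_POST))
```

The hardened handler does not try to detect whether the hidden inputs were edited in the browser; it simply never reads them, which is the only approach that holds once the client has full control of the DOM. The ignored_fields list exists so that a request carrying fields the form never presented can be logged as a tampering signal.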

Success!


It only took about 2 hours to send out all 4,000 messages, and it turned out that we got about 14 user signups from it. That's about a 0.35% conversion ratio, which is decent enough for a spam campaign... needless to say, it was free advertising :)

What's even funnier, my client actually got a call from the other website's owner, who was infuriated about the whole thing. Guess he doesn't like to be DOMinated... Go figure.

What's More


Either way, you can use super-scripting to manipulate any website you choose in a very repetitive, programmatic way. I've seen some websites that don't accept POST information from external websites. The way around that is simply to use their own form, adding or removing the elements you need in order to do what you want with them.

Other things I use the Minion coding and webDOM for are building online profiles, adding friends, sending messages, etc. etc. These sites are constantly updating security, but nobody expects such a strong tool to be used on their site. For instance, one flimsy defense they use is Ajax, or JavaScript code and hidden submits. webDOM can see past all of this, and sees exactly what you can see in its browser window. Since your access to the DOM is in real time and not set up only once when the page loads, you can literally manipulate anything. I've even seen websites try things like using "div" elements to capture onclick events instead of providing a link for posting a message... well, fine... I can access the div element and change it or click on it directly from the super-script, no problem.
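Added example, not from the post: the run described in the Success section (4,000 messages in about two hours, each to a different user) has a distinctive shape in web-server logs, and the Ajax, JavaScript and hidden-submit defenses mentioned here don't change that shape, since every message still arrives at the server as a request. This Python script groups contact-form POSTs by source address, finds the largest number sent inside any ten-minute window, and reports addresses that reach a threshold together with how many distinct recipients they wrote to. The log format, the parse_line() helper and every line in SAMPLE_LOG are constructed for this example; adapt parse_line() to your own access-log format.

```python
"""Added example (not from the post): spotting a mass contact-form run in
web-server logs. The log format and every line in SAMPLE_LOG are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <client ip> <method> <path> <status> to=<recipient>"
# (a real deployment would parse its own access-log or application-log format).
def parse_line(line):
    ts, ip, method, path, status, to = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "to": to.split("=", 1)[1],
    }


def find_bursts(lines, path="/contact.php", window=timedelta(minutes=10), threshold=20):
    """Return, per source IP, the largest number of contact-form POSTs seen
    inside any interval of length `window`, plus the number of distinct
    recipients. Only IPs reaching `threshold` are reported: a visitor contacts
    a handful of people, a bot working through a scraped user list does not."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append((rec["ts"], rec["to"]))
    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best, j = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "max_in_window": best,
                "distinct_recipients": len({to for _, to in events}),
                "first_seen": times[0].isoformat(),
            })
    return alerts


def _constructed_log():
    base = datetime(2010, 11, 11, 14, 0, 0)
    lines = []
    # Bot: 30 submissions from one address, 10 s apart, each to a different user.
    for n in range(30):
        t = (base + timedelta(seconds=10 * n)).isoformat()
        lines.append(f"{t} 203.0.113.5 POST /contact.php 302 to=user{n:04d}")
    # Ordinary visitor: two submissions to the same person, minutes apart.
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 198.51.100.7 POST /contact.php 302 to=user0042")
    lines.append(f"{(base + timedelta(minutes=8)).isoformat()} 198.51.100.7 POST /contact.php 302 to=user0042")
    # A plain page view, not a submission.
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 192.0.2.9 GET /contact.php 200 to=-")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

The distinct-recipient count matters as much as the rate: a real person re-sending a message to one contact produces a burst of size two with one recipient, while the campaign in the post produces one recipient per message. Both numbers together make a cheap trigger for a CAPTCHA or a per-address sending limit on the form.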

All in all, super-scripting is a powerful new medium that will continue to surpass the security of websites until they come up with a completely new standard for building sites that doesn't use HTML.



Amit Tyagi
