
The simplest way to test for this is to simply enter script into the parameter
and see if it is echoed back to the browser. Figure B.18 shows a request packet
being modified; the legitimate value for the parameter named userid is replaced
with a simple Java script.
Figure B.18 also demonstrates encoding the parameters. When manipulating
packets directly, you must remember that the content-length header has to be
updated to reflect the new length of the post data string. It might also be neces-
sary to encode the input. Web browsers do this for you automatically, and any
packet editor you use should allow you to do this as well.
After you’ve injected the ...