in reply to Re: WWW::Mechanize and buttons tied to javascript
in thread WWW::Mechanize and buttons tied to javascript

That doesn't look very much like POST data, not any regular kind of POST data, where did you get that from?



Maybe my terminology was incorrect. When I logged into the website via Chrome, that was the data listed under the "Form Data" section of the Network->Headers section of the Chrome Developer Tools.

Well, you'd do it by figuring out and knowing what the javascript does and the way it does it, then replicate that request -- do you know javascript?



I only know a little bit, but that was kind of why I was asking this question. How would I figure out what the website is doing? As I said in my post, it appears to be taking the form data I entered, verifying the responses, and GETting the location URL I posted above. The only part I really don't understand is the ANTI_CSRF_TOKEN.

I will look into phantomjs.

Re^3: WWW::Mechanize and buttons tied to javascript
by Anonymous Monk on Jul 05, 2014 at 03:14 UTC

    Maybe my terminology was incorrect. When I logged into the website via Chrome, that was the data listed under the "Form Data" section of the Network->Headers section of the Chrome Developer Tools.

    :) Well, your terminology appears correct ... form data usually comes delimited with "=" whereas headers are delimited with ":" ... the data you've shown has two:two:two ... that confused me a bit ... I don't have chrome :)

    I only know a little bit, but that was kind of why I was asking this question. How would I figure out what the website is doing?

    :) I already explained -- I'd do it by figuring out and knowing what the javascript does and the way it does it -- this means I'd read the javascript program -- try a few of the functions (firefox ctrl+shift+k or ctrl+shift+j ) -- the open source version of reverse engineering

    lots of times they just fetch this var, fetch that one, do some simple substitution/addition ... sometimes they md5 or sha256 some part and set a new variable ... sometimes it's considerably more pointless contortions (esp difficult to discern when they use jsmin type compressors)

    The only part I really don't understand is the ANTI_CSRF_TOKEN.

    It's just another form variable, it's given to your browser to prevent replay attacks and session riding... CSRF ... https://www.owasp.org/index.php/Session_Management#Page_and_Form_Tokens , Cryptographic nonce, Plack::Middleware::CSRFBlock
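
The exchange described in the reply above, as an added example that is not part of the original thread: a server issues ANTI_CSRF_TOKEN as a hidden form field tied to the session, and a scripted client has to fetch the form and send that field back. The HMAC-of-session-id scheme, the key, the session ids and the helper names are assumptions for illustration (the real site's scheme is unknown), and only core Perl modules are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed value for the demo; a real server keeps its key secret.
my $SERVER_KEY = 'demo-key-not-for-production';

# Server side (assumed scheme): the token is an HMAC over the session id,
# so it is only valid together with the session it was issued for.
sub issue_token { my ($sid) = @_; return hmac_sha256_hex($sid, $SERVER_KEY) }

# Server side: render the login form with the token as a hidden field.
sub render_form {
    my ($sid) = @_;
    my $tok = issue_token($sid);
    return qq{<form method="post" action="/login">\n}
         . qq{<input type="hidden" name="ANTI_CSRF_TOKEN" value="$tok">\n}
         . qq{<input name="user"><input type="password" name="pass">\n</form>\n};
}

# Server side: accept the POST only if the token matches the session.
sub check_post {
    my ($sid, $form) = @_;
    my $got  = $form->{ANTI_CSRF_TOKEN} // '';
    my $want = issue_token($sid);
    return 0 unless length($got) == length($want);
    my $diff = 0;                       # constant-time comparison
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($want) - 1;
    return $diff == 0 ? 1 : 0;
}

# Client side: a scripted client must GET the form first, read the
# hidden field, and send it back within the same session.
sub client_fields {
    my ($html) = @_;
    my ($tok) = $html =~ /name="ANTI_CSRF_TOKEN"\s+value="([0-9a-f]+)"/;
    return { ANTI_CSRF_TOKEN => $tok, user => 'alice', pass => 'constructed' };
}

my $form = client_fields(render_form('session-A'));
print "same session, token from form:  ", check_post('session-A', $form), "\n";
print "token reused in other session:  ", check_post('session-B', $form), "\n";
print "POST without fetching the form: ",
      check_post('session-A', { user => 'alice', pass => 'constructed' }), "\n";
```

With WWW::Mechanize the client half usually needs no extra code when the token is already in the HTML form, because hidden fields are submitted along with the form; it takes manual work only when JavaScript computes or inserts the value.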