in reply to Re: Re: Can't Automate Login To System
in thread Can't Automate Login To System

I should say again, the form can be submitted without JavaScript
Your question looked pretty interesting, so I took a stab at it. Turns out I can't log in at all using mozilla.
Here's what I tried:

Of these, only using genuine IE worked — they're doing something nefarious.
So, a quick experiment with an HTTP Sniffer reveals that IE POSTs the request, to which the webserver doesn't appear to respond, but it does offer a 301 redirect to another GET request.

I've got absolutely no idea how this works — as I understand HTTP, this shouldn't happen; which probably explains why it doesn't work with Mozilla. Could you show us some (password/username-sanitized) code so we can play with it ourselves?

Update: This bit added

so what the point of their weird MD5-hashing of hidden fields and passwords is I don't know
That appears to be used if JavaScript's enabled (which would probably be for 95% of their users) — it prevents transmission of the password in cleartext. Instead, an MD5 hash of their password with a server-provided challenge is sent. The challenge token probably (hopefully) expires once used, and after a timeout period. This is a pretty effective way of preventing password-sniffing, and because the password entry would still be there for non-JavaScript browsers, it'd work for users without JavaScript (although they'd have to be using a broken browser as discussed above).

cheers


davis
It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.

  • Comment on Re: Re: Re: Can't Automate Login To System

Replies are listed 'Best First'.
Re: Re: Re: Re: Can't Automate Login To System
by Cody Pendant (Prior) on Dec 03, 2003 at 11:20 UTC
    I've got absolutely no idea how this works — as I understand HTTP, this shouldn't happen; which probably explains why it doesn't work with Mozilla. Could you show us some (password/username-sanitized) code so we can play with it ourselves?

    I gleaned some of that too, by trying to log in with Lynx. It kept giving me error messages, but you can actually get in with Lynx, because it will say something like "POST doesn't work, want to continue with GET instead?"

    I haven't got my code here to show you but essentially what I'd do is get the page with LWP, grab the hidden field values (the "challenges") then construct a form submission to the form's "action" by shoving all the key-value pairs into a string. Something like (pseudocode) 

    $login = new HTTP::Request($action);
$login->type(www-encoded form);
$login->content('a=1&b=2&c=3');
$useragent->do($login)

    [download]
    and I presume that's what WWW::Mechanize was doing too. 

    ($_='kkvvttuubbooppuuiiffssqqffssmmiibbddllffss')
 =~y~b-v~a-z~s;                             print

    [download]
[reply]
[d/l]
[select]

      I guess it would be possible to do this with LWP, but you might find it easier just using the cookie_jar function with a fabricated cookies file (probably using the info sniffed from IE once you've selected the "remember my details" checkbox). This would probably bypass that evil login form and allow you access what you were after in the first place.
      Hope this helps.


      davis
      It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.
[reply]

In Section Seekers of Perl Wisdom