Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I want to enter with LWP on a site where, to enter the password, you must click on a virtual kayboard on the screen.

I tried to identify on my classic browser, and then get the cookies with LWP, but it doesn't work.

Any track?

Replies are listed 'Best First'.
Re: mouse keyboard
by erroneousBollock (Curate) on Aug 26, 2007 at 10:40 UTC
    Most of those virtual-keyboard things are specifically designed to make it difficult to automate their use... this is to stop trojan's from recording or re-using your bank account authentication details.

    The keyboards are usually implemented in Javascript; I've seen two different kinds:

    1. The keys are in random locations inside the virtual keyboard (in order to stop a trojan from recording the click positions)
    2. As in (1), but the keys change position on each click.

    Usually, the virtual keyboard produces a one-time hash value dependent on the initial position of the keyboard keys so that simply sniffing the HTTP traffic does not help much (unfortunately, I have seen really insecure ones out there).

    While these virtual keyboards do not really add a lot of security (it's still just a secondary secret key you must remember) they are genuinely annoying... and can be by-passed.

    (I just remembered seeing a virtual keyboard that was a naive replacement for the user's password in a login form. You can easily by-pass that by talking to the back-end directly).

    Generally, my approach to this kind of problem would be to use Javascript on the client side (perhaps using Mozilla::Mechanize) to determine the positions of the keys, and to respond to changes. Unless it's obvious that you can figure out the hashing algorithm yourself given the inputs and outputs of the keyboard over time, there's not really a lot of options.

    As this is a sensitive area w.r.t security, I will not post example code immediately. Perhaps you could show us what you have achieved so far (leaving in the details of the particular site, but not your login details) ?

    -David

[reply]
Re: mouse keyboard
by CountZero (Bishop) on Aug 26, 2007 at 19:54 UTC
    What you should really try to do is to intercept the traffic between the page with the virtual keyboard and the server. In the end, whatever the way of inputting data, it all has to be send to the web-server by using the HTTP or HTTPS protocols. The normal way to do that is by linking to the web-site through a proxy-server you control and where you can log the traffic.

    CountZero

    A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

[reply]

Back to Seekers of Perl Wisdom