Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

hmtl form - block script sccess

  • 29-03-2007 7:53am
    #1
    Closed Accounts Posts: 532 ✭✭✭


    Hi there,
    I was just wondering what how or is it possible to write a html form (say a login to a website, with username and password fields) that can know if its a perl or python script thats filling it out, and then reject that connection?

    This is something ive been looking into this last while and trying it out myself with some perl/python on some site's im a member of. It works on most sites (using a script to login that is) but not on others and i was wondering whats the difference?

    Thanks for your help


Comments

  • Registered Users, Registered Users 2 Posts: 3,594 ✭✭✭forbairt


    could be as simple as POST instead of GET .... if you have the username and password I wouldn't see why you wouldn't be able to connect to a page using a script


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Yes and no. It's a bit of a black art.

    It's definitely possible.
    There are a number of server headers that you can use to check who is attempting to log in:

    Referer - This is the name of the page that you were last at (i.e. the page that contained the link to this one). You can specify that "If the referer isn't one of these pagesm then, don't continue". This item can be spoofed, so it's not foolproof.
    User-Agent - This is an identifier of who is accessing the script. Browsers have big long identifying pieces of text, scripting languages tend to just use thing like "PHP/5.0". This too can be spoofed, so again it's not foolproof.

    One way to do it is to rely on something that browser have but scripting languages don't - Javascript.

    Put simply, you add a hidden field to your form, "validate" or something. Set this to false, and then when the submit button is pressed, change it to "true", using javascript. Of course, if the user has Javascript disabled, they'll never be able to log in.


  • Closed Accounts Posts: 532 ✭✭✭slemons


    thanks for the help.

    I am actually trying to replicate some of this myself to see whats going on.

    Here is the form im trying to access using a python script

    [PHP] <td align=left valign=bottom nowrap>
    <form action="http://www.easynews.com/login/&quot; method=post name="login">
    <font face=arial size="+1"><u><b>MEMBERS LOGIN</b></u></font><br><br>
    <font face=arial size=-1>USERNAME:</font><br>
    <input type="text" name="username" size=15 maxlength=15><br>
    <font face=arial size=-1>PASSWORD:</font><br>
    <input type="password" name="password" size=15 maxlength=15><br>
    <input type="submit" value="login"><br>
    </form>
    </td>[/PHP]

    this must be a post method! and the two fields are username and password.
    so my python script is :




    [PHP]#!/usr/bin/python
    import urllib

    data = urllib.urlencode({"username" : "XXXXXX", "password" : "XXXXXXX"})
    f = urllib.urlopen("http://www.easynews.com",data)
    s = f.read()
    print s[/PHP]


    from my limitedknowledge of python, that should work but it doesnt and infact the print s statment prints the exact same html for
    f = urllib.urlopen("http://www.easynews.com")
    as
    f = urllib.urlopen("http://www.easynews.com",data)

    which is very strange. Its as if the form is just totally ignoring my request!

    any idea's whats going on?

    Or how i can find out what exactly the form is doing nehind the scenes?

    Seamus - you raised some good points? Any idea how i can find out for sure what the form is actually checking for?

    I mean it should always be possible to get this form to submit using a script since there's no authenication image or anything like that
    thanks!


  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭phil


    All Javascript does it mimick client behaviour. Any intelligent developer can decode the Javascript on the page, see it's setting that variable to true and simply do so on their script automatically.

    If you want to programatically simulate client browsers through Python use Mechanize:

    http://wwwsearch.sourceforge.net/mechanize/

    If you're still having problems I can knock something up quick that would log you in and get a page on an example site.

    Phil.


  • Registered Users, Registered Users 2 Posts: 3,594 ✭✭✭forbairt


    slemons wrote:
    [PHP] <td align=left valign=bottom nowrap>
    <form action="http://www.easynews.com/login/&quot; method=post name="login">
    <font face=arial size="+1"><u><b>MEMBERS LOGIN</b></u></font><br><br>
    <font face=arial size=-1>USERNAME:</font><br>
    <input type="text" name="username" size=15 maxlength=15><br>
    <font face=arial size=-1>PASSWORD:</font><br>
    <input type="password" name="password" size=15 maxlength=15><br>
    <input type="submit" value="login"><br>
    </form>
    </td>[/PHP]


    Not going into too much detail as I don't know all the details and haven't used python much ... but you haven't submitted the "submit" with value "login" ... potentially they are looking for this in the POST variables ...


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭phil


    Nope, that's incorrect. The name attribute on the relevant input tag hasn't been set and therefore the submit button isn't passed along through the form.

    Phil.


  • Registered Users, Registered Users 2 Posts: 3,594 ✭✭✭forbairt


    had missed that ... I stand corrected :)


  • Registered Users, Registered Users 2 Posts: 3,594 ✭✭✭forbairt


    From that site easynews btw ...
    * You must have session cookies enabled to access the site.

    So its looking for a cookie ... and not seeing one ... ?


  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭phil


    Yup, as I said, use mechanize it will make your life much easier, it will take care of cookies and other such things.

    Something like the following should work:
    import mechanize
    
    br = mechanize.Browser()
    br.open("http://www.easynews.com/")
    br.select_form(name="login")
    br["username"] = "testing"
    br["password"] = "pass123"
    r = br.submit()
    
    print r.read()
    

    Beware, not tested


  • Closed Accounts Posts: 532 ✭✭✭slemons


    lads ye are legends!
    ive no idea about all this stuff
    I was actually going to try using perl's mechanize before you said this since its in that 02sms script and that works fine.
    Id like to stick with python though so i'll give that last bit of code a whirl as soon as i get mechanize and easy install for python going.
    thanks!
    i'll report back soon


  • Advertisement
  • Closed Accounts Posts: 532 ✭✭✭slemons


    na seriously lads ye are legends!! esp yourself phil!
    5 full seconds of work using that code and its flying it.
    I was messing with that for about 6 weeks and got nothing

    Im really starting to loev python. Forget perl!!

    Thanks again
    Looks like the cookie monster struck but i got tha last laugh! lol


  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭phil


    All you're really doing there is utilizing the Mechanize module , it's available in perl as well :)

    Anyways, no problem, enjoy!


Advertisement