Thread: Hidden fields in forms
From: Peter B. <pwb...@ho...> - 2010-06-16 08:25:05

I have just started to use curl-loader and it's looking great! I have hit a problem with security. The site uses a hidden field which has a randomly generated value, like this:

<input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='60d74dd4115ee9e876d6a5f258a1ee9b' />
From: Peter B. <pwb...@ho...> - 2010-06-16 08:42:57

I have just started to use curl-loader and it's looking great! But I have hit a problem with security. The site uses a hidden field which has a randomly generated value, like this:

<input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />

I need to post this back when POSTing the form. Is this possible with curl-loader? If not, are there plans to implement it? It seems that scan_for_key and scan_for_value would need to be changed...
From: Robert I. <cor...@gm...> - 2010-06-16 18:33:53

Hi Peter,

On Wed, Jun 16, 2010 at 11:42 AM, Peter Becker <pwb...@ho...> wrote:
> I have just started to use curl-loader and it's looking great!
>
> But I have hit a problem with security.
>
> The site uses a hidden field which has a randomly generated value, like this:
>
> <input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />

Please, provide your filled PRF (PROBLEM-REPORTING Form).

> I need to post this back when POSTing the form. Is this possible with
> curl-loader?
> If not, are there plans to implement it? It seems that scan_for_key and
> scan_for_value would need to be changed...

Look in the examples and read the FAQs.
There are a couple of ways to make POSTING, including taking params from a file.

--
Truly,
Robert Iakobashvili, Ph.D.
......................................................................
www.ghotit.com
Assistive technology that understands you
......................................................................
From: Peter B. <pwb...@ho...> - 2010-06-16 20:05:10

Thank you Robert. I have read all the documentation several times, and find no reference to this issue. I do not have a problem compiling, running etc., so the details requested on the PRF are truly irrelevant. My question is about functionality, as described.

I want to know if I can pick up the value of a hidden field as below, and post that back.

<input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />

When I try to use RESPONSE_TOKEN=securitytoken, the value of this token is recorded as 'name', but (of course) I need to post back 123456789abcdef0123456.

Kind regards,
Peter
From: Robert I. <cor...@gm...> - 2010-06-16 20:29:08

Hi Peter,

On Wed, Jun 16, 2010 at 11:05 PM, Peter Becker <pwb...@ho...> wrote:
> Thank you Robert. I have read all the documentation several times, and
> find no reference to this issue.
> I do not have a problem compiling, running etc., so the details requested on
> the PRF are truly irrelevant. My question is about functionality, as
> described.

This is a common mistake.

> I want to know if I can pick up the value of a hidden field as below, and
> post that back.
>
> <input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />
>
> When I try to use RESPONSE_TOKEN=securitytoken, the value of this token is
> recorded as 'name', but (of course) I need to post back
> 123456789abcdef0123456.

This is explained in docs/FAQs within the curl-loader bundle and in the man page of curl-loader-config; examples are in conf-examples.
From: Robert I. <cor...@gm...> - 2010-06-16 20:33:00

Hi Peter,

On Wed, Jun 16, 2010 at 11:29 PM, Robert Iakobashvili <cor...@gm...> wrote:
>> I want to know if I can pick up the value of a hidden field as below, and
>> post that back.
>>
>> <input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />
>>
>> When I try to use RESPONSE_TOKEN=securitytoken, the value of this token is
>> recorded as 'name', but (of course) I need to post back
>> 123456789abcdef0123456.
>
> This is explained in docs/FAQs within curl-loader bundle, in man page of
> curl-loader-config and examples are in conf-examples.

Look how to POST after GET.
From: Peter B. <pwb...@ho...> - 2010-06-22 15:34:55

Hello again Robert. Thank you for your response.

It would be most useful if you could give specific references, for example a section number in the FAQ, or the name of the TAG I should be looking at, or _anything_ specific that would help me find what I need. As I mentioned, I have read all the documents you refer to, and have not yet found it. Googling curl-loader "post after get" returns no hits.

Kind regards,
Peter
From: Robert I. <cor...@gm...> - 2010-06-22 15:47:51

Hi Peter,

On Tue, Jun 22, 2010 at 6:34 PM, Peter Becker <pwb...@ho...> wrote:
> Hello again Robert. Thank you for your response.
>
> It would be most useful if you could give specific references, for example
> a section number in the FAQ, or the name of the TAG I should be looking at,
> or _anything_ specific that would help me find what I need. As I mentioned,
> I have read all the documents you refer to, and have not yet found it.
> Googling curl-loader "post after get" returns no hits.
>
> Kind regards,
> Peter

The rules of the list: the PRF first.
From: Peter B. <pwb...@ho...> - 2010-06-22 20:48:18

CURL-LOADER VERSION: 0.51, January, 2010
HW DETAILS: CPU/S and memory are must: IRRELEVANT
LINUX DISTRIBUTION and KERNEL (uname -r): IRRELEVANT
GCC VERSION (gcc -v): IRRELEVANT
COMPILATION AND MAKING OPTIONS (if defaults changed): IRRELEVANT
COMMAND-LINE: IRRELEVANT
CONFIGURATION-FILE (The most common source of problems):
Place the file inline here: n/a, IRRELEVANT
DOES THE PROBLEM AFFECT:
COMPILATION? No
LINKING? No
EXECUTION? No
OTHER (please specify)?
Have you run $make cleanall prior to $make ? YES/IRRELEVANT
DESCRIPTION: See below

QUESTION/ SUGGESTION/ PATCH:
I want to know if I can pick up the value of a hidden field as below, and post that back.

<input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />

When I try to use RESPONSE_TOKEN=securitytoken, the value of this token is recorded as 'name', but (of course) I need to post back 123456789abcdef0123456.
From: Gary F. <ga...@iF...> - 2010-06-23 23:48:11

Peter,

I was the one who added the RESPONSE_TOKEN function to curl_loader. I no longer have access to my original code, or to a system where I could work on the code, but I do occasionally look at this list, and I did find some of the documentation for RESPONSE_TOKEN that I contributed:

> RESPONSE_TOKEN - (Example: RESPONSE_TOKEN = user_id) There can be any number of RESPONSE_TOKENs in an URL or URL_TEMPLATE subsection. When curl-loader fetches the url, it will scan the server's response for all the response tokens. If found, curl-loader will save the "value" of each response token for use in constructing later URL_TEMPLATEs (see URL_TOKEN below). For instance, if we specify RESPONSE_TOKEN = user_id, and if the server response contains ... user_id=1234 ..., then we will save the name-value pair "user_id, 1234". Different clients may well receive different responses and save different values, thus constructing different urls from later templates.
>
> In more detail: names and values are either quoted strings or extended-alphanumeric strings that may contain the 8-bit characters A-Z, a-z, 0-9, @, underscore, and dot. When an url is fetched, the server's response will be scanned for tokens that match any of the url's RESPONSE_TOKENs. If a match is found, the next extended alphanumeric token, or quoted string, in the server response will be taken as the value. All such values will be saved on a per-client basis, and used to construct subsequent URL_TEMPLATEs for that client (see URL_TOKEN below).
>
> Notes: The order of the RESPONSE_TOKENs in the url subsection is immaterial. Matches and values are collected across response-packet boundaries. Once a value is collected from a particular server response, the scanning for that token stops, and subsequent occurrences of that token in the response will not trigger a new value collection. Finally, a RESPONSE_TOKEN with the same name as one in a previous url will replace any previously collected value for that name.
>
> Examples: RESPONSE_TOKEN = user_id would collect the intended value in the following server responses:
> ... user_id 1234 ...
> ... user_id = 1234 ...
> ... user_id="1234" ...
> ... user_id = "Jane Doe" ...
> ... user_id = ja...@fo... ...
> ... <user_id> 1234 </user_id>
> (This mechanism would not work for ...name=user_id value=1234... and other more complex syntax.)
>
> Limitations: There is no support for wide characters, and no support for saving multiple values of the same name from different responses.

As you can see from the last paragraph, the capability you want isn't there, and you would have to add it. Sorry.

Gary Fitts
From: Peter B. <pwb...@ho...> - 2010-06-25 09:24:15

Many thanks Gary for your most helpful reply. I had read the section in the documentation on RESPONSE_TOKEN many times, and unfortunately it does not have the detail you provided here.

As you point out, I need a feature which curl-loader cannot at present do. This is probably a common issue, as the security feature I encountered is part of a standard Django/Python framework.

It is most disappointing that you don't have access to a system! It's probably a small change - just to look for a slightly different pattern: /name="x" value="y"/ instead of /x="y"/. Is there any way we can arrange to add this to the code?

As per my first post, I found the section of code which applies, but getting to understand it all was a bit daunting: scan_response/keyval_scan/kv_scan/scan_for_key/bitap_search... If I email you the source, please could you outline the change(s) needed, and I can implement them? I am fluent in C, so you would just have to give a little assistance... (This is, of course, only applicable if the current developer team are not willing to assist with this!)

Kind regards,
Peter
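The following is an added example, not curl-loader's code and not code posted by Gary or Peter. It puts the two scanning rules discussed in the last two messages side by side: a scan in the style Gary's documentation describes (after the token name, take the next quoted string or extended-alphanumeric run, where the class is A-Z, a-z, 0-9, @, underscore and dot), and the HTML-aware scan Peter proposes (find the <input> whose name attribute equals the token and return its value attribute). Function names and the sample response body are hypothetical and constructed for the example. Run against a Django-style form, the first rule matches the token name inside id='securitytoken', which precedes the name attribute, and collects the stray text between the quotes instead of the token; the second rule returns the hidden field's value. Whatever scanner is used, the value must be kept per client and posted back with that client's own cookies, because a CSRF token such as Django's csrfmiddlewaretoken is only accepted together with the cookie issued on the same GET.

```c
/* Added example, not curl-loader code: a RESPONSE_TOKEN-style scan (next quoted
 * string or extended-alphanumeric run after the token name) beside the HTML-aware
 * scan Peter proposes (the <input> whose name attribute equals the token).
 * All function and sample names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample response body, not a real capture. */
static const char SAMPLE_BODY[] =
    "<form method='post' action='/login/'>\n"
    "<input type='hidden' id='securitytoken' name='securitytoken' value='123456789abcdef0123456' />\n"
    "<input type='text' name='username' value='' />\n"
    "<input type='submit' value='Log in' />\n"
    "</form>\n<p>user_id = \"1234\"</p>\n";

/* The documented "extended alphanumeric" class: A-Z a-z 0-9 @ _ . */
static int is_ext_alnum(unsigned char c) { return isalnum(c) || c == '@' || c == '_' || c == '.'; }

/* ASCII case-insensitive equality, used for HTML attribute names. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Documented-style scan: find the first occurrence of token, then take the next
 * quoted string or extended-alphanumeric run as its value. Returns 1 if found. */
int naive_token_value(const char *body, const char *token, char *out, size_t outsz)
{
    const char *p = strstr(body, token);
    size_t n = 0;
    if (!p) return 0;
    p += strlen(token);
    while (*p && *p != '"' && *p != '\'' && !is_ext_alnum(*p)) p++;   /* skip = > and blanks */
    if (*p == '"' || *p == '\'') {
        char q = *p++;
        for (; *p && *p != q; p++) if (n + 1 < outsz) out[n++] = *p;
    } else {
        for (; *p && is_ext_alnum(*p); p++) if (n + 1 < outsz) out[n++] = *p;
    }
    out[n] = '\0';
    return 1;
}

/* Parse one attribute (name, optional ='value') of a tag starting at p.
 * Returns the position after it, or NULL at the end of the tag. */
static const char *next_attr(const char *p, char *name, size_t nsz, char *val, size_t vsz)
{
    size_t n = 0, v = 0;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '>' || *p == '/') return NULL;
    for (; *p && !isspace((unsigned char)*p) && !strchr("=>/", *p); p++)
        if (n + 1 < nsz) name[n++] = *p;
    name[n] = '\0';
    val[0] = '\0';
    while (isspace((unsigned char)*p)) p++;
    if (*p != '=') return p;                 /* boolean attribute such as disabled */
    p++;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '"' || *p == '\'') {
        char q = *p++;
        for (; *p && *p != q; p++) if (v + 1 < vsz) val[v++] = *p;
        if (*p == q) p++;
    } else {
        for (; *p && !isspace((unsigned char)*p) && *p != '>'; p++) if (v + 1 < vsz) val[v++] = *p;
    }
    val[v] = '\0';
    return p;
}

/* HTML-aware scan: value attribute of the first <input> whose name attribute equals
 * token (tag name assumed lowercase). Returns 1 on success, 0 if no such field. */
int hidden_field_value(const char *body, const char *token, char *out, size_t outsz)
{
    const char *p = body, *q;
    char name[64], val[512], field_val[512];
    while ((p = strstr(p, "<input")) != NULL) {
        int matched = 0, have_val = 0;
        p += 6;
        while ((q = next_attr(p, name, sizeof name, val, sizeof val)) != NULL) {
            if (ieq(name, "name") && strcmp(val, token) == 0) matched = 1;
            else if (ieq(name, "value")) { strcpy(field_val, val); have_val = 1; }  /* same size as val */
            p = q;
        }
        if (matched && have_val) { snprintf(out, outsz, "%s", field_val); return 1; }
    }
    return 0;
}

/* Wrappers over the sample body; NULL when nothing was collected. */
const char *demo_naive(const char *token)
{
    static char buf[256];
    return naive_token_value(SAMPLE_BODY, token, buf, sizeof buf) ? buf : NULL;
}
const char *demo_hidden(const char *token)
{
    static char buf[512];
    return hidden_field_value(SAMPLE_BODY, token, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    printf("naive scan  securitytoken -> '%s'\n", demo_naive("securitytoken"));
    printf("hidden scan securitytoken -> '%s'\n", demo_hidden("securitytoken"));
    return 0;
}
```

The attribute parser deliberately stops at the first matching <input> and does not handle entity-encoded values or uppercase tag names; both are easy to add, but the point of the example is the difference between "next token after the name" and "value attribute of the element whose name attribute matches", which is exactly the gap the documentation's last paragraph describes.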
From: Gary F. <ga...@iF...> - 2010-06-25 13:10:37

If you email the source files, I'll take a look. No guarantees. Even if I can make the changes, I won't be able to test the result -- that would be up to you.

Gary