Author | Message | Time |
---|---|---|
Sixen | So hmph? Is it possible? Here's the current code I've got that fills the information for everything else, however if the field is masked then I cannot input text into the textbox this way. If it matters, the issue is the password textbox. [code]Private Sub cmdGo_Click() Dim Gateway As String Dim Account As String Dim Password As String Dim Subject As String Dim Body As String Dim Signature As String Dim URL As String Dim flags As Long Dim targetFrame As String Dim Postdata() As Byte Dim Headers As String Gateway = cbGateway.Text Account = txtAccount.Text Password = txtPassword.Text Subject = txtSubject.Text Body = txtBody.Text Signature = chkSignature.Value URL = txtURL.Text targetFrame = "" Postdata = "Cluster=" & Gateway & "&Account=" & Account & "&Password=" & Password & "&Subject=" & Subject & "&Body=" & Body & "&AutoSignature=" & Signature Postdata = StrConv(Postdata, vbFromUnicode) Headers = "Content-Type: application/x-www-form-urlencoded " & vbCrLf WebBrowser1.Navigate URL, flags, targetFrame, Postdata, Headers End Sub[/code] | July 9, 2008, 8:33 AM |
iago | Hidden fields are submitted the exact same as any other field. | July 30, 2008, 1:35 PM |
Myndfyr | [quote author=iago link=topic=17564.msg179128#msg179128 date=1217424907] Hidden fields are submitted the exact same as any other field. [/quote] So are password fields. Interestingly though, your code appears to be subject to a number of potential security flaws based on URL encoding. | July 30, 2008, 3:37 PM |
iago | Right, password fields. Incidentally, you're missing the "Content-length" header, which is required for post data. | July 30, 2008, 7:02 PM |
Sixen | It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/. Anyway, apparently I need to make a secure connection somehow. | August 1, 2008, 5:36 AM |
Myndfyr | [quote author=Sixen link=topic=17564.msg179149#msg179149 date=1217568991] It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/. Anyway, apparently I need to make a secure connection somehow. [/quote] Making a secure connection wouldn't address the underlying security issues. The one about URL encoding - if a user enters an ampersand, for instance, into any of your text boxes, you'll get hosed because you're just using unchecked input. Securing the password can be done fairly straightforwardly by implementing a server-side and client-side token. The tokens can be exchanged in cleartext and it still prevents a man-in-the-middle attack; however, it requires that the server already have a hashed version of the password without having had tokens applied to it. (This happens to be why SRP is a better key exchange than Battle.net's original implementation, for instance; SRP is secure even if the communication is intercepted at account creation). | August 1, 2008, 9:30 AM |
iago | [quote author=Sixen link=topic=17564.msg179149#msg179149 date=1217568991] It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/. [/quote] Content-length is required when you're submitting POST data, but not for GET requests. | August 1, 2008, 1:43 PM |
iago | [quote author=MyndFyre[vL] link=topic=17564.msg179150#msg179150 date=1217583040] [quote author=Sixen link=topic=17564.msg179149#msg179149 date=1217568991] It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/. Anyway, apparently I need to make a secure connection somehow. [/quote] Making a secure connection wouldn't address the underlying security issues. The one about URL encoding - if a user enters an ampersand, for instance, into any of your text boxes, you'll get hosed because you're just using unchecked input. Securing the password can be done fairly straightforwardly by implementing a server-side and client-side token. The tokens can be exchanged in cleartext and it still prevents a man-in-the-middle attack; however, it requires that the server already have a hashed version of the password without having had tokens applied to it. (This happens to be why SRP is a better key exchange than Battle.net's original implementation, for instance; SRP is secure even if the communication is intercepted at account creation). [/quote] You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :) | August 1, 2008, 1:44 PM |
Myndfyr | [quote author=iago link=topic=17564.msg179152#msg179152 date=1217598268] You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :) [/quote] You're correct! I was in fact making that assumption. | August 2, 2008, 12:46 AM |
Sixen | [quote author=MyndFyre[vL] link=topic=17564.msg179154#msg179154 date=1217637963] [quote author=iago link=topic=17564.msg179152#msg179152 date=1217598268] You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :) [/quote] You're correct! I was in fact making that assumption. [/quote] I don't, :(. Blizzard's website servers control the server, hence why this really wouldn't be possible, Mynd.. =/. [quote author=iago link=topic=17564.msg179151#msg179151 date=1217598234] Content-length is required when you're submitting POST data, but not for GET requests. [/quote] Understood, <3. | August 4, 2008, 6:20 AM |
Barabajagal | Oh, you're making a blizzard.com/account creator to get 26 digit keys? | August 4, 2008, 6:40 AM |
Sixen | [quote author=Andy link=topic=17564.msg179173#msg179173 date=1217832037] Oh, you're making a blizzard.com/account creator to get 26 digit keys? [/quote] Was actually just making a forum AI Bot, heh. Problem is, I can't get the password field to get sent through. | August 4, 2008, 11:09 PM |
Barabajagal | Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable. | August 5, 2008, 12:22 AM |
iago | [quote author=Sixen link=topic=17564.msg179186#msg179186 date=1217891366] [quote author=Andy link=topic=17564.msg179173#msg179173 date=1217832037] Oh, you're making a blizzard.com/account creator to get 26 digit keys? [/quote] Was actually just making a forum AI Bot, heh. Problem is, I can't get the password field to get sent through. [/quote] Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first. | August 5, 2008, 3:28 AM |
Sixen | [quote author=Andy link=topic=17564.msg179189#msg179189 date=1217895761] Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable. [/quote] Care to explain a little bit more? [quote author=iago link=topic=17564.msg179190#msg179190 date=1217906911] Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first. [/quote] Yeah, that's correct, iago. I found that out shortly after originally making this thread. Anyway, it is in fact encrypted, which is why I said I need to figure out how to make a secure connection. It uses SSL. | August 5, 2008, 5:38 AM |
Myndfyr | [quote author=Sixen link=topic=17564.msg179193#msg179193 date=1217914711] [quote author=Andy link=topic=17564.msg179189#msg179189 date=1217895761] Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable. [/quote] Care to explain a little bit more? [quote author=iago link=topic=17564.msg179190#msg179190 date=1217906911] Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first. [/quote] Yeah, that's correct, iago. I found that out shortly after originally making this thread. Anyway, it is in fact encrypted, which is why I said I need to figure out how to make a secure connection. It uses SSL. [/quote] SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript. | August 5, 2008, 7:30 AM |
iago | [quote author=MyndFyre[vL] link=topic=17564.msg179195#msg179195 date=1217921419] SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript. [/quote] Myndfyre's right, this has nothing to do with SSL and everything to do with Javascript. | August 5, 2008, 12:21 PM |
dlStevens | Just use .NET and the webbrowsercontrol, you could do it in less than 10 lines of code. | August 5, 2008, 6:41 PM |
Sixen | [quote author=iago link=topic=17564.msg179199#msg179199 date=1217938918] [quote author=MyndFyre[vL] link=topic=17564.msg179195#msg179195 date=1217921419] SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript. [/quote] Myndfyre's right, this has nothing to do with SSL and everything to do with Javascript. [/quote] Hmph.. [quote author=Dale link=topic=17564.msg179204#msg179204 date=1217961667] Just use .NET and the webbrowsercontrol, you could do it in less than 10 lines of code. [/quote] Wouldn't I still be stuck at this part though? =P. | August 6, 2008, 8:17 PM |
dlStevens | [quote author=Sixen link=topic=17564.msg179218#msg179218 date=1218053836] [quote author=iago link=topic=17564.msg179199#msg179199 date=1217938918] [quote author=MyndFyre[vL] link=topic=17564.msg179195#msg179195 date=1217921419] SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript. [/quote] Myndfyre's right, this has nothing to do with SSL and everything to do with Javascript. [/quote] Hmph.. [quote author=Dale link=topic=17564.msg179204#msg179204 date=1217961667] Just use .NET and the webbrowsercontrol, you could do it in less than 10 lines of code. [/quote] Wouldn't I still be stuck at this part though? =P. [/quote] Well no, not that I'd think, you just get the element id and set its innerText *EDIT: I just read back to your original post, and I'm pretty sure this would solve your problem considering I made an auto-login bot for a website without a problem. | September 19, 2008, 10:52 PM |
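
The URL-encoding problem raised in the thread (an ampersand typed into a text box) and the Content-Length point, as an added example that is not code from any poster. It is written in Python rather than VB6 so the server's view of the body can be shown next to the client's; the field names come from the posted code, while the sample values and function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Field names follow the posted VB6 code; every value is constructed sample input.
FIELDS = {
    "Cluster": "gateway1",
    "Account": "sixen",
    "Password": "p&ss=word&Account=admin",  # user-typed text containing & and =
    "Subject": "Hello",
    "Body": "50% off + more",
    "AutoSignature": "1",
}


def build_body_concat(fields):
    """Mirror of the posted approach: raw string concatenation, no encoding."""
    return "&".join(f"{name}={value}" for name, value in fields.items())


def build_body_encoded(fields):
    """Percent-encode every name and value before joining them with '&'."""
    return urlencode(fields)


def server_view(body):
    """What a standard form parser on the receiving side recovers from the body."""
    return parse_qs(body, keep_blank_values=True)


def post_headers(body):
    """Headers for the POST; Content-Length is the byte length of the body."""
    raw = body.encode("ascii")  # an encoded form body is plain ASCII
    return {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(raw)),
    }


if __name__ == "__main__":
    for build in (build_body_concat, build_body_encoded):
        body = build(FIELDS)
        print(build.__name__, "->", body)
        print("  server sees:", server_view(body))
    print(post_headers(build_body_encoded(FIELDS)))
```

With concatenation the password is cut at the first `&` and the rest of the typed text is parsed as extra fields, including a second `Account` value; with encoding each field arrives as exactly the text that was entered.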