From r.mariotti at financialdatacorp.com Tue Aug 24 09:42:32 2004 From: r.mariotti at financialdatacorp.com (Bob Mariotti) Date: Wed Aug 25 09:06:16 2004 Subject: [Hartford-pm] Help using LWP to change password Q's? Message-ID: <412B53D8.3070108@financialdatacorp.com> Fellow mongers; I have a mental block! I just cannot seem to get this logic to an understandable point. Therefore, I was hoping that some of you could explain the process somewhat. I have several reasonably complex scripts that use LWP to interact with a remote secured web site. Works great and reliably. Now the remote service site has implemented expiring passwords requiring the clients (my script) to change passwords periodically before its next access. Simple I'd say! So I created a relatively short script to do just that. Here's where my brain fry comes in: Q: How does the "submit" button interrelate with the "next" URL? Example: Initial https connect to specified page : https://xxx.yyy.com/ssp/jsp/blah.jsp LWP received the resulting page successfully which contains a form that has fields for username, current password, new password, new password again. The usual stuff. By examining the received HTML code I determined the fieldnames used above so that I could load them on my next POST operation. I also noted that on the FORM statement the value of the ACTION parameter was "ABC123" with NO extension. Also, the SUBMIT tag has an onClick function similar to this: "onClick="return subrname()". I assume that if the LWP POST operation is performed it emulates someone clicking on the SUBMIT button. The subroutine is a javascript editing routine that issues an alert(msg) and returns false or true. Assuming the response is true... must the programmer alter the URL for the POST operation at all? Or will LWP and/or HTTP take care of manipulating the URL in combination with the ACTION value? I'm sorry for the somewhat basic basis for this query but sometimes the gray cells don't work as well as they should. Thanks for ANY help and/or advice anyone can supply (please - no harassing?). Bob - Hartford PM +----------------------------------------+ |Bob Mariotti | Financial DataCorp | |Exec V.P. | 703 Hebron Avenue | |(860) 657-8983 | Glastonbury, CT 06033 | |email: r.mariotti@financialdatacorp.com | |Registered Linux User #320395 | +----------------------------------------+ From aml at world.std.com Tue Aug 24 10:46:48 2004 From: aml at world.std.com (Andrew Langmead) Date: Wed Aug 25 09:06:37 2004 Subject: [Hartford-pm] Re: [Boston.pm] Help using LWP to change password Q's? In-Reply-To: <412B53D8.3070108@financialdatacorp.com> Message-ID: On Tuesday, August 24, 2004, at 10:42 AM, Bob Mariotti wrote: > By examining the received HTML code I determined the fieldnames used > above so that I could load them on my next POST operation. I also > noted that on the FORM statement the value of the ACTION parameter was > "ABC123" with NO extension. Also, the SUBMIT tag has an onClick > function similar to this: "onClick="return subrname()". > > I assume that if the LWP POST operation is performed it emulates > someone clicking on the SUBMIT button. The subroutine is a javascript > editing routine that issues an alert(msg) and returns false or true. The javascript happens solely client side, LWP controls the communication between the client and the server. So to get this to work, you need to mimic the actions that the Javascript is doing before it sends the request. When the user clicks the submit button, instead of submitting the form, it runs the javascript function "subrname". Chances are, subrname performs some sort of side effects, like changing the form action. If subrname returns true, the form (in its current state, after whatever changes subrname caused) is sent to the server. I don't know what subrname looks like, or even if it is the same each time. It is possible that the site is intentionally trying to intentionally make it difficult to automate the password changing. If so, you might have an arms race on your hand. From aml at world.std.com Tue Aug 24 10:47:12 2004 From: aml at world.std.com (Andrew Langmead) Date: Wed Aug 25 09:06:37 2004 Subject: [Hartford-pm] Re: [Boston.pm] Help using LWP to change password Q's? In-Reply-To: <412B53D8.3070108@financialdatacorp.com> Message-ID: On Tuesday, August 24, 2004, at 10:42 AM, Bob Mariotti wrote: > By examining the received HTML code I determined the fieldnames used > above so that I could load them on my next POST operation. I also > noted that on the FORM statement the value of the ACTION parameter was > "ABC123" with NO extension. Also, the SUBMIT tag has an onClick > function similar to this: "onClick="return subrname()". > > I assume that if the LWP POST operation is performed it emulates > someone clicking on the SUBMIT button. The subroutine is a javascript > editing routine that issues an alert(msg) and returns false or true. The javascript happens solely client side, LWP controls the communication between the client and the server. So to get this to work, you need to mimic the actions that the Javascript is doing before it sends the request. When the user clicks the submit button, instead of submitting the form, it runs the javascript function "subrname". Chances are, subrname performs some sort of side effects, like changing the form action. If subrname returns true, the form (in its current state, after whatever changes subrname caused) is sent to the server. I don't know what subrname looks like, or even if it is the same each time. It is possible that the site is intentionally trying to intentionally make it difficult to automate the password changing. If so, you might have an arms race on your hand. From gyepi at praxis-sw.com Tue Aug 24 11:25:43 2004 From: gyepi at praxis-sw.com (Gyepi SAM) Date: Wed Aug 25 09:06:37 2004 Subject: [Hartford-pm] Re: [Boston.pm] Help using LWP to change password Q's? In-Reply-To: <412B53D8.3070108@financialdatacorp.com> References: <412B53D8.3070108@financialdatacorp.com> Message-ID: <20040824162543.GA1821@praxis-sw.com> On Tue, Aug 24, 2004 at 10:42:32AM -0400, Bob Mariotti wrote: > Q: How does the "submit" button interrelate with the "next" URL? > > Example: > > Initial https connect to specified page : > https://xxx.yyy.com/ssp/jsp/blah.jsp The submit button causes your browser to submit the contents of the form using the specified method (post or get). to the specified action URL. Since the action URL in this case is not qualified, a "smart" browser will prepend the base URL (in this case https://xxx.yyy.com/ssp/jsp) to the value of the action attribute and send the response, in this case, to https://xxx.yyy.com/ssp/jsp/ABC123. Note that since the action tag should either be fully qualified (begin with http or https) or be relative (begin with '/'). Neither is true in this case, so the browser has to figure out what to do. > Assuming the response is true... must the programmer alter the URL for > the POST operation at all? Or will LWP and/or HTTP take care of > manipulating the URL in combination with the ACTION value? Since you're writing the "browser", you may need to append the value of the action attribute to the base URL and post the response there. -Gyepi From olson at xynergy.com Tue Aug 24 14:09:49 2004 From: olson at xynergy.com (Eric K. Olson) Date: Wed Aug 25 09:06:37 2004 Subject: [Hartford-pm] Re: [Boston.pm] Help using LWP to change password Q's? In-Reply-To: <412B53D8.3070108@financialdatacorp.com> References: <412B53D8.3070108@financialdatacorp.com> Message-ID: <412B927D.7060805@xynergy.com> Hi All, My understanding is that the original question was "how does the javascript interact with the FORM ACTION parameter?" I think the usual answer is "it does not". If the javascript returns false, the form is submitted with its original ACTION. If the javascript returns true, the form is not submitted at all. In your case, the javascript is probably checking the fields for validity and only allowing the submit if all the tests pass. It IS possible to modify the ACTION in the javascript, but it is rarely done. See http://www.javascript-coder.com/html-form/html-form-action.phtml for an example. The fact that the ACTION doesn't have an extension is not important-- CGI scripts don't have to have any particular extension, if the server is configured appropriately. Cheers, -Eric Bob Mariotti wrote: > Fellow mongers; > > I have a mental block! I just cannot seem to get this logic to an > understandable point. Therefore, I was hoping that some of you could > explain the process somewhat. > > I have several reasonably complex scripts that use LWP to interact with > a remote secured web site. Works great and reliably. Now the remote > service site has implemented expiring passwords requiring the clients > (my script) to change passwords periodically before its next access. > > Simple I'd say! So I created a relatively short script to do just that. > > Here's where my brain fry comes in: > > Q: How does the "submit" button interrelate with the "next" URL? > > Example: > > Initial https connect to specified page : > https://xxx.yyy.com/ssp/jsp/blah.jsp > > LWP received the resulting page successfully which contains a form that > has fields for username, current password, new password, new password > again. The usual stuff. > > By examining the received HTML code I determined the fieldnames used > above so that I could load them on my next POST operation. I also noted > that on the FORM statement the value of the ACTION parameter was > "ABC123" with NO extension. Also, the SUBMIT tag has an onClick > function similar to this: "onClick="return subrname()". > > I assume that if the LWP POST operation is performed it emulates someone > clicking on the SUBMIT button. The subroutine is a javascript editing > routine that issues an alert(msg) and returns false or true. > > Assuming the response is true... must the programmer alter the URL for > the POST operation at all? Or will LWP and/or HTTP take care of > manipulating the URL in combination with the ACTION value? > > I'm sorry for the somewhat basic basis for this query but sometimes the > gray cells don't work as well as they should. > > Thanks for ANY help and/or advice anyone can supply (please - no > harassing?). > > Bob - Hartford PM > +----------------------------------------+ > |Bob Mariotti | Financial DataCorp | > |Exec V.P. | 703 Hebron Avenue | > |(860) 657-8983 | Glastonbury, CT 06033 | > |email: r.mariotti@financialdatacorp.com | > |Registered Linux User #320395 | > +----------------------------------------+ > > _______________________________________________ > Boston-pm mailing list > Boston-pm@mail.pm.org > http://mail.pm.org/mailman/listinfo/boston-pm From uri at stemsystems.com Tue Aug 24 17:44:47 2004 From: uri at stemsystems.com (Uri Guttman) Date: Wed Aug 25 09:06:37 2004 Subject: [Hartford-pm] Re: [Boston.pm] Help using LWP to change password Q's? In-Reply-To: <412B53D8.3070108@financialdatacorp.com> (Bob Mariotti's message of "Tue, 24 Aug 2004 10:42:32 -0400") References: <412B53D8.3070108@financialdatacorp.com> Message-ID: >>>>> "BM" == Bob Mariotti writes: BM> I have several reasonably complex scripts that use LWP to interact BM> with a remote secured web site. Works great and reliably. Now BM> the remote service site has implemented expiring passwords BM> requiring the clients (my script) to change passwords periodically BM> before its next access. BM> Q: How does the "submit" button interrelate with the "next" URL? BM> Example: BM> Initial https connect to specified page : BM> https://xxx.yyy.com/ssp/jsp/blah.jsp BM> LWP received the resulting page successfully which contains a form that BM> has fields for username, current password, new password, new password BM> again. The usual stuff. BM> By examining the received HTML code I determined the fieldnames used BM> above so that I could load them on my next POST operation. I also noted BM> that on the FORM statement the value of the ACTION parameter was BM> "ABC123" with NO extension. Also, the SUBMIT tag has an onClick BM> function similar to this: "onClick="return subrname()". BM> I assume that if the LWP POST operation is performed it emulates someone BM> clicking on the SUBMIT button. The subroutine is a javascript editing BM> routine that issues an alert(msg) and returns false or true. first, i would recommend using WWW::Mechanize for this. it will remove a large chunk of your lwp code (it inherits from LWP). it makes fetching pages and filling/clicking on them much simpler. if the form tag has a URL for its action, then you can ignore the onclick. it may be calling some javascript to verify stuff but that is bogus. only the server should be doing data verification for real (anyone who uses only javascript for this has a large hole waiting to be explored). uri -- Uri Guttman ------ uri@stemsystems.com -------- http://www.stemsystems.com --Perl Consulting, Stem Development, Systems Architecture, Design and Coding- Search or Offer Perl Jobs ---------------------------- http://jobs.perl.org From jwebster03 at snet.net Tue Aug 24 23:21:51 2004 From: jwebster03 at snet.net (Jonathan C. Webster) Date: Wed Aug 25 09:06:37 2004 Subject: [Hartford-pm] Wednesday PERL Meeting? Message-ID: <412C13DF.8070901@snet.net> Hello All, Is there a last Wednesday PERL Meeting? Where? Regards, Jonathan From developer at tsangaris.com Thu Aug 26 17:56:54 2004 From: developer at tsangaris.com (John Tsangaris) Date: Fri Aug 27 08:07:01 2004 Subject: [Hartford-pm] Re: [Boston.pm] Help using LWP to change password Q's? In-Reply-To: Message-ID: <200408262251.i7QMp39a018978@www.pm.org> I'm not sure this answers your question... but I always do this whenever trying to figure out form data being sent to the server for LWP purposes. Use a simple proxy server and log the requests. I used the chance to roll my own (about 20 lines, now up to about 100) that keeps three different types of logging, one for sites visited, one for form post data, and one for everything under the sun. I manually interact once with the site I am trying to LWP, with logging on. I also take a look at the html source for other options, but whatever comes through the log gets cut-and-pasted into my LWP calls for the basis of my interaction. I've never had to get around javascript before, but I'm sure you can simulate the transform pretty easily. -John