curl-users

Re: https, redirection and authentication using POST

From: Ralph Mitchell <rmitchell_at_eds.com>
Date: Fri, 30 May 2003 00:13:24 -0500

David Withnall wrote:

> This has got to be the weirdest damn site I've seen (but living in Oz I understand that Tel$tra is full of strange people).
>
> To get into the site you need to do it in 2 stages.
> The first one you've almost got correct, you go there, but send no post data.
> After that connection has run through the numerous redirects and gathered all the cookies and wotnot that bigpond issue to you.
> Then I think you go to here - the form is actually submitted using JavaScript, not a standard form action command.
>
> https://telstra.com/tcoma/security/login2-sm.asp?form=bdumcust_,_AUTH_REDIR=https://account.bigpond.com/broadband/usage/secure/monthlyusage.do
>
> with the following post data (Once the password form has loaded, look at the source and you'll see all of these)
> SMENC=ISO-8859-1
> SMLOCALE=US-EN
> USERNAME=xxxx_at_bigpond.net.au
> PASSWORD=yyyy
> target=https://telstra.com/tcoma/security/login2-sm.asp?form=bdumcust_,_AUTH_REDIR=https://accounts.bigpond.com/broadband/usage/secure/monthlyusage.do
> smauthreason=0
> retrytext=Invalid Username or Password
>
> and that should get you in. I think. It's a bit confusing because of all the redirects, javascript and other garbage they've got on the site.

Yay, SiteMinder!! I'd recognise those grubby fingerprints anywhere... :)

To be fair to Telstra, it's probably not their redirects, javascript and such. They're just using SiteMinder to handle the logins and authentication.

And yes, I've been beating my head on a couple of sites like this one. Most recently, one that is handling multi-lingual clients by having a rather large javascript function that loads up variables with character strings (and even the input tag for the submit!) and then document.write's them out. The submit function loads up a form variable from several others, assembles the action url from somewhere and then posts.

I hates it, I does... :)

Ralph Mitchell

Received on 2003-05-30
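
The two-stage sequence from the quoted message, written out as an added example (it is not part of the original mail and not code from the curl project): stage 1 fetches the login page with no POST data while collecting cookies, stage 2 posts the form's own fields plus the credentials with the same cookie jar. The function names, the `run` entry point and the script name `login.sh` are assumptions, and the field extraction assumes the fields appear as plain `<input>` tags with double-quoted attributes.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the "run" entry point
# are assumptions; the field names handled are the ones listed in the post.

# Print name=value for every <input> tag in the HTML read from stdin.
form_fields() {
    tr '\n' ' ' | sed 's/</\
</g' | grep -i '^<input' | while IFS= read -r tag; do
        name=$(printf '%s\n' "$tag" | sed -n 's/.*[Nn][Aa][Mm][Ee]="\([^"]*\)".*/\1/p')
        value=$(printf '%s\n' "$tag" | sed -n 's/.*[Vv][Aa][Ll][Uu][Ee]="\([^"]*\)".*/\1/p')
        if [ -n "$name" ]; then printf '%s=%s\n' "$name" "$value"; fi
    done
}

# Emit curl config lines: the form's own fields plus the caller's credentials.
# Feeding these to "curl --config -" keeps the password out of the process list.
login_config() {    # $1 = username, $2 = password; form HTML on stdin
    { form_fields | grep -v -e '^USERNAME=' -e '^PASSWORD=' || true
      printf 'USERNAME=%s\nPASSWORD=%s\n' "$1" "$2"
    } | sed -e 's/[\\"]/\\&/g' -e 's/.*/data-urlencode = "&"/'
}

# Stage 1: no POST data; follow the redirects and keep every cookie issued.
fetch_form() {      # $1 = start URL, $2 = cookie jar
    curl --silent --show-error --location --cookie "$2" --cookie-jar "$2" "$1"
}

# Stage 2: POST the url-encoded fields to the login URL with the same jar.
submit_login() {    # $1 = login URL, $2 = jar, $3 = user, $4 = password; form on stdin
    login_config "$3" "$4" |
        curl --silent --show-error --location \
             --cookie "$2" --cookie-jar "$2" --config - "$1"
}

# Usage: sh login.sh run START_URL LOGIN_URL USERNAME   (password on stdin)
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
    IFS= read -r password
    fetch_form "$2" "$work/jar" > "$work/form.html"
    submit_login "$3" "$work/jar" "$4" "$password" < "$work/form.html"
fi
```

Where the page writes its form out from JavaScript, as in the multi-lingual site described in the reply, `form_fields` finds nothing in the static HTML and the field names have to be read from the script source instead.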