cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: automating authentication...

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Wed, 4 May 2005 12:47:17 -0500

I've managed to login to some sites that use Siteminder. What happens
there is, you go to the original site, it sends back a redirect to the
Siteminder server with the original url embedded in the url as a GET
variable. The Siteminder server shows you a login form, which you
fill in nd post back to Siteminder. If Siteminder likes you, it hands
out cookies and send you back to the original site. The original site
sees that you have valid cookies and lets you in.

I've seen some obfuscated javascript, but not necessarily in
conjunction with Siteminder. In at least one case, the form action
string is left blank, to be filled in by a javascript submit()
function. At the same time, it copies things from the visible form
entry fields into some hidden fields. Goodness only knows why - that
could easily be accomplished by the server... I mean, you enter a
userid like 123456, and it copies it to a hidden field after padding
on the left with zeroes to make 8 digits. Stupid, really stupid, but
without that the login fails...

If you can't work out what the javascript ends up doing, try
LiveHTTPHeaders, from:

     http://livehttpheaders.mozdev.org/

Works like a charm in Firefox. It shows you all headers, both send
and received, including urls and POSTed variables. Just start it up,
login to the target site, then peruse the headers. You might be able
to work out how to massage the original login data to produce the
desired result. If not, you may be able to simply send whatever
Firefox sends.

Ralph Mitchell

On 5/4/05, Doug McNutt <douglist_at_macnauchtan.com> wrote:
> At 16:00 +0200 5/4/05, Linus Nielsen Feltzing wrote:
> >Try the codumentation section on curl.haxx.se, especially this:
> >http://curl.haxx.se/docs/httpscripting.html
>
> Most informative. But. . .
>
> I would like to automate a private site that goes to more serious extremes. Username and password are passed to some obfuscated JavaScript that contacts a third party site which returns an apparently random string about 1200 characters long. That string needs to be passed in order to perform the login. I assume the string is also being passed simultaneously to the original host for comparison purposes.
>
> Has anyone cracked that kind of thing using curl?
>
> --
> --> Use vowels every day or you'll get consonated <--
>
Received on 2005-05-04