curl-users

Re: Problems and infos

From: Massimiliano Cuttini <max_at_phoenixweb.it>
Date: Sun, 23 Nov 2008 12:54:58 +0100

Thank you Doug,

> But don't get your hopes up.
>
> If money is involved there are third party programmers who, with job
> security in mind, can do strange things. One that intrigues me is the
> JavaScript that creates a request to a third party site for a "random"
> number that has to match the value sent to the original site when the POST
> is made. The third party site sends the random number to the prime site
> over a separate channel. It's almost impossible to match the secret codes
> that change each time and must be acceptable to the third party site.

> The value of a cookie changes for each request you make and you must
> request all of the intermediate files in the right sequence to get to the
> one you want.

I have already checked the cookies and session (they work fine over the website).

> And, by the way, some of the needed values are sent in disguised image
> files that are one pixel by one pixel but carry a cookie with them.

This is not possible due to the reason above. The script works directly from
the ADDRESS BAR after the login.

> I have given up on my broker's site. With their latest scheme I was up to
> 200 separate requests to something over three different sites to get
> logged in.
>
> Some of the addins for Firefox, GreaseMonkey and iMacros, look
> interesting. A problem is that JavaScript itself makes it nearly
> impossible to submit a form because of a perceived security risk.
>
> If anyone knows a broker or a bank who will honor my RSA certificate
> please let me know. I'm on my way.
> --

I have checked whether it is so.
But by copying and pasting the POST vars directly into the URL after the login, I get
the operation performed. There are no secret codes on the FORM page that
have to be submitted to the script.

Honestly, my supplier's website is shit. It's coded half in PHP and
half in CGI, and by different coders.
There are a lot of scripts that don't work at all until you modify
something in the page by using the form editor of Firefox.

Lots of bugs and something more.

However, that page performs an extra server-side control that blocks the
action.
But I dunno how to debug this.

It's likely impossible.

PhoenixWeb - WebDesign - www.phoenixweb.it
Pegaso Hosting - Professional Hosting & Domain Registration -
www.pegasohosting.net

Received on 2008-11-23