2

I am trying to achieve a successful POST to an ASPX (ASP.NET) page (an external site) using cURL.

Since I don't care much for the looks of the page (it is all done on the server side), I am not sending ANY the arguments __VIEWSTATE, __EVENTVALIDATION, __EVENTTARGET, and __EVENTARGUMENT, not even empty, but I do send the real data.

How crucial is it to POST these arguments to the ASP.NET server?

I am not an ASP.NET programmer, but I might suspect that __EVENTVALIDATION might give me some hard time here(?). Or is this something between the browser and the server that I don't need to care much for?

If this is crucial, how can I imitate these variables so the server accepts POSTS?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Ted
  • 3,805
  • 14
  • 56
  • 98

2 Answers2

3

In general, you can not eliminate these values.

The ViewState and the EventValidation are critical - unless the other side has disabled them. If the other side use them and do not find them on postback, a throw error appears, and it depends on the program how it handles it.

The ViewState contains information that the page needs to use after the postback.

The EventValidation contains a key that validates the postback controls to be sure that you do not try to trigger any command that does not have permission, or send any argument that does not have permission to run.

Let's gives you an example: Let's say that I have a control that send a number, 43, and a button that trigger the postback, and I ask the information for id 43. The EventValidation takes care that you can not make a script and ask for all the numbers with any id and get any result that you may think.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Aristos
  • 66,005
  • 16
  • 114
  • 150
1

It is possible. Just not with cURL.

The best way to do it is to use a browser emulator such as mechanize in Python. Here's an example script. Give it a shot. You can always call this script using command line and have it return the resulting HTML.

import mechanize
import cookielib

# Browser
br = mechanize.Browser()

# Cookie Jar
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)

# Browser options
br.set_handle_equiv(True)
br.set_handle_gzip(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)

# Follows refresh 0, but it does not hang on refresh > 0
br.set_handle_refresh(mechanize._http.HTTPRefreshProcessor(), max_time=1)

# Want debugging messages?
#br.set_debug_http(True)
#br.set_debug_redirects(True)
#br.set_debug_responses(True)

# User-Agent (this is cheating, OK?)
br.addheaders = [('User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1')]

# Open some site, let's pick a random one, the first that pops in mind:
r = br.open('http://www.example.com/')
html = r.read()

# Show the source
print html
# or
print br.response().read()

# Show the HTML title
print br.title()

# Show the response headers
print r.info()
# or
print br.response().info()

# Show the available forms
for f in br.forms():
    print f

# Select the first (index zero) form
br.select_form(nr=0)

# Let's search
br.form['field']='value'
br.submit()

# Show HTML of results
print br.response().read()
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Omar Wagih
  • 8,504
  • 7
  • 59
  • 75