I am trying to submit a form via the PHP CURL library. The problem is that there is a hidden input field whose value changes after each refresh; that is, it changes when I send two different requests to read the page content. I need that hidden value to be sent among the other fields in my POST request for the form to be submitted successfully.

Since the action of the form that I want to submit is "itself" (the same page), I do not know how to fetch the hidden input value, put it in the POST request and send the POST request, which would be considered roughly simultaneous. I have used a specific library for my CURL, so even if I share the code you will not completely understand it.

Anyway, I think I have clearly explained what I am confused about. Looking forward to hearing from you.

P.S. You might say it will not be simultaneous: one request to fetch the form and another to send the POST request. Indeed, the problem is that when I fetch the page content to get the hidden value (TOKEN) it has value "X", and when I want to send the POST request after it, it will have value "Y". I want to have "X" and utilize it in submitting the form with "X" going to take value "Y". That is the simplest way to explain what I want.

- Are you trying to evade some sort of XSRF token? – Damien Pirsy May 21 '15 at 15:16
- @DamienPirsy Yes, I think it would be called XSRF. __RequestVerificationToken=MYq_REyEAaX6IUDQy5J7h3dKQnOdSWb23vE55nvc0r_y1IxADbputJY - Something like this – FreeMind May 21 '15 at 15:18
- Sorry, no way to help without you showing the code. Leave it to us to understand a properly simplified and reduced part of your code. – arkascha May 21 '15 at 15:19
- I would expect that hidden value to be part of the form when requested from the server. Certainly you may have to send such token back to the server when posting the form back, but that is not in the same request. One request to fetch the form, one to post it. So what is the problem here? – arkascha May 21 '15 at 15:21
- @arkascha It is a token, do you have a solution? There is no need to see the code since I am looking for the strategy, if you do an example I will understand it. – FreeMind May 21 '15 at 15:21
- @arkascha Right, but when I request to fetch the form, the token has value "X" and once I want to send the request the token takes value "Y" – FreeMind May 21 '15 at 15:23
- Sorry, but that does not make any sense at all. Even when not misusing the form, but using a normal browser to fill and send it, there is no means in the world to somehow _guess_ the required value or morph it back in time to have it available when posting the form. I assume you draw invalid conclusions from what you observed. Don't get this wrong, it is just what I can say to the strategy you describe. It simply does not make any sense. – arkascha May 21 '15 at 15:26
- @arkascha I think you have not understood what I am asking properly. The hidden value changes when I perform two different requests. – FreeMind May 21 '15 at 15:28
- OK, fine. Sorry, just tried to help. – arkascha May 21 '15 at 15:29
- It might be that the token ("hidden value") is related to a server side session. That might explain why the value you use is invalid for subsequent uses. You have to reference the same session in both requests. How depends on the mechanism the server uses. Might be cookies or similar. – arkascha May 21 '15 at 15:30
- The purpose of that token is to avoid requests not coming from the same session, for example an external POST request. Even if you send the correct token, you don't have a session with the same token to match against the request – Damien Pirsy May 21 '15 at 15:37
- The code I posted here does all you need to do: http://stackoverflow.com/a/28660511/1067003 – hanshenrik May 21 '15 at 15:40
- A bug in stackoverflow won't let me edit posts on the android browser, but http://stackoverflow.com/a/28660511/1067003 – hanshenrik May 21 '15 at 15:41
- Has anyone pointed out that this cannot be done with less than 2 requests? – hanshenrik May 21 '15 at 15:50
- @hanshenrik Sure, just see above. But the OP claims that is wrong and he has to read and send in a single request and use the result from read in send. :-) – arkascha May 21 '15 at 16:14

2 Answers
Once I worked on a similar scenario.
This should be the strategy for you:
First make a CURL request to the link that contains the form.
Parse the page html and read the form hidden field (__RequestVerificationToken) value with regular expression match or any other library.
Use the __RequestVerificationToken for your next request.
As you mentioned the next request will return the form html, get the __RequestVerificationToken hidden field value again from the response html.
Use it for subsequent request and repeat the same process.
As you are not giving more details, what I assume is that you are working with PHP to submit data to a .NET based website form. If this is the case, just capturing the __RequestVerificationToken won't be enough. You have to take care of other sensitive headers like Cookies, User-Agent, any kind of custom headers etc.
- That is exactly what I sketched in my comment above. The OP claims that does not work. – arkascha May 21 '15 at 15:31
- It might not work because the purpose of that token is to protect against forged attacks. Likely there's a session variable with the same token to be matched against the request, and that doesn't happen when the request comes from an external source – Damien Pirsy May 21 '15 at 15:34
- You have to almost `mimic` all the browser features into your coding as if the request is being sent via a real browser with all headers, etc. Also is there any kind of Javascript based hashing security? Sometimes the security tokens are randomly generated on submit button click using js. – Adnan May 21 '15 at 15:41
- @adnan There are Js files included, however, I don't see any hashing system based on Js. – FreeMind May 21 '15 at 15:45
- @FreeMind, do you have server access to the other end? I mean the Python script. If yes, you can debug from the Python and print out debug messages to see what input field or header is missing from your CURL requests. – Adnan May 21 '15 at 15:47
- Are you using PHP from your end? pecl_http can handle browser like request handling https://pecl.php.net/package/pecl_http – Adnan May 21 '15 at 15:52
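
Added example (not written by any poster in this thread, and not the target site's code): a simplified in-process Python model of the session binding that the comments above point to. The `sid` cookie, the `nonce.mac` token layout and the `server` function are assumptions made for illustration; the real site's token scheme is not shown on the page.

```python
import hashlib, hmac, re, secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed secret for this toy server

def _mac(sid, nonce):
    return hmac.new(SERVER_KEY, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()

def server(method, cookies, form=None):
    """Toy form handler (assumed design). Returns (status, set_cookies, body)."""
    sid, set_cookies = cookies.get("sid"), {}
    if sid is None:  # no session cookie sent: a brand-new session is created
        sid = secrets.token_hex(8)
        set_cookies["sid"] = sid
    if method == "POST":
        nonce, _, mac = (form or {}).get("__RequestVerificationToken", "").partition(".")
        ok = hmac.compare_digest(mac, _mac(sid, nonce))
        return (200, set_cookies, "accepted") if ok else (403, set_cookies, "token/session mismatch")
    nonce = secrets.token_hex(8)  # fresh nonce: the hidden value differs on every GET
    token = f"{nonce}.{_mac(sid, nonce)}"
    return 200, set_cookies, f'<input name="__RequestVerificationToken" type="hidden" value="{token}">'

def extract_token(html):
    m = re.search(r'name="__RequestVerificationToken"[^>]*\bvalue="([^"]+)"', html)
    return m.group(1) if m else None

def fetch(jar, keep_cookies):
    """GET the form; store Set-Cookie values only when the client keeps a cookie jar."""
    _, set_cookies, html = server("GET", jar)
    if keep_cookies:
        jar.update(set_cookies)
    return extract_token(html)

def submit(keep_cookies, refetch=False):
    """Fetch token X, optionally reload the page (which shows Y), then POST X."""
    jar = {}
    x = fetch(jar, keep_cookies)
    if refetch:
        y = fetch(jar, keep_cookies)
        assert x != y  # hidden value changed between the two page loads
    status, _, _ = server("POST", jar, {"__RequestVerificationToken": x})
    return status

if __name__ == "__main__":
    print("cookie jar kept, page reloaded:", submit(True, refetch=True))   # 200
    print("cookies dropped between requests:", submit(False))              # 403
```
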
The "grep-to-variable" bit works differently on a Mac OS, because there is no "grep -P". (See grep -P no longer works how can I rewrite my searches for details.)
Given five instances of something like this in an HTML page:
<input name="_dynSessConf" value="-5345230103218767463" type="hidden"></input>
...I used a curl command to pull down my page into "output.txt" and then pulled the value of _dynSessConf into an environment variable using a RegEx via perl.
dynSessConf=$(perl -nle 'print $& if m{.*_dynSessConf" value="\K[^"]+}' output.txt | tail -1)
I know this isn't the "one-liner" you were looking for, but it could probably be tweaked to give you a one-liner on a Mac.
