2

A website presents a login form containing simply "Username" and "Password". Pressing enter or clicking the "Login" button logs you in.

The HTML form (from the page source) looks like this:

<form name="login" action="https://www.mywebsite.com/index.php?main_page=login&amp;action=process" method="post" id="loginForm"><fieldset>
<legend>Please Log In</legend>

<label class="inputLabel" for="email-address">Email Address:</label>
<input type="text" name="email_address" size = "41" maxlength= "96" id="email-address" /><br class="clearBoth" />

<label class="inputLabel" for="login-password">Password:</label>
<input type="password" name="password" size = "41" maxlength = "40" id="login-password" /><br class="clearBoth" />
<input type="hidden" name="securityToken" value="0330682553ea36639f62317144927f3f" /><div class="buttonRow forward"><input type="image" src="includes/templates/lite_grey/buttons/english/login.gif" alt="Sign In" title=" Sign In " /></div>
<div class="buttonRow back important"><a href="https://www.mywebsite.com/index.php?main_page=password_forgotten">Forgot password</a> | <a href="index.php?main_page=activation_email&resend=1">Re-send activation email</a></div>
</fieldset>
</form>

The form contains two visible fields (email_address and password), and one hidden field (securityToken).

When I fill the form and press enter in my browser, the browser generates a POST request that looks like this:

POSTDATA=email_address=my@emailaddress.org&password=mypass123&securityToken=0330682553ea36639f62317144927f3f&x=37&y=15

(I was able to see this post-data by using the "Tamper data" plugin for Firefox. Also confirmed with Wireshark.)

Notice the fields that the browser is sending: email_address, password, securityToken - and two other fields that didn't exist in the HTML code: x=37 and y=15. I am at a loss as to where these values come from.

In addition, those values, x and y, change every time I login to the website.

All browsers seem to be able to handle this login form just fine (not just Firefox). The HTML page doesn't seem to be obfuscated or anything.

Any ideas where these values are coming from or how I can find out?

Thanks

Kal
  • Sounds like CSRF: https://en.m.wikipedia.org/wiki/Cross-site_request_forgery, auto-generated on the server side with each load – ItayB Sep 20 '15 at 03:16
  • The fields aren't server-generated because then they would be in the HTML source. – Tomalak Sep 20 '15 at 03:23
  • Agreed with @Tomalak. The POSTDATA is what my browser is sending, so it's the browser that's generating them. I just don't see what in the HTML is making it do so... – Kal Sep 20 '15 at 03:26

2 Answers

3

Those values (x and y coordinates) are always sent when your form submit is type="image":

<input type="image" src="includes/templates/lite_grey/buttons/english/login.gif" alt="Sign In" title=" Sign In " />

See this answer: https://stackoverflow.com/a/801722/870729

random_user_name
  • Yes, this appears to be the issue. When I press 'Enter' instead of clicking the Login image, those values are always 0. Thanks very much! – Kal Sep 20 '15 at 03:37
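
The behaviour described in the answer above, as an added example that is not part of the original posts: a Python model of how a browser builds the POST body for this form, where the image button contributes the click coordinates as `x` and `y` (or `name.x` and `name.y` when the button has a `name` attribute) and `0`/`0` when the form is submitted with Enter. The function and class names are illustrative, and the form markup is a trimmed copy of the one in the question.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample: the login form from the question, trimmed to its inputs.
FORM_HTML = """
<form name="login" method="post" id="loginForm">
<input type="text" name="email_address" id="email-address" />
<input type="password" name="password" id="login-password" />
<input type="hidden" name="securityToken" value="0330682553ea36639f62317144927f3f" />
<input type="image" src="includes/templates/lite_grey/buttons/english/login.gif" alt="Sign In" />
</form>
"""

class FormInputs(HTMLParser):
    """Collect the attributes of every <input> element in document order."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def build_post_body(html, values, click=(0, 0)):
    """Return the urlencoded body a browser would submit for the form.

    values: text typed into named fields (overrides any value="" attribute).
    click:  pointer position inside the image button; the default (0, 0)
            models pressing Enter, where there is no pointer position.
    """
    parser = FormInputs()
    parser.feed(html)
    pairs = []
    for inp in parser.inputs:
        kind = (inp.get("type") or "text").lower()
        name = inp.get("name")
        if kind == "image":
            # An image button submits the click coordinates, not a value.
            prefix = name + "." if name else ""
            pairs.append((prefix + "x", str(click[0])))
            pairs.append((prefix + "y", str(click[1])))
        elif name:
            pairs.append((name, values.get(name, inp.get("value") or "")))
    return urlencode(pairs)
```

The model covers only `<input>` elements with a single image button, which is all this form contains.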
1

EDIT: Although my answer could technically be a possibility in some instance, cale_b's answer is about 100,000,000 times more probable. Thanks cale_b.


There must be a JavaScript framework they are using to attach an onSubmit handler to the form, and injecting their own fields before it gets sent off.

Open up Developer Tools in Chrome, and search for "onSubmit" in the source code, "post", etc. You'll likely find your culprit.

If you can't find it that way, search for ".preventDefault()", but that will turn up a LOT of stuff, probably.

Richard Peterson
  • Thanks. I've looked at questions like http://stackoverflow.com/questions/17809056/how-to-add-additional-fields-to-form-before-submit?rq=1 and I don't see any of the tactics in there used in the page source. Is there another approach that does the same thing? – Kal Sep 20 '15 at 03:28