
So I can do the following POST submit

    @* The hidden field is rendered into the page source, so SECRETCODE is visible to the user. *@
    @using (Html.BeginForm(null, null, FormMethod.Post, new { @action = "https://externalsite.com/secretroom" }))
    {
        <input id="SECRETCODE" name="SECRETCODE" type="hidden" value="GABEN" />
        <input type="submit" value="submit" />
    }

After the submit, it will take me to https://externalsite.com/secretroom. But as you can see, the SECRETCODE is getting exposed in the user's HTML page and I don't want that.

So what I'm gonna do is I'm trying to do the POST on my server side.

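    // Requires: using System; using System.Collections.Generic; using System.Net;
    //           using System.Net.Http; using System.Threading.Tasks; using System.Web.Mvc;
    public async Task<ActionResult> Test()
    {
        using (var client = new HttpClient())
        {
            client.BaseAddress = new Uri("https://externalsite.com/secretroom");
            var content = new FormUrlEncodedContent(new[]
            {
                new KeyValuePair<string, string>("SECRETCODE", "GABEN")
            });
            // The POST is sent by the web server, not by the user's browser.
            var result = await client.PostAsync("", content);
            if (result.IsSuccessStatusCode)
            {
                return Redirect("https://externalsite.com/secretroom");
            }
        }
        // The POST to the external site did not succeed.
        return new HttpStatusCodeResult(HttpStatusCode.BadGateway);
    }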

The problem is I can't redirect the user because the externalsite will deny it and I have no idea/no control over how the secretroom validation works on externalsite. It will only allow access if I did it the way I did above.

That being said, is this actually possible?

tickwave

1 Answer


Edit: After getting a little more clarity on exactly what you're trying to accomplish, I don't believe you can do that. Specifically because in your first example, you're actually sending a response to the user's browser which is redirecting them to the target site and sending along the form parameters for the ride. Whereas, programmatically POSTing the data is out-of-band of the browser. The two approaches aren't interchangeable. You'll most likely need to work with the site provider to identify an alternative method if you're not satisfied sending sensitive data this way.

Original Solution

You can use the WebRequest class to programmatically POST the data over.

    WebRequest request = WebRequest.Create("https://externalsite.com/secretroom");
    request.Method = "POST";
    // ... rest omitted - refer to link below for specifics ...

https://msdn.microsoft.com/en-us/library/debx8sh9%28v=vs.110%29.aspx

Also, you may want to refer to the following SO question for details on the variants of the WebRequest classes i.e. HttpWebRequest, FtpWebRequest, etc.

C# HttpWebRequest vs WebRequest

Nate222
  • So how do I redirect the user after a successful POST? It seems like this is only able to get the response, which I'm already able to get by using `HttpClient`, but I actually need to redirect my user to that page. – tickwave Oct 22 '15 at 04:00
  • @warheat1990 - You could simply do as you're doing now in your first example but make the method `FormMethod.Get` and then omit the sensitive data. If you're trying to POST the data behind-the-scenes AND transfer the user at the same time - you can't do that. – Nate222 Oct 22 '15 at 04:04
  • Can you post a code example, especially the omit data part and the redirect? – tickwave Oct 22 '15 at 04:10
  • @warheat1990 - Refer to the edit in my answer. After realizing exactly what you're trying to do, you won't be able to accomplish it in the fashion you're currently using - or at least you'll need input from someone more sage than I if there is a way. – Nate222 Oct 22 '15 at 04:11
  • @warheat1990 - Actually after some more thought, there might in fact be a way to do it. When you're using a standard form POST to the site with the secret value - is that effectively authenticating you with the site? If so, then you may be able to grab the auth cookie from the HttpWebRequest's response, then turn around and provide that cookie to your normal response. This would pass the auth cookie back to your target site without you needing to provide the sensitive data openly. Refer to this http://stackoverflow.com/questions/16380189/get-cookies-from-httpwebrequest – Nate222 Oct 22 '15 at 04:20
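
To illustrate the answer's point that a programmatic POST is out-of-band of the browser, here is an added example (not code from the question or the answer). It assumes the external site validates with a session cookie, which the page does not confirm; the localhost listener on port 5055, the cookie name `session` and its value are constructed stand-ins.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
static class OutOfBandPostDemo
{
    const string Site = "http://localhost:5055/secretroom/"; // constructed stand-in for the external site
    // Assumed validation: a correct POST sets a session cookie; a GET needs that cookie.
    static async Task ServeAsync(HttpListener listener, int requests)
    {
        for (int i = 0; i < requests; i++)
        {
            var ctx = await listener.GetContextAsync();
            if (ctx.Request.HttpMethod == "POST")
            {
                var body = await new StreamReader(ctx.Request.InputStream).ReadToEndAsync();
                bool ok = body == "SECRETCODE=GABEN";
                if (ok) ctx.Response.AppendCookie(new Cookie("session", "constructed-token", "/"));
                ctx.Response.StatusCode = ok ? 200 : 403;
            }
            else
            {
                // No valid session cookie on the request means access is denied.
                ctx.Response.StatusCode = ctx.Request.Cookies["session"]?.Value == "constructed-token" ? 200 : 403;
            }
            ctx.Response.Close();
        }
    }
    static async Task Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(Site);
        listener.Start();
        var server = ServeAsync(listener, 3);
        var form = new FormUrlEncodedContent(new[] { new KeyValuePair<string, string>("SECRETCODE", "GABEN") });
        var jar = new CookieContainer(); // cookies received by the server-side client land here
        using (var serverSide = new HttpClient(new HttpClientHandler { CookieContainer = jar }))
        using (var browser = new HttpClient()) // separate cookie store, standing in for the user's browser
        {
            Console.WriteLine("server-side POST: " + (int)(await serverSide.PostAsync(Site, form)).StatusCode);
            Console.WriteLine("server-side GET:  " + (int)(await serverSide.GetAsync(Site)).StatusCode);
            Console.WriteLine("browser GET:      " + (int)(await browser.GetAsync(Site)).StatusCode);
            Console.WriteLine("cookies held server-side: " + jar.GetCookies(new Uri(Site)).Count);
        }
        await server;
        listener.Stop();
    }
}
```

The cookie is issued to the server-side client and scoped to the external site's host, so a response from your own domain cannot set it in the user's browser.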