0

I have a JSF webpage that does a POST request and then a GET request. I managed to figure out the parameters of POST request by souping the page. How the GET request generated by the page is of form http://example.com/javax.faces.resource/sd8a0b55e-a6ff-49cc-b927-2713df1c59c1.jsf

The hex ID here after slash changes during each time. How do i work back from this hex ID to decode what it is. First of all is it a HEX ID or some UTF-8 encoding

The form is of url encoded type. I am stuck here and dont have an idea how to proceed. I checked for javax.faces.resources there is no such element with an id and there is no form ID either

Im couldnt provide the URL since its behind a server that only authorized people have access to

After my research I found that It seems there is a client ID generated in JSF2 pages . How do i extract this ID in Python?

Here is the Client ID Function as seen in DEV Tools

td><button class="btn-retrieve" id="list:downloadBtn" name="list:downloadBtn" onclick="new ice.ace.DataExporter('list:downloadBtn', function() {  });ice.s(event,this);return false;" style="margin-top: -4px;"><span>Download</span></button><span id="list:downloadBtn_script"><script type="text/javascript">ice.ace.jq(ice.ace.escapeClientId('list:downloadBtn')).button();</script></span></td>
Akshay
  • 81
  • 5
  • This is not something jsf does by default from what I know so it is impossible to help. And how is this 'problem' python related, other than you using it... or can you get it to work from perl? Or shellscripts or? – Kukeltje Jul 22 '19 at 17:17
  • The HEX ID should be somewhere for it to be generated. There is a file downloaded in the get request with the hex ID which im trying to access.Even with Perl I would get stuck with debugging the HEX ID.I saw posts related to hex ID in POST request with Python ,but none answered my question. So i thought somebody with Python Knowledge would be able to help – Akshay Jul 22 '19 at 17:53
  • @Kukeltje : It seems JSF is generating Client ID. Specifically(JSF2.0). I need to now know how to extract value of Client ID – Akshay Jul 22 '19 at 18:48
  • But then the question is not jsf related. It could even be something that someone build to prevent doing what you are trying to do ;-) Did you check what is IN the resource? – Kukeltje Jul 22 '19 at 18:53
  • This is not client-id... where did you read it is? And if it is... use it as it is – Kukeltje Jul 22 '19 at 18:53
  • @Kukeltje : The resource is a CSV File. Im just downloading the CSV File and storing it.Thats it. The source of the page contains Client ID function that generates it.Even the preview Chrome Dev Tools show the same thing.Here is source code for Client ID – Akshay Jul 22 '19 at 19:07
  • @Kukeltje : https://stackoverflow.com/questions/28351976/when-and-how-is-clientid-generated-in-jsf This one seems similar to what im looking for and the source code of my page is similar too – Akshay Jul 22 '19 at 19:14
  • Yes, that link is about client-id's of which the guid like string on your question is not an example. – Kukeltje Jul 22 '19 at 19:24
  • @Kukeltje : Okay. How is it different from the Client ID function in my JSF? I pasted the clientid tag above – Akshay Jul 22 '19 at 19:43
  • that is sort of like asking why are a Boolean and an Integer not the same... because they are not the same, they look different, serve different purposes etc) Learn the basics of JSF and you'll know. The function you show in the code is an `escapeClientID` funtion with as a parameter a real clientId that in no way resembles the 'guid' in the (download?) Link – Kukeltje Jul 22 '19 at 19:51
  • @Kukeltje : Forgive me. I dunno anything about JSF though I know some Java. In my dev tools though ,the call to escapeClient ID generates the ID as I see in the .jsf URL – Akshay Jul 22 '19 at 19:53
  • But why do you still think you NEED to decode it? It is most likely just some generated guid to make aynamic download link. Generated by the Icefaces dataexporter. Just use it, download it's content and you are done – Kukeltje Jul 22 '19 at 19:57
  • @Kukeltje I cant use the ID since its dynamic. Using a previous ID gives a webpage with error contact your security team.Each time I perform a POST the Dynamic ID Changes.If i extract ID I can feed it to a GET request after a POST request. The ID is nowhere to be found in source page too. Im trying to programatically do it using Python than doing manually – Akshay Jul 22 '19 at 20:00
  • you should use the url with the guid that is generated... each time... you can't decode it,there is no info in it. It is a guid, use it like that, you can't guess or predict or know in other ways what the next one will be. It is meant to be that way. Effectively you ask: _"There is this server that generates a complex secure random download link. Can you tell me what the next link will be when I get the next dowload"_ – Kukeltje Jul 22 '19 at 20:21
  • @Kukeltje :Yeah I get that. How do i know the ID of next download ?Ineed to extract that to automate the script if Im right? – Akshay Jul 22 '19 at 20:55

0 Answers0