0

I noticed that when performing a POST request from certain sites, it passes along my form data (normal) and some extra params in a query string. These extra params are not coming from hidden form inputs and appear to be somewhat random. For example, if you go to the American Airlines homepage and click on the search button, it sends a POST request to /find-flights with extra form data keys X-6LdxA4pr-uniqueStateKey, X-6LdxA4pr-b, X-6LdxA4pr-c, X-6LdxA4pr-d, and X-6LdxA4pr-a. The script code responsible for this seems to have been rendered unreadable and is at the start of the page.

How is this possible? I thought the form data was generated only from the form element at the time of submission. I tried to find documentation detailing how exactly the query string is generated, but nothing would explain these extra params. They appear to be locally generated since there are no requests in between pressing the button and the POST request.

Darshan
  • 2,272
  • 3
  • 31
  • 43
trashcan_maan
  • 3
  • 2

1 Answers1

1

Odds are these additional params are generated from the page's Javascript. I would think these keys are used for security or as a unique identifier to your session. Tough to say without having accessed to the source code.

The reason the script is unreadable is likely because it is obfuscated and minified (more info here).

Edit: Pseudocode to address the comment:

form.onsubmit = function(event) {
    event.preventDefault(); //stop the form submission that would send a post request with just form data.
    const firstname = form.getElementById("FirstName").value;
    const lastname = form.getElementById("LastName").value;
    //...etc

    let security_token = {
        'X-6LdxA4pr': foo,
        'X-6:dxA4pr-a': bar,
        //...etc
        }
    let request = new HTTPPostRequest({ //fake class name
        firstname,
        lastname,
        ...security_token
    }) 
    request.submit(); // send the POST request
}
Tanner
  • 2,232
  • 13
  • 22
  • I agree that they are probably for security or some identifier. But what I'm trying to figure out is how they are able to be inserted into the form data despite not being a part of the form. I don't care about how those specific key/values are generated, but in general, how would one go about adding params in this secret manner. – trashcan_maan Oct 09 '19 at 15:29
  • I added some pseudocode to explain it - basically the webpage prevents form submission, collects the data from the form, adds the additional values to the request, then submits it. – Tanner Oct 09 '19 at 15:37
  • @trashcan_maan Go check out the form element for AA, it has a js handler attached: onsubmit="submitSearch(getCurrentSearch())" . Now you get to search through the tons of js files they have attached to track back those methods to see the whole picture. – Travis Acton Oct 09 '19 at 15:44
  • @TravisActon Oddly enough that onsubmit handler doesn't actually have anything to do with these extra params. I made a stripped down version of their page to test it, and removing the handler doesn't stop it from appending the keys. It looks like on pages where the function is defined it just caches the result in a list, so you can quickly fill the form at a later date. – trashcan_maan Oct 09 '19 at 21:24