0

I want to fill a form on a webpage to send some files via the command line instead of using the browser. I found cURL could do that for me but I’m not sure how. Besides that, I found out the "authenticity_token" changes for every request. How would I successfully authenticate and post my files?

I stripped down the html code to present only the inputs, see below. Thanks for having a look.

<form action="https://XXXXXXXX.com/aspera/faspex/test/dropbox_submissions" class="well form-horizontal form-horizontal-small-labels" id="send" method="post"><div style="margin:0;padding:0;display:inline"><input name="authenticity_token" type="hidden" value="cU/zhZKnbjk90v57Phmdgewq97lKclj63MtzfCHhEqc=" /></div>

<input id="dropbox_id" name="dropbox[id]" type="hidden" value="738" />

<input id="passcode" name="passcode" type="hidden" value="1738d1bc02755019655dd424Xf2717f1c8a7c579" />

<input id="delivery_title" maxlength="100" name="delivery[title]" size="100" type="text" value="" />

<input id="fileupload" multiple="multiple" name="file" type="file" />

<input id="delivery_source_paths_list" name="delivery[source_paths_list]" type="hidden" />

<input class="btn large primary" data-prompt_password="true" disabled="disabled" id="send_button" name="commit" type="submit" value="Send Package" />

<label>Passphrase:</label>
<input autocomplete="off" id="password" type="password" />

<label>Confirmation:</label>
<input autocomplete="off" id="password_confirmation" type="password" />

</form>
florit
  • 325
  • 2
  • 13
  • so, there is a website with a form described in your question, and you are trying to achieve this by sending POST request from your own application. Is it what you are trying to do? – dropyourcoffee Nov 27 '19 at 10:42
  • Yes this is it essentially. But I figured, it would be more complicated than that. In the browser, when I click „submit“ it actually triggers an external application (Aspera Connect) to start a file transfer. So there must be some javascript running on the website, I guess. What I am trying to achieve is the following: Instead of opening the website in the browser, fill the form and submit, I’d like to select some files in the finder, fill the form with the according path and initiate the transfer. – florit Nov 28 '19 at 11:16
  • How about just using iframe in your application? – dropyourcoffee Nov 28 '19 at 17:02
  • I don’t want to fill the form manually as most fields stay the same, only the files to post need to be filled. This should be the files, currently selected in finder on a mac. – florit Nov 29 '19 at 10:03

3 Answers3

0

This looks like a CSRF defence.

You need to make two requests and use a cookie jar to store cookies between them.

The first request you'll need to run through an HTML parser (e.g. pup) to extract the authenticity_token.

Then you'll need to make a second request and use the data and cookie jar from the first.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • So I’d do the first request without posting anything, store the authenticity_token and then do the second request posting the data and add --cookie? – florit Nov 27 '19 at 13:09
  • You need to use the same cookie jar for **both** requests. The first request needs to be to get the form. The second request needs to be to wherever the form submits to. – Quentin Nov 27 '19 at 13:12
0

This seems to be an IBM Aspera Faspex submission page.

In fact the actual file transfer will be done using IBM Aspera FASP protocol (free on client side).

You can use the following free client which will allow you to send to faspex, using either an authenticated access or a public access (with passcode in url):

https://www.rubydoc.info/gems/asperalm

example:

mlia faspex package send --link='https://faspex.org.com/aspera/faspex/external/dropbox_submissions/new?passcode=xxx123xxx.........' --delivery-info=@json:'{"title":"my title"}' /path/to/files
laurent
  • 111
  • 6
  • exactly what I was looking for. I was trying to do that with the aspera CLI but even the IBM support confirmed it was not possible to submit to a public dropbox. So I gave up on it … Thanks a lot! – florit Dec 10 '19 at 16:19
  • I have one more question regarding encryption / decryption. When I use the webform to upload / download files to the system it prompts for a passphrase. I tried to include this with mlia by adding the following Transfer Specification: `ts=@json:'{"content_protection":"decrypt","content_protection_passphrase":"PASS"}'` But I get: `ERROR -- : unrecognized parameter: content_protection_passphrase = "PASS"` What am I doing wrong? – florit Dec 16 '19 at 09:39
-1

You can open debugger in any browser (developer mode) to demonstrate a html form and capture network request and copy it as curl.

Destination host must exist though since you need some response from the POST action.

This is what I got from my chrome browser.

curl 'https://XXXXXXXX.com/aspera/faspex/test/dropbox_submissions'  -X POST \
-H 'Connection: keep-alive'  \
-H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'Origin: null'  \
-H 'Content-Type: application/x-www-form-urlencoded'  \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'  \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3'  \
-H 'Accept-Encoding: gzip, deflate'  \
-H 'Accept-Language: en-US,en;q=0.9,ko;q=0.8,la;q=0.7'  \
--data 'authenticity_token=cU%2FzhZKnbjk90v57Phmdgewq97lKclj63MtzfCHhEqc%3D&dropbox%5Bid%5D=738&passcode=1738d1bc02755019655dd424Xf2717f1c8a7c579&delivery%5Btitle%5D=&file=&delivery%5Bsource_paths_list%5D=' --compressed --insecure
dropyourcoffee
  • 318
  • 1
  • 5
  • 13