Why do I get an error 500 when I send POST data to an ASP.NET MVC site through Android?

Question

I'm trying to create an android app to check my tests scores of my engineering school. In order to download the Word containing the scores, I need to login to the portal.

I thought it would be simple to do it by sending a POST request.

After bypassing the problem of the self-signed certificate (or whatever) thanks to the code on this page : Self-signed SSL acceptance on Android

I still get an 500 error while trying to send any POST request to the login page, which is here : https://e-campus.hei.fr/ERP-prod/pc_mv_login.aspx

I tried various codes from the web to send the POST data (especially How to do a HTTP Post in Android? this one). And even on a pure java app, I get a 500.

When I point the URL to another testing page, I manage to get it working, but not on https://e-campus.hei.fr/ERP-prod/pc_mv_login.aspx

Could anyone explain to me why it doesn't work or help me get rid of this error ?

EDIT: This is what is being sent through my browser (According to chrome developper tools)

__EVENTTARGET:
__EVENTARGUMENT:
__VIEWSTATE:dDwxNDU4ODc4MDI5O3Q8O2w8aTwwPjs+O2w8dDw7bDxpPDE+O2k8Nz47aTwxMz47aTwxNT47aTwxNz47aTwxOT47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8SWRlbnRpZmlhbnQgOjs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8TW90IGRlIHBhc3NlIDo7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPExhbmd1ZSA6Oz4+Oz47Oz47dDx0PDt0PGk8Mj47QDxBbmdsYWlzO0ZyYW7Dp2Fpczs+O0A8ZW47ZnI7Pj47bDxpPDE+Oz4+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8Vm91cyBuJ8OqdGVzIHBhcyBhdXRvcmlzw6kgIMOgIHZvdXMgY29ubmVjdGVyLjs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8Q29ubmVjdGVyIDo7Pj47Pjs7Pjs+Pjs+Pjs+inmhCwE9zfymuEXDXGORShkB1GI=
Username:******
Password:******
Langues:fr
Button1:Connecter :

This is the string that i send :

String parameters = "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE="
            + URLEncoder
                    .encode("dDwxNDU4ODc4MDI5O3Q8O2w8aTwwPjs+O2w8dDw7bDxpPDE+O2k8Nz47aTwxMz47aTwxNT47aTwxNz47aTwxOT47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8SWRlbnRpZmlhbnQgOjs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8TW90IGRlIHBhc3NlIDo7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPExhbmd1ZSA6Oz4+Oz47Oz47dDx0PDt0PGk8Mj47QDxBbmdsYWlzO0ZyYW7Dp2Fpczs+O0A8ZW47ZnI7Pj47bDxpPDE+Oz4+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8Vm91cyBuJ8OqdGVzIHBhcyBhdXRvcmlzw6kgIMOgIHZvdXMgY29ubmVjdGVyLjs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8Q29ubmVjdGVyIDo7Pj47Pjs7Pjs+Pjs+Pjs+inmhCwE9zfymuEXDXGORShkB1GI=",
                            "UTF-8") + "&Username="
            + URLEncoder.encode(mUsername, "UTF-8") + "&Password="
            + URLEncoder.encode(mPassword, "UTF-8")
            + "&Langues=fr&Button1="
            + URLEncoder.encode("Connecter :", "UTF-8");

I was going through the Page Source. In the Form fields, there are 3 more fields apart from username and password, __EVENTTARGET, __EVENTARGUMENT and __VIEWSTATE. In your code are you also sending these values in the POST request? — varuaa, May 21 '11 at 16:38

BalusC · Accepted Answer · 2011-05-21T16:48:04.170

1

HTTP error 500 just means that the server side code failed. It has a bug, for example a NullPointerException was been thrown over there. If the response body doesn't contain anything sensible (e.g. a stacktrace) so that you could learn how it is caused and so change the request accordingly, then your best bet is to contact the server admin and report about this bug in the server code and ask how to correctly perform a programmatic login.

If that is not an option for some reason, then you should doublecheck if you don't forget to send a specific cookie, header and/or parameter. Probably the server side code was expecting it, but it was null and the code was buggy and hence it totally broke with a 500. I'd suggest to use Firebug to track the entire HTTP traffic and compare it with the headers/parameters you've set. Probably you need to send a specific cookie back? Or you need to send the name=value pair of the submit button? Etcetera.

Update: you're sending the wrong __VIEWSTATE value along. The website runs on ASP.NET MVC which is a component based MVC framework (like as JSF in Java EE). It stores the component tree as "view state". You should not send a random/non-existing/invalidated view state back as paramter, but a valid one. You need to rewrite the HTTP client so that it first fires a GET request on the page with the form and then use a HTML parser (Jsoup?) to extract the value of the hidden __VIEWSTATE input field and finally fire a POST request with exactly that value (and exactly the same cookie in the request header!).

Like as in JSF, the view state is part of CSRF attack prevention. You cannot submit the form without first requesting the form from the website itself in the same session.

edited May 21 '11 at 16:48

answered May 21 '11 at 15:52

BalusC

1,082,665
372
3,610
3,555

I see perfectly how to extract the __VIEWSTATE, but how can I do to pass the same cookie ? – ldavin May 21 '11 at 17:01
On the first request, the server should have added a `Set-Cookie` header to the response which indicates the session ID. You need to send exactly that cookie name=value back in the `Cookie` header of the subsequent request so that the session will be maintained. For some examples see also http://stackoverflow.com/questions/2793150/how-to-use-java-net-urlconnection-to-fire-and-handle-http-requests – BalusC May 21 '11 at 17:05
Is this problem on second HTTPS request? Try setting the following system property before you send the first request: `System.setProperty("http.keepAlive", "false");` – BalusC May 21 '11 at 22:21
But you said that you got a HTTP 500? Have things changed? – BalusC May 22 '11 at 12:00
When I was only trying to do the POST request from my laptop or from Android I always had a HTTP500. Since your advice, I erased everything and started from scratch, and when I simply try a GET, I obtain a HTTP500 from my laptop and whether a "No trusted server certificate" or a file not found exception from Android. I don't understand what's going on. I think I might drop ... – ldavin May 22 '11 at 12:13
Does the HTTP 500 also come with a sensible message in the `getErrorStream()`? As to SSL errors, you should have kept your SSL manager and/or truststore. – BalusC May 22 '11 at 12:24
Try setting the `User-Agent` header. See also http://stackoverflow.com/questions/2793150/how-to-use-java-net-urlconnection-to-fire-and-handle-http-requests – BalusC May 22 '11 at 13:01

Why do I get an error 500 when I send POST data to an ASP.NET MVC site through Android?

1 Answers1