Hi all,

Cryptic subject I realise, but what I'm trying to achieve seems unorthodox at best.

Let me try explaining it in a simple way. And above all, no server side scripting allowed - the webserver has nothing installed that can do it.

So, I've got this page (let's call it "pageA") that has some content. I want to inject something invisible to it, that will post information a variable ("varA") from pageA to a remote URL (let's call it "pageB").

However, the tricky bit is that for pageB to accept the content that I ultimately want to post, I must first generate a variable ("varB") in pageB using a particular form, form1.Once this is done I can then call pageB again, but this time form2, and post the value of varB into it.

This will tell my remote pageB to store the value of varA associated with a dinamically created varB, used for reference.

Note, pageB already exists and I cannot change it, hence why everything has to be coded in pageA, perhaps using JavaScript and iframes, or the like, so that nothing gets diplayed there and we do not navigate away from it.

Any ideas how to make it in a simple way?


EDIT:

In line with the comments below, I agree it would make it clearer to open up a bit more on what I'm trying to achieve.

I have a product in house that filters URLs. If a URL does not exist on the database, access to it is blocked.

I want to report this automatically to the manufacturer's website, rather than doing it manually, so they can add the URL to the database. They provide a facility on their website that allows you to do it manually, but that gets confusing to my non experienced IT users and puts some burden on us to do it ourselves. The manufactures does not yet have an automated facility to aid with this.

So I though about automating it myself.

By modifying my local block page, I could POST the URL to the manufacturer's website, saving me from doing the manual process.

Analysing the manufaturer's URL submission page, I've identified the following two FORMS.

The form "single_ check_form" allows you to check if a URL is categorised:

<form name="single_check_form" action="http://manufacturer.com/en/feedback/url" method="post" enctype="multipart/form-data">
            <input type="hidden" name="sid" value="" />
            <input type="hidden" name="action" value="checksingle" />
        <input class="inputfield" type="text" name="url" value="http://uncategorisedURL.com" />
<a href="javascript: document.single_check_form.submit();">Check URL</a>
</form>

The result of the above form, populates the variable "sid" with what I believe to be a dynamically generated value, associated with "url", and is then used by the form "result" below:

<form name="result" action="http://manufacturer.com/en/feedback/url" method="post" enctype="multipart/form-data">
            <input type="hidden" name="sid" value="77A9D5998388384509C5A241188C8A39" />
            <input type="hidden" name="action" value="feedback" />
          <a href="javascript: document.result.submit();">Submit</a>

</form> 

This form would then submit the sid for categorisation - which must tell it in the back end that "sid" is associated with "url" submitted on the previous form. The reason why they do a two step thing, and the fact that on step two the page displays "confirm that you wish to submit this URL for categorisation" must be to force people to double-check their entries.

Now the key is still that I don't display anything locally on my block pages, as to not confuse my users. As far as they are concerned, they would get a message like:

"The page you are trying to access has been blocked because the URL you have requested is not categorised. Please check again in a few hours"

The page would then submit the uncategorised URL to the manufacturer, and in the next database update, we would hopefully get the URL categorised.

Makes sense?

Hope this clears confusion and concerns of any other not so dignified intentions.

Thanks,

Joao

  • Oh, just to clarify something: on the first iteration of posting information to pageB, we need to include varA in the post. varA tells pageB to create varB as a reference to varA. :-) Joao Duraes almost 7 years ago
  • Couldn't you just contact the manufacturer's web master and get them to help you? If nothing else they can provide you the format of the submit string and maybe even help you test it. Mottie almost 7 years ago
  • Well, if only it was that easy... They won't help me by implementing changes on their pages in reasonable timescales - "planning on doing it, but no ETA at the moment". Even if they did, I would still have to submit from my end, without changing the look on the block pages that my users got used to. It's also about perception. I know (I mean, I think) I would have to use iframes to do this on my end, but I'm not that much of an expert in HTML/JavaScript coding. I was really hoping to look for some positive pointers in this forum. Joao Duraes almost 7 years ago
  • Can you use PHP or Python for pageA? that would allow you to submit the form server-side rather than messing around with javascript in the browser. Justin Hileman almost 7 years ago
  • The web server is not actually a web server. It is a closed device that serves HTML pages only. I can't add any server side logic to it, I'm afraid. Trust me, if I could do some server side scripting, that woukld have been my preferred route and you wouldn't see me here asking for help... :-( Scratched a hole down my head pondering on this one. Always reach the same conclusion: run the first form hidden inside a local page, get the value of "sid", run the other remote form with "sid" and post the result. The theory sounds simple, eh? :-) Joao Duraes almost 7 years ago

2 answers

0
points

Your attempts to simplify the problem to make it easier to understand makes your whole question very difficult to understand at all. Is there any way that you can maybe explain exactly what you are trying to accomplish in reality, instead of renaming things as pageA, varB, etc?

Also, when you say "in the post" do you mean as a POST variable?

Finally, you understand that you won't be able to permanently change anything if there is no server-side scripting, right? Yes, with some Javascript you can change what it says on the page for a single session with a single user, but it's not possible to do anything more without server scripting.

Answered almost 7 years ago by Timothy Armstrong
  • Appreciate your comments. Nothing needs to be permanent on my local side. I just want to send the information using a POST method to another location. See my EDIT above for the full explanation. Thanks, Joao Duraes almost 7 years ago
0
points

Why don't you change the title to something like "How do I perform a Cross-Site Request Forgery?"

I understand what you're asking, I just don't know that I should tell you how to do it...

Answered almost 7 years ago by Justin Hileman
  • Hi Justin. I appreciate your concerns. Pleae see my EDIT above to see if that clarifies things enough for you to be able to help me. Thanks, Joao Joao Duraes almost 7 years ago