hmtl form - block script sccess

slemons

Hi there,
I was just wondering what how or is it possible to write a html form (say a login to a website, with username and password fields) that can know if its a perl or python script thats filling it out, and then reject that connection?

This is something ive been looking into this last while and trying it out myself with some perl/python on some site's im a member of. It works on most sites (using a script to login that is) but not on others and i was wondering whats the difference?

Thanks for your help

forbairt

could be as simple as POST instead of GET .... if you have the username and password I wouldn't see why you wouldn't be able to connect to a page using a script

seamus

Yes and no. It's a bit of a black art.

It's definitely possible.
There are a number of server headers that you can use to check who is attempting to log in:

Referer - This is the name of the page that you were last at (i.e. the page that contained the link to this one). You can specify that "If the referer isn't one of these pagesm then, don't continue". This item can be spoofed, so it's not foolproof.
User-Agent - This is an identifier of who is accessing the script. Browsers have big long identifying pieces of text, scripting languages tend to just use thing like "PHP/5.0". This too can be spoofed, so again it's not foolproof.

One way to do it is to rely on something that browser have but scripting languages don't - Javascript.

Put simply, you add a hidden field to your form, "validate" or something. Set this to false, and then when the submit button is pressed, change it to "true", using javascript. Of course, if the user has Javascript disabled, they'll never be able to log in.

slemons

thanks for the help.

I am actually trying to replicate some of this myself to see whats going on.

Here is the form im trying to access using a python script

[PHP] <td align=left valign=bottom nowrap>
<form action="http://www.easynews.com/login/&quot; method=post name="login">
<font face=arial size="+1"><u><b>MEMBERS LOGIN</b></u></font><br><br>
<font face=arial size=-1>USERNAME:</font><br>
<input type="text" name="username" size=15 maxlength=15><br>
<font face=arial size=-1>PASSWORD:</font><br>
<input type="password" name="password" size=15 maxlength=15><br>
<input type="submit" value="login"><br>
</form>
</td>[/PHP]

this must be a post method! and the two fields are username and password.
so my python script is :




[PHP]#!/usr/bin/python
import urllib

data = urllib.urlencode({"username" : "XXXXXX", "password" : "XXXXXXX"})
f = urllib.urlopen("http://www.easynews.com",data)
s = f.read()
print s[/PHP]


from my limitedknowledge of python, that should work but it doesnt and infact the print s statment prints the exact same html for
f = urllib.urlopen("http://www.easynews.com")
as
f = urllib.urlopen("http://www.easynews.com",data)

which is very strange. Its as if the form is just totally ignoring my request!

any idea's whats going on?

Or how i can find out what exactly the form is doing nehind the scenes?

Seamus - you raised some good points? Any idea how i can find out for sure what the form is actually checking for?

I mean it should always be possible to get this form to submit using a script since there's no authenication image or anything like that
thanks!

phil

All Javascript does it mimick client behaviour. Any intelligent developer can decode the Javascript on the page, see it's setting that variable to true and simply do so on their script automatically.

If you want to programatically simulate client browsers through Python use Mechanize:

http://wwwsearch.sourceforge.net/mechanize/

If you're still having problems I can knock something up quick that would log you in and get a page on an example site.

Phil.

forbairt

slemons wrote:

[PHP] <td align=left valign=bottom nowrap>
<form action="http://www.easynews.com/login/&quot; method=post name="login">
<font face=arial size="+1"><u><b>MEMBERS LOGIN</b></u></font><br><br>
<font face=arial size=-1>USERNAME:</font><br>
<input type="text" name="username" size=15 maxlength=15><br>
<font face=arial size=-1>PASSWORD:</font><br>
<input type="password" name="password" size=15 maxlength=15><br>
<input type="submit" value="login"><br>
</form>
</td>[/PHP]

Not going into too much detail as I don't know all the details and haven't used python much ... but you haven't submitted the "submit" with value "login" ... potentially they are looking for this in the POST variables ...

phil

Nope, that's incorrect. The name attribute on the relevant input tag hasn't been set and therefore the submit button isn't passed along through the form.

Phil.

forbairt

had missed that ... I stand corrected

forbairt

From that site easynews btw ...

* You must have session cookies enabled to access the site.

So its looking for a cookie ... and not seeing one ... ?

phil

Yup, as I said, use mechanize it will make your life much easier, it will take care of cookies and other such things.

Something like the following should work:

import mechanize

br = mechanize.Browser()
br.open("http://www.easynews.com/")
br.select_form(name="login")
br["username"] = "testing"
br["password"] = "pass123"
r = br.submit()

print r.read()

Beware, not tested

slemons

lads ye are legends!
ive no idea about all this stuff
I was actually going to try using perl's mechanize before you said this since its in that 02sms script and that works fine.
Id like to stick with python though so i'll give that last bit of code a whirl as soon as i get mechanize and easy install for python going.
thanks!
i'll report back soon

slemons

na seriously lads ye are legends!! esp yourself phil!
5 full seconds of work using that code and its flying it.
I was messing with that for about 6 weeks and got nothing

Im really starting to loev python. Forget perl!!

Thanks again
Looks like the cookie monster struck but i got tha last laugh! lol

phil

All you're really doing there is utilizing the Mechanize module , it's available in perl as well

Anyways, no problem, enjoy!