bypassing web form hardcoding login and password

[cgian31]

I need to hide the complexity from users to access an information
webpage, which is normally accessible after filling in a web
form with the correct data.

The address of the information webpage is like
https://external.address.com/info.asp?<numeric code>
where <numeric code> is a number generated by the server.

This number (always different) is generated by the server only when you
open the first web page in your browser, fill in the right values in 2
fields (user, password) and click Login.

Any advices?

 

[Oliver Wong]

I need to hide the complexity from users to access an information
webpage, which is normally accessible after filling in a web
form with the correct data.

The address of the information webpage is like
https://external.address.com/info.asp?<numeric code>
where <numeric code> is a number generated by the server.

This number (always different) is generated by the server only when you
open the first web page in your browser, fill in the right values in 2
fields (user, password) and click Login.

Any advices?

Are you in control of the source code for info.asp?

- Oliver

 

[cgian31]

no, it is the site of one our service provider. We have an account for
our department (350 users) but plenty of people keep forgetting the
password, so I would like to let them access through our intranet page,
hardcoding login and password.

 

[Oliver Wong]

no, it is the site of one our service provider. We have an account for
our department (350 users) but plenty of people keep forgetting the
password, so I would like to let them access through our intranet page,
hardcoding login and password.

You can try looking at the ACTION attribute of the form, and creating a
similar form with <INPUT TYPE="HIDDEN"> with the values pre-filled in.

- Oliver

 

[cgian31]

I have tried that, but when I post it just displays the original remote
form without login and password values filled in!

 

[Andrew Thompson]

I have tried that, but when I post it just displays the original remote
form without login and password values filled in!

Sheesh! Did you post to the log-in form's target,
or the form itself?

To solve this you need to get..
- a book on HTML

Once you can do it in HTML, you can do it in JSP.

[ And if you have futher questions on this matter, please
post them to an HTML forum, like..
<http://groups.google.com/group/comp.infosystems.www.authoring.html> ]

 

[Andrew Thompson]

post them to an HTML forum,

or rather, Usenet Newsgroup,

.. like..
<http://groups.google.com/group/comp.infosystems.www.authoring.html> ]

 

[Oliver Wong]

Sheesh! Did you post to the log-in form's target,
or the form itself?

To solve this you need to get..
- a book on HTML

Once you can do it in HTML, you can do it in JSP.

It's conceivable the ASP form is doing something tricky like checking
the browser reported referrer, or doing strange things with JavaScript, etc.

A simpler, low tech solution might be to just post the password
somewhere on your intranet website (this has about the same security as
hardcoding it into an HTML form anyway). Then people can just read the
password and login.

- Oliver

 

[cgian31]

OK, got the message, thanks anyway for your help.

 

[Jon Martin Solaas]

OK, got the message, thanks anyway for your help.

Maybe someone at some microsoftish group could help you, it's after all
a microsoftish url we are looking at ...

We are ofcourse flattered that you went to a java group for help first

 

[cgian31]

The thing is that it is not my website I am trying to bypass. And since
I am better at Java I thought maybe I can do something with it to
compile a generic form!

 

[Oliver Wong]

The thing is that it is not my website I am trying to bypass. And since
I am better at Java I thought maybe I can do something with it to
compile a generic form!

Unless JSP is somehow getting involved, I don't think there's a
compilation step in writing an HTML form with the inputs pre-filled-out.

- Oliver