So hmph? Is it possible? Here's the current code I've got that fills the information for everything else, however if the field is masked then I cannot input text into the textbox this way. If it matters, the issue is the password textbox.
Private Sub cmdGo_Click()
    Dim Gateway As String
    Dim Account As String
    Dim Password As String
    Dim Subject As String
    Dim Body As String
    Dim Signature As String
    Dim URL As String
    Dim flags As Long
    Dim targetFrame As String
    Dim Postdata() As Byte
    Dim Headers As String

    ' Read the form values from the UI controls
    Gateway = cbGateway.Text
    Account = txtAccount.Text
    Password = txtPassword.Text
    Subject = txtSubject.Text
    Body = txtBody.Text
    Signature = chkSignature.Value
    URL = txtURL.Text
    targetFrame = ""

    ' Build the form body by plain concatenation (values are not URL-encoded)
    Postdata = "Cluster=" & Gateway & "&Account=" & Account & "&Password=" & Password & "&Subject=" & Subject & "&Body=" & Body & "&AutoSignature=" & Signature
    ' Convert the Unicode string to single-byte characters for the POST body
    Postdata = StrConv(Postdata, vbFromUnicode)
    Headers = "Content-Type: application/x-www-form-urlencoded " & vbCrLf

    ' Submit the POST through the WebBrowser control
    WebBrowser1.Navigate URL, flags, targetFrame, Postdata, Headers
End Sub
Hidden fields are submitted the exact same as any other field.
Quote from: iago on July 30, 2008, 08:35 AM
Hidden fields are submitted the exact same as any other field.
So are password fields. Interestingly though, your code appears to be subject to a number of potential security flaws based on URL encoding.
Right, password fields.
Incidentally, you're missing the "Content-length" header, which is required for post data.
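The URL-encoding flaw and the Content-Length point raised in the replies above, shown as an added example that is not part of any post in this thread. It is written in Python rather than VB6, the field names follow the original post's form, and the sample values are constructed.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample input; field names follow the original post's form.
FIELDS = {
    "Account": "sixen",
    "Password": "p&ss=w0rd+1",  # '&', '=' and '+' are all special in a form body
    "Subject": "hello",
}


def naive_body(fields):
    """Join name=value pairs unescaped, as the posted VB code does."""
    return "&".join(f"{name}={value}" for name, value in fields.items())


def encoded_body(fields):
    """Percent-encode every name and value (application/x-www-form-urlencoded)."""
    return urlencode(fields)


def server_view(body):
    """Decode a form body the way a server-side form parser would."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def post_headers(body):
    """Return (headers, raw bytes); Content-Length counts bytes, not characters."""
    raw = body.encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(raw)),
    }
    return headers, raw


if __name__ == "__main__":
    # Unescaped: the password is cut at '&' and a stray "ss" field appears.
    print(server_view(naive_body(FIELDS)))
    # Encoded: every field arrives exactly as the user typed it.
    print(server_view(encoded_body(FIELDS)))
    print(post_headers(encoded_body(FIELDS))[0])
```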
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.
Anyway, apparently I need to make a secure connection somehow.
Quote from: Sixen on August 01, 2008, 12:36 AM
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.
Anyway, apparently I need to make a secure connection somehow.
Making a secure connection wouldn't address the underlying security issues. The one about URL encoding - if a user enters an ampersand, for instance, into any of your text boxes, you'll get hosed because you're just using unchecked input.
Securing the password can be done fairly straightforwardly by implementing a server-side and client-side token. The tokens can be exchanged in cleartext and it still prevents a man-in-the-middle attack; however, it requires that the server already have a hashed version of the password without having had tokens applied to it. (This happens to be why SRP is a better key exchange than Battle.net's original implementation, for instance; SRP is secure even if the communication is intercepted at account creation).
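A sketch of the client-token/server-token exchange described in the post above, as an added example that is not part of the original post and is not Battle.net's or any forum's actual algorithm. The SHA-256 construction, the `Server` class and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    """Value the server stores at account creation, with no tokens applied.
    Illustrative only: a real deployment would use a salted, slow KDF."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_proof(client_token, server_token, pw_hash):
    """Both sides compute H(client_token || server_token || H(password))."""
    return hashlib.sha256(client_token + server_token + pw_hash).digest()


class Server:
    """Hypothetical server that issues one-time tokens and checks proofs."""

    def __init__(self, stored_hash):
        self.stored_hash = stored_hash
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)  # sent to the client in cleartext
        return self.pending

    def verify(self, client_token, proof):
        if self.pending is None:
            return False
        server_token, self.pending = self.pending, None  # each token is single use
        expected = make_proof(client_token, server_token, self.stored_hash)
        return hmac.compare_digest(expected, proof)


def client_login(password, server_token):
    """Client side: the password itself never goes on the wire."""
    client_token = secrets.token_bytes(16)
    proof = make_proof(client_token, server_token, password_hash(password))
    return client_token, proof


def demo():
    server = Server(password_hash("correct horse"))  # constructed sample password
    client_token, proof = client_login("correct horse", server.challenge())
    accepted = server.verify(client_token, proof)
    server.challenge()  # a later login attempt gets a fresh server token
    replayed = server.verify(client_token, proof)  # captured proof no longer matches
    wrong = server.verify(*client_login("wrong guess", server.challenge()))
    return accepted, replayed, wrong
```

The stored hash is what the server compares against, so anyone who obtains it can compute valid proofs; the tokens only keep a captured proof from being reused.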
Quote from: Sixen on August 01, 2008, 12:36 AM
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.
Content-length is required when you're submitting POST data, but not for GET requests.
Quote from: MyndFyre[vL] on August 01, 2008, 04:30 AM
Quote from: Sixen on August 01, 2008, 12:36 AM
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.
Anyway, apparently I need to make a secure connection somehow.
Making a secure connection wouldn't address the underlying security issues. The one about URL encoding - if a user enters an ampersand, for instance, into any of your text boxes, you'll get hosed because you're just using unchecked input.
Securing the password can be done fairly straightforwardly by implementing a server-side and client-side token. The tokens can be exchanged in cleartext and it still prevents a man-in-the-middle attack; however, it requires that the server already have a hashed version of the password without having had tokens applied to it. (This happens to be why SRP is a better key exchange than Battle.net's original implementation, for instance; SRP is secure even if the communication is intercepted at account creation).
You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :)
Quote from: iago on August 01, 2008, 08:44 AM
You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :)
You're correct! I was in fact making that assumption.
Quote from: MyndFyre[vL] on August 01, 2008, 07:46 PM
Quote from: iago on August 01, 2008, 08:44 AM
You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :)
You're correct! I was in fact making that assumption.
I don't, :(. Blizzard's website servers control the server, hence why this really wouldn't be possible, Mynd.. =/.
Quote from: iago on August 01, 2008, 08:43 AM
Content-length is required when you're submitting POST data, but not for GET requests.
Understood, <3.
Oh, you're making a blizzard.com/account creator to get 26 digit keys?
Quote from: Andy on August 04, 2008, 01:40 AM
Oh, you're making a blizzard.com/account creator to get 26 digit keys?
Was actually just making a forum AI Bot, heh.
Problem is, I can't get the password field to get sent through.
Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable.
Quote from: Sixen on August 04, 2008, 06:09 PM
Quote from: Andy on August 04, 2008, 01:40 AM
Oh, you're making a blizzard.com/account creator to get 26 digit keys?
Was actually just making a forum AI Bot, heh.
Problem is, I can't get the password field to get sent through.
Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first.
Quote from: Andy on August 04, 2008, 07:22 PM
Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable.
Care to explain a little bit more?
Quote from: iago on August 04, 2008, 10:28 PM
Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first.
Yeah, that's correct, iago. I found that out shortly after originally making this thread. Anyway, it is in fact encrypted, which is why I said I need to figure out how to make a secure connection. It uses SSL.
Quote from: Sixen on August 05, 2008, 12:38 AM
Quote from: Andy on August 04, 2008, 07:22 PM
Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable.
Care to explain a little bit more?
Quote from: iago on August 04, 2008, 10:28 PM
Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first.
Yeah, that's correct, iago. I found that out shortly after originally making this thread. Anyway, it is in fact encrypted, which is why I said I need to figure out how to make a secure connection. It uses SSL.
SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript.
Quote from: MyndFyre[vL] on August 05, 2008, 02:30 AM
SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript.
Myndfyre's right, this has nothing to do with SSL and everything to do with Javascript.
Just use .NET and the webbrowsercontrol, you could do it in less than 10 lines of code.
Quote from: iago on August 05, 2008, 07:21 AM
Quote from: MyndFyre[vL] on August 05, 2008, 02:30 AM
SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript.
Myndfyre's right, this has nothing to do with SSL and everything to do with Javascript.
Hmph..
Quote from: Dale on August 05, 2008, 01:41 PM
Just use .NET and the webbrowsercontrol, you could do it in less than 10 lines of code.
Wouldn't I still be stuck at this part though? =P.
Quote from: Sixen on August 06, 2008, 03:17 PM
Quote from: iago on August 05, 2008, 07:21 AM
Quote from: MyndFyre[vL] on August 05, 2008, 02:30 AM
SMF doesn't necessarily use SSL. I use SMF on a couple servers on which I don't have server certificates. It encrypts the password using JavaScript.
Myndfyre's right, this has nothing to do with SSL and everything to do with Javascript.
Hmph..
Quote from: Dale on August 05, 2008, 01:41 PM
Just use .NET and the webbrowsercontrol, you could do it in less than 10 lines of code.
Wouldn't I still be stuck at this part though? =P.
Well no, not that I'd think, you just get the element id and set its innerText.
*EDIT: I just read back to your original post, and I'm pretty sure this would solve your problem considering I made an auto-login bot for a website without a problem.