• Welcome to Valhalla Legends Archive.
 

[VB6] Submitting text into a masked HTML field?

Started by Sixen, July 09, 2008, 03:33 AM

Previous topic - Next topic

Sixen

So hmph? Is it possible? Here's the current code i've got that fills the information for everything else, however if the field is masked then I cannot input text into the textbox this way. If it matters, the issue is the password textbox.

Private Sub cmdGo_Click()
        Dim Gateway As String
        Dim Account As String
        Dim Password As String
        Dim Subject As String
        Dim Body As String
        Dim Signature As String
        Dim URL As String
        Dim flags As Long
        Dim targetFrame As String
        Dim Postdata() As Byte
        Dim Headers As String

        Gateway = cbGateway.Text
        Account = txtAccount.Text
        Password = txtPassword.Text
        Subject = txtSubject.Text
        Body = txtBody.Text
        Signature = chkSignature.Value

        URL = txtURL.Text
        targetFrame = ""
        Postdata = "Cluster=" & Gateway & "&Account=" & Account & "&Password=" & Password & "&Subject=" & Subject & "&Body=" & Body & "&AutoSignature=" & Signature
        Postdata = StrConv(Postdata, vbFromUnicode)
        Headers = "Content-Type: application/x-www-form-urlencoded " & vbCrLf
        WebBrowser1.Navigate URL, flags, targetFrame, Postdata, Headers
End Sub
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

iago

Hidden fields are submitted the exact same as any other field.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


MyndFyre

Quote from: iago on July 30, 2008, 08:35 AM
Hidden fields are submitted the exact same as any other field.
So are password fields.  Interestingly though, your code appears to be subject to a number of potential security flaws based on URL encoding.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

iago

Right, password fields.

Incidentally, you're missing the "Content-length" header, which is required for post data.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Sixen

It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.

Anyway, apparently I need to make a secure connection somehow.
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

MyndFyre

Quote from: Sixen on August 01, 2008, 12:36 AM
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.

Anyway, apparently I need to make a secure connection somehow.
Making a secure connection wouldn't address the underlying security issues.  The one about URL encoding - if a user enters an ampersand, for instance, into any of your text boxes, you'll get hosed because you're just using unchecked input.

Securing the password can be done fairly straightforwardly by implementing a server-side and client-side token.  The tokens can be exchanged in cleartext and it still prevents a man-in-the-middle attack; however, it requires that the server already have a hashed version of the password without having had tokens applied to it.  (This happens to be why SRP is a better key exchange than Battle.net's original implementation, for instance; SRP is secure even if the communication is intercepted at account creation).
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

iago

Quote from: Sixen on August 01, 2008, 12:36 AM
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.
Content-length is required when you're submitting POST data, but not for GET requests.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


iago

Quote from: MyndFyre[vL] on August 01, 2008, 04:30 AM
Quote from: Sixen on August 01, 2008, 12:36 AM
It wasn't anything serious, was just testing some stuff out. Also, didn't know Length was required, =/.

Anyway, apparently I need to make a secure connection somehow.
Making a secure connection wouldn't address the underlying security issues.  The one about URL encoding - if a user enters an ampersand, for instance, into any of your text boxes, you'll get hosed because you're just using unchecked input.

Securing the password can be done fairly straightforwardly by implementing a server-side and client-side token.  The tokens can be exchanged in cleartext and it still prevents a man-in-the-middle attack; however, it requires that the server already have a hashed version of the password without having had tokens applied to it.  (This happens to be why SRP is a better key exchange than Battle.net's original implementation, for instance; SRP is secure even if the communication is intercepted at account creation).
You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


MyndFyre

Quote from: iago on August 01, 2008, 08:44 AM
You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :)
You're correct!  I was in fact making that assumption.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Sixen

Quote from: MyndFyre[vL] on August 01, 2008, 07:46 PM
Quote from: iago on August 01, 2008, 08:44 AM
You're assuming he controls both the client and the server, though, this may not be the case. Although maybe it is, I don't really know. :)
You're correct!  I was in fact making that assumption.

I don't, :(. Blizzard's website servers control the server, hence why this really wouldn't be possible, Mynd.. =/.


Quote from: iago on August 01, 2008, 08:43 AM
Content-length is required when you're submitting POST data, but not for GET requests.

Understood, <3.
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

Barabajagal


Sixen

Quote from: Andy on August 04, 2008, 01:40 AM
Oh, you're making a blizzard.com/account creator to get 26 digit keys?

Was actually just making a forum AI Bot, heh.

Problem is, I can't get the password field to get sent through.
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

Barabajagal

Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable.

iago

Quote from: Sixen on August 04, 2008, 06:09 PM
Quote from: Andy on August 04, 2008, 01:40 AM
Oh, you're making a blizzard.com/account creator to get 26 digit keys?

Was actually just making a forum AI Bot, heh.

Problem is, I can't get the password field to get sent through.
Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Sixen

Quote from: Andy on August 04, 2008, 07:22 PM
Oh... Why not just emulate HTTP connections entirely instead of using the web browser control? I find it a lot easier and more reliable.

Care to explain a little bit more?

Quote from: iago on August 04, 2008, 10:28 PM
Some forums (SMF, for example) don't send the password directly. They use some kind of Javascript sorcery to send it. I'm guessing it's hashed or encrypted or something first.

Yeah, that's correct, iago. I found that out shortly after originally making this thread. Anyway, it is in fact encrypted, which is why I said I need to figure out how to make a secure connection. It uses SSL.
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org