
Programmatic POST Requests with JavaScript: Automated Form Submissions


In the first part of this article series, Alejandro Gervasio explained how the XMLHttpRequest object can be used to generate massive GET requests to a targeted server, in order to launch denial of service attacks. In this article, he shows how HTTP POST requests, commonly used on Web forms to collect user data, can be automated, again leaving your system vulnerable to attack. With the information you learn from this series, you should be able to build more robust and safer Web applications, making your system less of a target.

Author Info:
By: Alejandro Gervasio
July 20, 2005
TABLE OF CONTENTS:
  1. Programmatic POST Requests with JavaScript: Automated Form Submissions
  2. Automated POST requests: the basics of a JavaScript-based form emulator
  3. Building the form emulator: defining the core functions “getXMLHTTPObject()” and “sendRequest()”
  4. Tracking the request’s status: defining the “displayStatus()” function

(Page 1 of 4 )

Introduction

Welcome to the second part of the series “Programmatic POST requests with JavaScript.” As you surely remember, in the first part I explained in detail how the XMLHttpRequest object is used to generate massive GET requests to a targeted server, with the malicious purpose of launching denial of service attacks, as well as turning URL manipulation into an automated process.

If you’re used to working with this object in JavaScript, then the simple program that I wrote previously should be pretty straightforward. First, I defined a couple of functions to send HTTP requests to a specified URL, and then wrapped up the code in a timer, in order to implement program execution within a given time interval.

As a result, the snippet was capable of sending multiple HTTP requests in asynchronous mode, possibly causing heavy server overloads and, eventually, complete system hangs.

From an attacker’s point of view, it’s extremely easy to use HTTP-based hacking tools to launch attacks against unprotected websites, using scripts that implement iteration as the core logic for firing harmful requests. After all, a Web server is an inherently public system with limited resources, so the idea of using brute force techniques to consume computational resources is fairly logical.

Generally speaking, if HTTP GET requests can quite easily be turned into an automated process, the same concept can be applied to POST requests. As you know, POST requests are commonly used on Web forms as the default method of collecting user data, and because forms are inherently open to public access, they’re one of the most vulnerable points within the structure of a website.

Despite the fact that some methods are currently applied to make Web forms safer, there are still plenty of websites that expose themselves to users by making the wrong assumption that their forms will never be used for hacking purposes. Of course, the situation gets more critical if form data is used directly to add or modify sensitive information in some way, without performing strict server-side validation.

However, even in cases where strict form validation is carried out, it’s possible to emulate form submissions that are considered valid and genuine by existing verification mechanisms. Taking this critical condition into account, different techniques are applied in order to reduce hacking possibilities, ranging from noisy image generation and on-the-fly creation of Web pages (mostly using the DOM) to cryptographic methods, or a combination of techniques.
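One server-side form of the cryptographic methods mentioned above, shown as an added example that is not part of the original article: a signed, expiring, single-use token placed in a hidden form field and checked before any POST data is processed. The function names, time limits, and in-memory replay cache are assumptions chosen for illustration (Node.js).

```javascript
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // assumption: per-deployment key, never sent to the client
const MAX_AGE_MS = 15 * 60 * 1000;     // assumed policy: token expires 15 minutes after issue
const MIN_FILL_MS = 3 * 1000;          // assumed policy: a form filled in under 3 s is treated as scripted
const usedNonces = new Set();          // in-memory replay cache; a shared store is needed across servers

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called when the server renders the form; the result goes into a hidden field.
// Assumes session IDs contain no '.' characters (e.g. hex strings).
function issueFormToken(sessionId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const payload = `${sessionId}.${now}.${nonce}`;
  return `${payload}.${sign(payload)}`;
}

// Called on every POST before the submitted fields are touched.
function verifyFormToken(token, sessionId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed' };
  const [sid, issued, nonce, mac] = parts;
  const expected = Buffer.from(sign(`${sid}.${issued}.${nonce}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  // Constant-time comparison; the length check avoids a throw on bad input.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (sid !== sessionId) return { ok: false, reason: 'wrong-session' };
  const age = now - Number(issued);
  if (age > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  if (age < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  if (usedNonces.has(nonce)) return { ok: false, reason: 'replayed' };
  usedNonces.add(nonce); // each rendered form may be submitted once
  return { ok: true, reason: 'accepted' };
}
```

A token check like this only raises the cost of scripted submissions; it is normally combined with per-client rate limiting and the strict server-side validation of each field that the article calls for.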

Now that I’ve described the problematic scenario that arises when working with Web forms, in this second part of the series I’ll explain the basics of automated POST requests, again using the XMLHttpRequest object, and then write a JavaScript program that roughly simulates human-based form submissions.

As I explicitly said in the first part of this series, this tutorial is not intended to promote the use of hacking techniques. It simply demonstrates how a potential attack can be launched against websites, in order to encourage developers to build up safer and more efficient Web programs.

With the preliminaries out of the way, let’s get started.

