Programmatic POST Requests with JavaScript: Automated Form Submissions
In the first part of this article series, Alejandro Gervasio explained how the XMLHttpRequest object can be used to generate massive GET requests to a targeted server, in order to launch denial of service attacks. In this article, he shows how HTTP POST requests, commonly used on Web forms to collect user data, can be automated, again leaving your system vulnerable to attack. With the information you learn from this series, you should be able to build more robust and safer Web applications, making your system less of a target.
Automated POST requests: the basics of a JavaScript-based form emulator
To set up the general structure for a JavaScript-based form emulator, I first need to define the program’s core logic. With that in mind, I’ll describe below the functions required to implement the application.
Keeping in mind that the program needs to use the functionality of the XMLHttpRequest object, I’ll use the same “getXMLHTTPObject()” function which we used in the first part of this series.
Next, as you might guess, POST requests need to be sent to a specific server, so I’ll reuse the same “sendRequest()” function written previously, this time specifying POST data along with the proper HTTP header for emulating form submissions. This function will also issue the HTTP requests in either synchronous or asynchronous mode.
Now that the program has the functions described above available, I’ll go step by step through the way a form submission will be emulated, to illustrate each task as clearly as possible.
First, the script will be pointed to a given file that contains the form to be submitted. For example, say the program targets a URL that looks like http://www.domain-to-be-hacked/contact/contact.php, where “contact.php” is the file that includes a contact form.
Then, a synchronous GET request will be made to this file, to get its (X)HTML code and obtain the form action attribute, along with the names of the form fields. If you think about this process, it’s roughly equivalent to clicking on a link that takes you to the given contact form page.
Next, having retrieved the form action (the URL where the form is submitted), as well as the form variables, the program will make a POST request to that file, and send the POST variables populated with pseudo-randomly generated data.
Finally, as an optional step, subsequent POST requests will be made to the same address, each time sending out random POST data.
As you can see, the steps required to automate form submissions can be implemented fairly simply. You therefore have yet another reason, as you develop Web programs, to pay close attention to building safer forms and writing robust user input verification code.
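The steps above also show what a server can check for: a submission that arrives right after the form was fetched, with every field filled (including ones a person never sees), and that is then repeated. The following server-side Node.js code is an added example, not code from the article; the field names `form_token` and `website`, the secret and the time limits are assumptions chosen for illustration.

```javascript
// Added example: server-side checks for a contact form (Node.js).
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: loaded from config in real use
const MIN_FILL_MS = 3000;                 // assumption: a person needs a few seconds
const MAX_AGE_MS = 30 * 60 * 1000;        // assumption: token lifetime of 30 minutes
const HONEYPOT = 'website';               // hypothetical hidden field people leave empty

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called when the form page is rendered; the result goes in a hidden "form_token" field.
function issueToken(now = Date.now()) {
  const nonce = crypto.randomBytes(8).toString('hex');
  const payload = `${now}.${nonce}`;
  return `${payload}.${sign(payload)}`;
}

const usedNonces = new Set(); // in-memory replay cache; assumption: single process

// Checks a parsed POST body (object of strings) and returns { ok, reason }.
function checkSubmission(body, now = Date.now()) {
  const parts = String(body.form_token || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'missing-token' };
  const [issued, nonce, mac] = parts;
  const a = Buffer.from(mac);
  const b = Buffer.from(sign(`${issued}.${nonce}`));
  // Random data in the token field fails here.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b))
    return { ok: false, reason: 'bad-token' };
  const age = now - Number(issued);
  if (age > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  // A POST sent straight after the GET fails here.
  if (age < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  // A script that fills every field it finds fails here.
  if (body[HONEYPOT]) return { ok: false, reason: 'honeypot-filled' };
  // Repeated POSTs with one token fail here.
  if (usedNonces.has(nonce)) return { ok: false, reason: 'replayed' };
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email || ''))
    return { ok: false, reason: 'bad-email' };
  usedNonces.add(nonce);
  return { ok: true, reason: 'accepted' };
}
```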
Based on the program logic explained above, below is the list of functions tasked with each relevant operation:
// function getXMLHTTPObject - returns instances of the XMLHttpRequest object
function getXMLHTTPObject(){}
// function sendRequest – makes get/post request to a specified URL
function sendRequest(){}
// function displayStatus – displays the status of the requests
function displayStatus(){}
// function getFormCode – returns the form page’s (X)HTML code
function getFormCode(){}
// function getFormVariables – returns the form variables
function getFormVariables(){}
// function getFormAction – returns the form action attribute
function getFormAction(){}
// function getRandomValue – returns a random string value
function getRandomValue(){}
// function getRandomEmail – returns a pseudo random email address
function getRandomEmail(){}
With all the required functions listed, we can move on and look in detail at the code for some of them, as the next stage in making the program fully functional. Just keep on reading.