Programmatic POST Requests with JavaScript: A Functional Form Emulator


Welcome to the third part of this series, which explains specifically how HTTP requests can be used by malicious users to launch attacks against unprotected websites. Since the previous article provided the core functions for building a JavaScript-based form emulator, this third part completes the definitions of the remaining functions and lays the groundwork for making the program fully functional.

Author Info:
By: Alejandro Gervasio
Rating: 4 stars / 20
July 27, 2005
TABLE OF CONTENTS:
  1. Programmatic POST Requests with JavaScript: A Functional Form Emulator
  2. Building a functional script: listing the “getXMLHTTPObject()” and “sendRequest()” functions
  3. Getting the form’s (X)HTML markup: defining the “getFormCode()” function
  4. Getting form data: defining the “getFormAction()” and “getFormVariables()” functions
  5. Generating random data: defining the “getRandomValue()” and “getRandomEmail()” functions

Generating random data: defining the “getRandomValue()” and “getRandomEmail()” functions
(Page 5 of 5)

As you’ve seen before, the “getFormVariables()” function populates form variables with random data, a fairly basic way of emulating how real form fields are filled with user-provided information. Under real conditions, malicious users certainly implement more complex programs, which very often combine an extensive dictionary of predefined values with random data.

For the program shown here, I won’t go into those complexities. I will only implement two functions that generate random values. The first one is “getRandomValue()”, which is listed below:

// function getRandomValue
// Returns a random string of 2 to 9 characters drawn from the
// lowercase letters and the digits (the original listing omitted 'j').
function getRandomValue(){
    var chars='abcdefghijklmnopqrstuvwxyz0123456789';
    var rndstring='';
    // random length between 2 and 9 inclusive
    var strlength=Math.floor(Math.random()*8)+2;
    for(var i=0;i<strlength;i++){
        // pick one character of the alphabet at random
        var rndvalue=Math.floor(Math.random()*chars.length);
        rndstring+=chars.substring(rndvalue,rndvalue+1);
    }
    return rndstring;
}

As you can see, this function simply returns a random string containing both alphabetic and numeric characters. Since its logic is very simple, it could be modified to fit more specific needs, such as generating random values of a given length. For making the form emulator fully functional, this function is more than enough.

The next function to be reviewed is “getRandomEmail()”, which returns a well-formed email address by building both the username and the domain name from random strings combined with a predefined user value. Below is its short definition:

// function getRandomEmail
// Builds "johndoe<random>@<random>.com" from two calls to getRandomValue()
function getRandomEmail(){
    return 'johndoe'+getRandomValue()+'@'+getRandomValue()+'.com';
}

The same remarks made about “getRandomValue()” apply to this function as well. More complex algorithms could certainly be introduced to generate “more realistic” email addresses, or even to use real values. However, to keep the program simple to understand, I’ll use this function as originally defined.
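From the defender's side, the two generators leave a recognizable footprint: every value is a short lowercase alphanumeric token, and every address follows one fixed template. The following Node.js check is an added example, not code from the original article; the function name `analyseSubmission()`, the regular expressions and the "three or more fields" threshold are my own assumptions, and the sample submissions are constructed.

```javascript
// Added example: server-side heuristics that recognise POST bodies shaped like
// the article's emulator output. Names, patterns and thresholds are assumptions.
const TOKEN_RE = /^[a-z0-9]{2,9}$/;                      // shape of getRandomValue()
const EMAIL_TEMPLATE_RE = /^johndoe[a-z0-9]{2,9}@[a-z0-9]{2,9}\.com$/; // getRandomEmail()

// Takes one decoded POST body (an object of string fields) and returns
// { synthetic, reasons }. Use the result to rate-limit or challenge the
// client, not as proof of abuse on its own.
function analyseSubmission(fields) {
  const reasons = [];
  const values = Object.entries(fields).filter(([, v]) => typeof v === 'string');
  if (values.length === 0) return { synthetic: false, reasons };

  let templateHits = 0;
  let tokenLike = 0;
  for (const [name, value] of values) {
    if (EMAIL_TEMPLATE_RE.test(value)) {
      templateHits++;
      reasons.push(`${name}: matches the emulator's e-mail template`);
    } else if (TOKEN_RE.test(value)) {
      tokenLike++;   // bare lowercase alphanumeric token: no spaces, case or punctuation
    }
  }
  // Real names, subjects and messages almost always contain whitespace,
  // capitals or punctuation; the emulator never produces any of those.
  const others = values.length - templateHits;
  const allTokens = others >= 3 && tokenLike === others;
  if (allTokens) reasons.push('every non-e-mail field is a short bare alphanumeric token');

  return { synthetic: templateHits > 0 || allTokens, reasons };
}

// Constructed input mimicking the article's generators, used to confirm that
// the patterns cover the generators' whole output space.
function emulatorSample() {
  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
  const rnd = () => {
    const len = Math.floor(Math.random() * 8) + 2;
    let s = '';
    for (let i = 0; i < len; i++) s += chars[Math.floor(Math.random() * chars.length)];
    return s;
  };
  return { name: rnd(), email: `johndoe${rnd()}@${rnd()}.com`, subject: rnd(), message: rnd() };
}

module.exports = { analyseSubmission, emulatorSample };
```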

By this point, the complete set of functions that compose the JavaScript-based form emulator has been defined and covered in detail. I have also given you all of the explanations needed to describe the logic of a program designed precisely to emulate automated POST form submissions.

The final step will be putting the pieces together and simulating a real attack condition, using some illustrative sample files that show how easily programmatic POST requests can be fired with malicious purposes.

To wrap up

In the third part of this series, I’ve defined all of the functions that make up the form emulator, while highlighting the basics of some HTTP-based hacking techniques. Hopefully, by the end of this series you will have all the information you need to prevent this kind of attack in your existing or future Web programs. So don’t miss the last article, since it’s where the real action takes place.

