As you’ve seen before, the “getFormVariables()” function populates form variables with random data, as a fairly basic method for emulating the way that real form fields are filled with user-provided information. Certainly, under real conditions malicious users implement more complex programs that very often include an extensive dictionary containing predefined values along with random data.
Regarding the program shown here, I won’t go so far in those complexities. I will only implement two functions to generate random values. The first one is “getRandomValue()”, which is listed below:
// function getRandomValue
As you can see, this function simply returns a random string that contains both alphanumeric and numeric characters. Since its logic is very simple, it might be modified to fit more specific needs, such as generating random values of a given length. To make the form emulator fully functional, this function is more than enough.
The next function to be reviewed is “getRandomEmail()”, which returns a well-formed email address by generating both the username and domain name parts using random strings along with a predefined user value. Below is its short definition:
With reference to the function above, the same rules applied to “getRandomValue()” are valid here. Definitely, more complex algorithms might be eventually introduced to generate “more realistic” email addresses, or even use real values. However, for keeping the program rather simple to understand, I’ll use this function as was originally defined.
The final step will be putting the pieces together and simulating a real attack condition, by using some illustrative sample files that will show the easiness of firing programmatic post requests with malicious purposes.
To wrap up
In the third part of this series, I’ve branched out to specifically define the whole functions that integrate the form emulator, by highlighting the basics of some http-based hacking techniques. Hopefully, by the end of this series you should have all the information to prevent this kind of attack within your existing or future Web programs. Thus, don’t miss the last article, since it’s where the real action takes place.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.