
Programmatic POST Requests with JavaScript: Automated Form Submissions


In the first part of this article series, Alejandro Gervasio explained how the XMLHttpRequest object can be used to generate massive GET requests to a targeted server, in order to launch denial of service attacks. In this article, he shows how HTTP POST requests, commonly used on Web forms to collect user data, can be automated, again leaving your system vulnerable to attack. With the information you learn from this series, you should be able to build more robust and safer Web applications, making your system less of a target.

Author Info:
By: Alejandro Gervasio
July 20, 2005
TABLE OF CONTENTS:
  1. · Programmatic POST Requests with JavaScript: Automated Form Submissions
  2. · Automated POST requests: the basics of a JavaScript-based form emulator
  3. · Building the form emulator: defining the core functions “getXMLHTTPObject()” and “sendRequest()”
  4. · Tracking the request’s status: defining the “displayStatus()” function


Programmatic POST Requests with JavaScript: Automated Form Submissions - Tracking the request’s status: defining the “displayStatus()” function
(Page 4 of 4 )

Certainly, the program needs to be able to track the status of the current HTTP request. To do that, I’ve defined the “displayStatus()” function. Its code looks like this:

// function displayStatus
function displayStatus(){
    // check XMLHttpRequest object status
    if(objhttp.readyState==4){
        // create paragraph elements
        var parStat=document.createElement('p');
        var parText=document.createElement('p');
        var parResp=document.createElement('p');
        // assign ID attributes
        parStat.id='status';
        parText.id='text';
        parResp.id='response';
        // append text nodes
        parStat.appendChild(document.createTextNode('Status : '+objhttp.status));
        parText.appendChild(document.createTextNode('Status text : '+objhttp.statusText));
        parResp.appendChild(document.createTextNode('Document code : '+objhttp.responseText));
        // insert <p> elements into document tree
        document.body.appendChild(parStat);
        document.body.appendChild(parText);
        document.body.appendChild(parResp);
    }
}

The task of the above function is simply to verify the status of the XMLHttpRequest object by checking the value of the “readyState” property. Once the request has been completed (a “readyState” value of 4), the function dynamically appends three regular paragraphs to the document tree, in order to display basic information about the status of the request.

As you can see, the values of the “status”, “statusText” and “responseText” properties are displayed, which is useful for tracking the server response. I’ve defined this function to show the information in a rather rough way, but it could be improved with a more polished look and feel.

At this point, I’ve specified in general terms the complete set of functions that make up the JavaScript program for generating POST form submissions. Besides laying out the core logic of the script in detail, I’ve covered the key functions, to give an accurate idea of how HTTP requests can be handled in the background, as a transparent process.

Certainly, a few functions still need to be reviewed in depth to complete the program and make it fully functional. A working example is also highly desirable, so you can see how a visitor with bad intentions may use this technique to launch attacks by exploiting the fairly weak structure of Web forms.

Wrapping up

In the next part of the series, I’ll cover all of the above-mentioned topics, providing you with all of the makings of a functional JavaScript-based form emulator. Since the logic of the program is based on real hacking techniques, I strongly encourage you to pay close attention to the concepts explained here. It never hurts to learn; you can then take what you learned here and translate it into building more robust and safer web applications.
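
On the defending side, a form handler can refuse POSTs that did not come from a form it rendered and can throttle repeated submissions. The following Node.js sketch is an added example, not code from the article or the series; the function names, the in-memory stores and the limits are all assumptions chosen for illustration.

```javascript
// Added example (not from the article): server-side gate for form POSTs.
// Names, limits and the in-memory Maps are illustrative assumptions.
const crypto = require('crypto');

const TOKEN_TTL_MS = 10 * 60 * 1000; // a rendered form stays valid for 10 minutes
const WINDOW_MS = 60 * 1000;         // throttle window
const MAX_POSTS = 3;                 // POST attempts per client per window

const issued = new Map();  // token -> { sessionId, issuedAt }
const history = new Map(); // clientKey -> timestamps of recent attempts

// Called when the server renders the form; the token goes in a hidden field.
function issueFormToken(sessionId, now = Date.now()) {
  const token = crypto.randomBytes(16).toString('hex');
  issued.set(token, { sessionId, issuedAt: now });
  return token;
}

// Called for every POST before the form data is processed.
function checkSubmission(sessionId, token, clientKey, now = Date.now()) {
  // 1. Throttle first, so a flood never reaches the token store.
  const recent = (history.get(clientKey) || []).filter(t => now - t < WINDOW_MS);
  history.set(clientKey, recent);
  if (recent.length >= MAX_POSTS) return { ok: false, reason: 'rate-limited' };
  recent.push(now); // counts valid and invalid attempts alike

  // 2. The token must have been issued by this server and not used yet.
  const entry = issued.get(token);
  if (!entry) return { ok: false, reason: 'unknown-or-reused-token' };
  issued.delete(token); // single use: a replayed POST fails from here on

  // 3. It must belong to the submitting session and still be fresh.
  if (entry.sessionId !== sessionId) return { ok: false, reason: 'wrong-session' };
  if (now - entry.issuedAt > TOKEN_TTL_MS) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'accepted' };
}
```

A script that first fetches the form can still obtain one token per request, which is why the throttle runs before the token check and counts every attempt.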

