  1. #1
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Formatting an HTTP POST message...

    I want to generate an HTTP POST message and send it to a server on the Internet. I want full control over what goes into the message -- and I THINK I know exactly what belongs in it...

    I can presently send a message to a server via their web page, and this message is an HTTP POST message. I can sniff the message and figure out the entire contents (I believe) of that message. However, I want to modify that message slightly and then send it out.
    ____________________

    I don't think I can realistically intercept the packets and modify them as they leave -- I am going to have CheckSum errors, and the messages will be rejected.

    So... is there a way to get the data that belongs in a message and craft my own HTTP Post message and send it to the server??

    Thanks for humoring me.

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Formatting an HTTP POST message...

    Yes, of course. :grin:

    There are some "security tools" that proxy your connection to web servers. You set IE to talk to them, they pause when you submit a page and allow you to edit the fields. Not sure what headers they let you change. I can give you a sample link by private mail (probably best not to just post it up here.)

    It is very important not to try to crash or mess with the destination server unless it is your server; it could be a violation of the Computer Fraud and Abuse Act. You wouldn't want to have a visit from John Ashcroft.

  3. #3
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    Thanks. All I need to do is modify a few bytes. I will give that a try.
    _________

    This is the real issue. My 8 year old son likes to play an on-line role playing game. The game has a glitch when you reach a certain scene -- you get to a spot that you cannot get out of, but you MUST go to this spot to finish the game. The only solution is to "Refresh" the screen. This allows you to move forward -- but then it deletes all your collected objects. This should not happen, but for some reason it does...

    The glitch does not hit everyone who plays the game, but if it hits you, then you get it every time. The "fix" from the company is not supposed to be here for another month... Since it does not affect everyone, they don't see it as a big deal. However, it is a big deal to my son!!

    The collected items are stored on the game's server -- not in a cookie. Furthermore, the items are updated by the game sending an HTTP POST message to the server. If I could grab the HTTP POST message -- and modify it before sending -- I could re-collect my son's items and he could again enjoy the game. That would make MY life easier! (He expects his dad to be able to fix all computer problems!)

  4. #4
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    Jefferson - I found a competing tool that I like better -- I think. It is called Odysseus -- and it is located fairly easily if the right key words are entered into Google. It gives a nice breakdown of the POST variables in a tabular format.

    However, I am having one problem. The use of a Proxy -- even if not in the Intercept mode -- seems to make the server believe that I am not logged in. So, the Post messages are ignored -- even though they are unchanged.

    Hmmmm.... I have an idea. I will try to log on with the Proxy 'running' -- and see if I get the same problem. Normally I have been turning the Proxy on just before I wanted to Intercept.

  5. #5
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    It seems like what you're trying to do is exactly what I build my web applications to prevent - security breaches. As you may know, in any web application the server shares a session ID variable with each client. Your software app has no way of obtaining that session ID. In the case of the app you're trying to hack, the server/application is apparently designed to prevent this type of forgery.

    Despite your declaration of noble intentions, this type of hacking is exactly what less honest people might use to try to steal things like credit card numbers, passwords, and the like. For the sake of all web application developers out there, I sincerely hope it's not so easy to break into a "secured" web application...

  6. #6
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    I understand your concerns, but I generally wear the white-hat! (As you should know from my other posts). These free tools are out there for hackers to use -- and as such, you should use them to figure out where your security breaches lie. I feel this is useful information for web page authors to understand.

    I chose this forum because I don't think script kiddies are likely to come in here and learn anything new. If you think this is inappropriate I can certainly take this elsewhere. I appreciate and respect your opinion.

    "...in any web application the server shares a session ID variable with each client" -- quite possibly, but how am I interrupting that if I am simply modifying a form name-value pair? The session is not being interrupted -- it is a stateless connection at the time of the transmission. My computer is not even 'listening' on any port. It just sends out an update message when it is supposed to.

    There seem to be two issues:
    1) When using the Proxy, the web site believes I am not logged in. However, my correct cookie is being sent before the form fields. Somehow the Proxy is doing something that allows the host site to figure this out. Out of interest, the Lounge does NOT do this. I can use the Proxy and connect to the lounge. It immediately knows who I am and I communicate to it perfectly well through the proxy. Does the lounge not use a "session ID variable"?

    2) I think there may be a checksum value used when the Post data is submitted. If this is the case, then even IF the Proxy was working, I may still have an issue when I try to modify the data. However, this should not be related to the first issue.

    Thanks for any input.

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    You have a good point - it IS a good idea to understand the potential security risks to web applications. I also agree that very few, if any, "script kiddies" will stumble onto this thread and glean anything destructive from it.

    I should have been more clear in my last post. The SessionID is a semi-unique identifier assigned to each web session by the server (speaking strictly from a Microsoft environment). This variable, along with others, can be used as server-side variables that are often never sent to the browser via form variables. This would hopefully make it impossible to totally hack a well-written web application.

    As far as I can tell from the Lounge (and some other apps), in order to reduce the server-load many things are different. First of all, there are fewer, if any, server variables. Most or all application variables are either sent via querystring or client-side form variables. There's still a SessionID, but apparently it's not used for any secure purposes here.

    I'm not too familiar with the down-and-dirty aspects, like the checksum values.

    I hope you're able to accomplish your goal here and learn some in the process. Thanks for sharing your experiences with this process! :cheers:

  8. #8
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Formatting an HTTP POST message...

    > Your software app has no way of obtaining that session ID.

    I think this is not true, that it is just one of many variables that gets sent in clear text to the server in a POST. Most proxies don't do very well with SSL connections, of course, but regular hidden fields or cookies are all there for the viewing.

  9. #9
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Indianapolis, Indiana, USA
    Posts
    1,862
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    Thanks for clearing the SessionID issue. I believe I was thinking more about Session variables rather than the SessionID. I sure hope there's no way for users to read Session variables!

  10. #10
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Formatting an HTTP POST message...

    Just for a quick follow-up. I found out that I cannot modify their database -- and I learned a lot in the process. They were using a "signature" field in the HTTP Post request. The value of this field was a calculated Hash that included a "salt" value. From what I can tell, this is a fairly secure method of preventing people from doing what I was trying to accomplish!

    Thanks for all the input.
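
For web authors following the thread: a server-side check of a signed POST body, as an added example that is not from any poster or from the game discussed. It assumes HMAC-SHA256 with a secret kept only on the server (the thread does not say which hash the site used), and the field names and values are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption: this secret never leaves the server (the "salt" in the post).
SERVER_SECRET = b"constructed-demo-secret"
SIG_FIELD = "signature"  # hypothetical field name


def canonical(fields):
    """Serialize fields in a fixed order so signer and verifier hash the same bytes."""
    items = sorted((k, v) for k, v in fields.items() if k != SIG_FIELD)
    return urlencode(items).encode("utf-8")


def sign(fields, secret=SERVER_SECRET):
    """Hex HMAC-SHA256 tag over the canonical field string."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def build_signed_body(fields, secret=SERVER_SECRET):
    """What the server issues: the fields plus a tag the client must return unchanged."""
    signed = dict(fields)
    signed[SIG_FIELD] = sign(fields, secret)
    return urlencode(signed)


def verify_post_body(body, secret=SERVER_SECRET):
    """Parse a form-encoded body and check its signature; returns (ok, fields)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = [k for k, _ in pairs]
    if len(names) != len(set(names)):
        return False, {}  # duplicated parameter is ambiguous, so fail closed
    fields = dict(pairs)
    supplied = fields.get(SIG_FIELD, "")
    expected = sign(fields, secret)
    # compare_digest avoids leaking how many leading characters matched
    ok = hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))
    return ok, (fields if ok else {})


# Constructed sample bodies: one as issued, one with a field edited in transit.
ORIGINAL = build_signed_body({"player": "1001", "item": "lantern", "qty": "1"})
TAMPERED = ORIGINAL.replace("qty=1", "qty=99")

if __name__ == "__main__":
    print("original accepted:", verify_post_body(ORIGINAL)[0])
    print("tampered accepted:", verify_post_body(TAMPERED)[0])
```

The tag only protects the fields if the secret stays on the server; a secret shipped inside client code can be read by whoever runs the client.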
