I want to make a script to send my username and password to hotmail so I can be logged in without going through the login page. I don't want to use the "sign me in automatically" option for various reasons. I took a look at the source code to figure try to understand how Hotmail sends the credentials to the server for validation, but I cannot make heads from tails from the source code. Any help is appreciated.
I read a post here asking something very similar, but for different purpose--though the answer given is not what I'm looking for.
Using firefox I just create a bookmark called hm
in the "location" box paste in the code below,
when I load the hotmail page I just click on the bookmark.
javascript:%20document.getElementsByName('login').item(0).value='yourname#hotmail.co.uk';%20document.getElementsByName('passwd').item(0).value='yourpass';%20document.getElementsByName('SI').item(0).click();%20void(0);
Solution to automate this through a browser
Suggested by User574632. This is not the only solution, but it is an easier one.
I've come up with two solutions; one for use with Internet Explorer and the other for use with Firefox. Both solutions work with the browser to automate this task.
Solution 1--Internet Explorer and AutoIt
As it just so happens, AutoIt is very good at automating IE's functions. After reading a similar question on the AutoIt help forum here, I found most of what I needed. I just added support for command line parameters and voila. Here is the code written in AutoIt:
#include <IE.au3>
Opt("WinTitleMatchMode", 2)
$oIE = _IECreate ("http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227208038&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1521319951&id=64855")
_IELoadWait ($oIE)
$o_form = _IEFormGetObjByName ($oIE, "f1")
$o_login = _IEFormElementGetObjByName ($o_form, "login")
$o_password = _IEFormElementGetObjByName ($o_form, "passwd")
$o_signin = _IEFormElementGetObjByName ($o_form, "SI")
$username = $CmdLine[1] ; "YOUR_HOTMAIL_ADDRESS#hotmail.com"
$password = $CmdLine[2] ;"YOUR_PASSWORD"
_IEFormElementCheckBoxSelect ( $o_form, "remMe", "", 0)
_IEFormElementSetValue ($o_login, $username)
_IEFormElementSetValue ($o_password, $password)
_IEAction ($o_signin, "click")
WinSetState ( "Internet", "", #SW_MAXIMIZE )
Note that this was not written by me, I only modified it to accept command line parameters.
After compiling, usage is: Executable.exe "EmailAddress#hotmail.com" "Password"
Solution 2--Firefox and iMacros
Install iMacros here: https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/
Open iMacros and create a marco
Insert the following script, replacing the email address and password with your own:
VERSION BUILD=8601111 RECORDER=FX
TAB T=1
URL GOTO=https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=12&ct=1391468097&rver=6.4.6456.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1&bk=1391468099&uaid=9d4d29da2c304ed581e61d3fc51be1eb
TAG POS=1 TYPE=DIV ATTR=ID:idDiv_PWD_UsernameExample
TAG POS=1 TYPE=INPUT:EMAIL FORM=NAME:f1 ATTR=ID:i0116 CONTENT=EMAILADDRESS#hotmail.com
SET !ENCRYPTION NO
TAG POS=1 TYPE=INPUT:PASSWORD FORM=NAME:f1 ATTR=ID:i0118 CONTENT=PASSWORD
TAG POS=1 TYPE=INPUT:SUBMIT FORM=NAME:f1 ATTR=ID:idSIButton9
Then name the macro as "HotmailLogin.iim"
All you need to do to use it is create a shortcut with command line parameters like this:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" imacros://run/?m=HotmailLogon.iim
This is not possible without actually having your browser visit the hotmail.com login page, for various reasons:
You can not use PHP to do this, since PHP is fully serverside and logging in a server has absolutely no effect on you (the client). It would log itself in, not you.
You can also not use javascript to set any type of cookie / session for hotmail.com from a different domain (that is not hotmail.com) due to security preventions which make sure you can't set a cookie for domain A from a page on domain B.
Making a POST request from a different domain is also not allowed by the HTTP protocol, so no here as well. Your browser will block any POST request from a page at A.com trying to post to server B.com
Hotmail forces you to first go to their login page to get a special cookie with a session-ID. Only if this special session-ID is sent back with the POST request will hotmail allow the request to go through. So you still have to get the sessionID first.
So in short: no.
Related
I want to prepare a Chrome Extension for my password manager program. The password manager program keeps the usernames and passwords encrypted locally and is therefore not on any server. Instead of copying and pasting every time, I send the usernames and passwords to the Google address line as follows:
https://stackoverflow.com/users/login?user_name=USERNAME&password=PASSWORD
I want the Google Extension to automatically add the username and password in the address line to the corresponding textboxes. Unfortunately, I have no idea for this. I downloaded and reviewed Google Extensions like Daslane, but they are all very complicated and I could not understand. Your ideas and examples, if possible, on how to do this very simply are very valuable for me.
First you need to find simple chrome extension sample code.
This is the simple source from chrome developer page.
After that, you have to detect the control name using chrome developer tool and use this script to auto fill and click login button.
function AutoFill() {
var html = window.location.href + "\n\n";
if (html.includes("example.com") == true)
{
document.getElementById("username").value = "username"
document.getElementById("password").value = "password"
document.getElementsByName("login")[0].click();
}
return html;
}
chrome.extension.sendRequest(AutoFill());
To fill the form on the document you need access to the document. You can use for this content scripts - https://developer.chrome.com/extensions/content_scripts
I'm not sure why you would like to pass credentials via URL. I think it is a bad practice and it can break website behavior. It is better to get credentials from background script - https://developer.chrome.com/extensions/background_pages
Communication between content script and background page can be implemented via chrome.runtime.onMessage event.
If you really need to get parameters from URL, you can do this in the content script by using URLSerachParams - https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams
Example:
var url = new URL(location.href);
console.log(url.searchParams.get('user_name'));
I've researched this up the wazoo but to no avail. I have a page internally that requires TLS 1.1 or 1.2. If they're not on, you get an error:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try
connecting to https://SITEADDRESS again. If this error
persists, it is possible that this site uses an unsupported protocol
or cipher suite such as RC4 (link for the details), which is not
considered secure. Please contact your site administrator.
Obviously the fix is to turn on those cipher suites in IE. However what I would like to put into the page is a check, to preload something from the site, make sure it's visible/readable/loadable/whatever, then allow the user to move forward, OR, if whatever it is I'm checking cannot be rendered/read/etc, direct them elsewhere.
So what I've tried was doing a PHP file_get_contents of the SAME address
<?php
$contents = file_get_contents('https://SITEADDRESS');
echo "<pre>";
var_dump($contents);
echo "</pre>";
?>
However, it ends up being able to pull the page code and dump it out?!?!!? Which means it CAN access the page, yet, I know it can't because I get a TLS error when trying to load it normally.
The question is, how can I precheck a URL with TLS as a consideration before forwarding the user on to a page that might not render?
It appears you're mixing server-side and client-side.
I assume PHP is running server-side, and it definitely will not be affected by IE's (which I'm assuming is running client-side) choice of ciphers.
If that doesn't make sense, let me know and I'll give further utterance...
If I'm understanding correctly, you want your own logic running on the client (IE) to detect if the client (IE) can reach the URL.
You could try firing an asynchronous request via Javascript (e.g. https://api.jquery.com/jquery.get/ )
YMMV, I'm not sure if IE will pass the TLS error into your Javascript code or not. Assuming it does, you should be able to at least handle any error events (arising from the Javascript HTTP request) and assume the client should not try to proceed.
Loading this file in the head...
<script type="text/javascript" src="https://SITEADDRESS/api/start_session.js"></script>
Then checking for the existence of variable BG, where BG is a var from the loaded file. IF BG is undefined (doesn't exist) then something blocked access to the external domain and as such show/hide the DIV's appropriately so the user is never sent to the wrong site!
window.onload = function() {
if (typeof BG !== 'undefined') {
document.getElementById('test1').style.display = 'block';
document.getElementById('test2').style.display = 'none';
} else {
document.getElementById('test1').style.display = 'none';
document.getElementById('test2').style.display = 'block';
}
};
I have an old html page that creates a script file and executes it using:
fsoObject = new ActiveXObject("Scripting.FileSystemObject")
wshObject = new ActiveXObject("WScript.Shell")
I am trying to modify it and make it usable also from other browsers. If you know the answer stop reading and please answer. If there is no quick answer, here is the description of my attempts. I was successful in doing the job, but only when the script is shorter than 2000 characters. I need help for scripts longer than 2000 characters.
The webpage is for internal use only, so it is easy for me to create a custom URL protocol on each computer that runs a VBScript file from a network drive.
I created my custom URL Protocol that starts a VBScript file like this:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\MyUrlProtocol]
"URL Protocol"=""
#="Url:MyUrlProtocol"
"UseOriginalUrlEncoding"=dword:00000001
[HKEY_CLASSES_ROOT\MyUrlProtocol\DefaultIcon]
#="C:\\Windows\\System32\\WScript.exe"
[HKEY_CLASSES_ROOT\MyUrlProtocol\shell]
[HKEY_CLASSES_ROOT\MyUrlProtocol\shell\open]
[HKEY_CLASSES_ROOT\MyUrlProtocol\shell\open\command]
#="C:\\Windows\\System32\\WScript.exe \"X:\\MyUrlProtocol.vbs\" \"%1\""
In MyUrlProtocol.vbs I have this:
MsgBox "The length of the link is " & Len(WScript.Arguments(0)) & " characters"
MsgBox "The content of the link is: " & WScript.Arguments(0)
When I click on click me I see two messages, so everything works well (tested with Chrome and IE in Windows 7.)
It works also when I execute document.getElementById("test").click()
I thought this could be the solution: I would pass the text of the script to the VBS static script, which would create the dynamic script and run it, but with this system I can't pass more than ~2000 characters.
So I tried to split the text of the script in chunks smaller than 2000 characters and simulate several clicks on the link, but only the first one works.
So I tried with xmlhttp.open("GET","MyUrlProtocol:test",false);, but Chrome says Cross origin requests are only supported for HTTP.
Is it possible to pass more than 2000 characters to a VBScript script via a custom URL protocol?
If not, is it possible to call several custom URL protocols in sequence?
If not, is there another way to create a script file and run it from Javascript?
EDIT 1
I found a solution, but in Chrome only works when it likes, so I'm back to square one.
The code below in IE executes the script 4 times (correct), but in Chrome only the first execution runs.
If I change it to delay += 2000, then Chrome usually runs the script 2 times, but sometimes 1 and sometimes 3 or even 4 times.
If I change it to delay += 10000, then it usually runs the script 4 times, but sometimes misses one.
The function is always executed 4 times, both in Chrome and IE. What is weird is that the sr.click() sometimes does nothing and the function execution continues.
<HTML>
<HEAD>
<script>
var delay;
function runScript(text) {
setTimeout(function(){runScript2(text)}, delay);
delay += 100;
}
function runScript2(text) {
var sr = document.getElementById('scriptRunner');
sr.href='intelliclad:'+text;
sr.click();
}
function test(){
delay = 0;
runScript("uno");
runScript("due");
runScript("tre");
runScript("quattro");
}
</script>
</HEAD>
<BODY>
<input type="button" value="Run test" onclick="test()">
scriptRunner
</BODY>
</HMTL>
EDIT 2
I tried with Luke's suggestion of setting the next timeout from inside the call back but nothing changed (IE works always, Chrome whenever it likes).
Here is the new code:
var scripts;
var delay = 2000;
function runScript() {
var sr = document.getElementById('scriptRunner');
sr.href = 'intelliclad:' + scripts.shift();
sr.click();
if(scripts.length)
setTimeout(function() {runScript()}, delay);
}
function test(){
scripts = ["uno", "due", "tre", "quattro"];
runScript();
}
Some background: The page asks for the shape of a panel, which can be just a few parameters [nfaces=1, shape1='square', width1=100] or hundreds of parameters for panels with many faces, many slots, many fasteners, etc. After asking for all the parameters a script for our internal 3D CAD (which can be larger than 20KB) is generated and the CAD is started and asked to execute the script.
I would like to do all on the client side, because the page is served by a Domino web server, which can't even dream of managing such a complex script.
I didn't read your whole post...have an answer:
I too wish that custom url protocols can handle long urls. They simply do not. IE is even worse as some OSs only accept 800 chars.
So, here's the solution:
For long urls, only pass a single use token. The vbscript uses the token
and does a url get to your web server to get all of the data.
This is the only way I've been able to successfully pass lots of data around. If you ever find a clearer solution, please remember to post it here.
Update:
Note that this is the best way I have found to deal with the url protocol limitations. I too wish this was not necessary. This does work and works well.
You mentioned Dominos, so possibly you need something in a POS environment... I create a web based POS system, so we could face a lot of the same issues.
Suppose you want a custom url to print a pdf to the default printer without the annoying popup window. We need to do this thousands of times a day...
When building the web page, add the print button which when pressed calls the custom url: myproto://printpdf?id=12345&tocken=onetimetoken
this will execute your vbscript on the local desktop
in your vbscript, parse the arguments and react. In this case, your command is printpdf and the id is 123456 and you have a onetime tocken key.
have the vb script to an https get to: https://mydomain.com/APIs/printpdf.whatever?id=12345&key=onetimetoken
check the credentials based on the ip address and token, if all aligns, then return the contents of the pdf (you may want to convert the pdf to a byte array string)
now the vbscript has the pdf, assemble it and write it to a temp folder then execute a silent pdf print command (I use Sumatra PDF http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html)
mission accomplished.
Since I do know what you what to do in your custom url and the general workflow, I can only describe how I've solved the sort url issue.
Using this technique, the possibilities are limitless. You have full control over the local computer running the web browser, you have a onetime use token which grants access to a web API with can return any sort of information you program.
You could write a custom url protocol to turn on the pizza oven if you wanted :)
If you are not able to create the server side code which is listening for vbscript's get request then this would not work.
You might be able to pass the data from the browser to the vbscript using the clipboard.
Update 2:
Since in this case the data is on the client (one single form can define hundreds of parameters), the server API doesn't know what to answer to the vb script request. So the workflow described above must be preceded by these two steps:
The onkeypress event executes a submit to send the current parameters to the server
The server replies with the refreshed form, adding to the body onload a call to a function which uses another submit to call the custom url, as described on point 1 listed above.
Update 3:
stenci, what you've added (in Update 2) will work. I would do it like this:
user presses a button saying I'm done editing the form
ajax post the form to the server
the server saves the data and attaches unique key to the datastore
the server returns the key to ajax callback function
now the client has a single use key and invokes the url schema passing the key
vbscript does an https get to the server and passes the key
server returns the data to the vbscript
It is a bit long winded. Once coded it will work like a charm.
The only other alternative I can see is to copy the form data to the clipboard using something like: http://zeroclipboard.org/
and then in vbscript see if you can read the clipboard like: Use clipboard from VBScript
How about creating an iFrame for each instance?
Something like this:
function runScript(text) {
var iframe = document.createElement('iframe');
iframe.src = 'intelliclad:'+text;
document.body.appendChild(iframe);
}
function test(){
runScript("uno");
runScript("due");
runScript("tre");
runScript("quattro");
}
You can then use css styling to make these iframes transparent / hidden.
You might not like this answer, but I've used this method in the past and it works.
Instead of relying on ActiveX, consider using a Java Applet, and JNI.
Basically, you have to make sure the native scripts you want to run are available on your client machine, along with a JNI wrapper.
The applet will have to be at least self signed, for the browser to allow it to load and access a native library. Once the JNI libraries are loaded, you can easily call methods from the page / applet.
As a consequence of using Java, you could possibly use the same applet for windows as well as linux clients, provided of course you have native libraries present on the respective clients.
This series of articles talks about precisely your problem : http://www.javaworld.com/article/2076775/java-security/escape-the-sandbox--access-native-methods-from-an-applet.html
P.S the article is really old, but the concept remains unchanged.
I found an nice script while searching and inspecting the elements of some websites.
This is what I have found:
<script type="text/javascript">
//redirect browser to fullscreen preview
if (/^http:\/\/codecanyon\.net/.test(document.referrer))
window.top.location.href = 'http://www.gravitysign.com/backslider/';
</script>
So if I understood from this script it tells jquery if the website is opened over codecanyon redirect them to specifed website for preview.
Now... I was wondering if there is possibility to make something like this.
If we specify an website for example http://google.com and we input that into javascript... And then if that website is uploaded to any other domain, other then google.com ... It will redirect to specified site (google) ?
So to clear things out a little bit let me make an example.
If I made a website for "an-website.com" and then someone take their website and upload it to "another-website.com", it will automatically redirect all visitors from another-website.com to an-website.com.
Hope I was clear enough and hope that this is possible. Cheers!
You can of course redirect any user accessing your site from a domain not matching yours but using javascript. This should work just fine:
if (window.location.hostname !== 'yourdomain.com'){
window.top.location.href = 'http://yourdomain.com';
}
You can also use match, if you host your site on a subdomain, etc.
Keep in mind that any person with write access to the file on the server will be able to remove this "copy protection". Copy protecting client side content is impossible, as you need to serve the content in a way a browser understands, effectively making the content available to anyone.
If you are looking for solution for single domain protection, here you can see my
Redirect Website if its not specified domain in script - Protection using Javascript
I am looking for solution for multiple domain.
Is there a way to check in JavaScript if given a host its SSL certificate is valid? (non blocking)
In my case, I want to display: "you can also use https://.." if via JavaScript I can make a request to https://my_url without being asked to accept an untrusted certificate.
Can this be done asynchronously?
Take a look here: https://support.mozilla.org/pl/questions/923494
<img src="https://the_site/the_image" onerror="redirectToCertPage()">
This solution is tested and working in current versions of FF and Chrome (as of 2022):
<script> var sslCertTrusted = false; </script>
<script src="https://example.com/ssltest.js"></script>
<script>
if (!sslCertTrusted)
{
alert('Sorry, you need to install the certificate first.');
window.location.replace('http://example.com/cert_install_instructions/');
}
else
{
// alert('Redirecting to secure connection')
window.location.replace('https://example.com/');
}
<script>
You of course need to make your web server return this code under the URL https://example.com/ssltest.js:
sslCertTrusted = true;
I'm not exactly sure about the details. But I've seen similar technology used to detect adblocking etc. You may need to piggyback on the window object maybe, if the variable can't be modified by another script, but generally making the above proof of concept work is left as an exercise to the reader.
What I've found up to now - it is possible with Firefox, don't know yet about other browsers:
https://developer.mozilla.org/En/How_to_check_the_security_state_of_an_XMLHTTPRequest_over_SSL
The straight answer is no. Javascript does not provide any means of validating certificates. This is a job left to the browser.
A better approach to this problem is from the server side. If you are controlling the site, than you can render down a variable on the page with information gleaned on the server side.
In .Net something like
var canSecure = <%= MySiteHasSsl ? "true" : "false" %>;
if (canSecure) {
if (confirm("This site supports SSL encryption. Would you like to switch to a secure connection?")) {
location.href = "https://mysite.com";
}
}
I'm not quite sure what your use case is. If you are just trying to "check ahead of time" before you provide a link to someone for another website then the other answers here will be more relevant than mine.
If you are expecting mysite.com to use an SSL certificate that isn't trusted by default in the browser but you have another way of knowing it should be trusted, then you could use a JavaScript TLS implementation to make cross-domain requests to that other site. However, this requires that your website be served on https and trusted in the browser to begin with and the other site to provide a Flash cross-domain policy file.
If this sounds anything like what you want to do, check out the open source Forge project at github:
http://github.com/digitalbazaar/forge/blob/master/README.md
Useful notice: navigator.clipboard will be undefined on Chrome browsers if there's no valid SSL certificate.
The question doesn't make sense. You can't get the server's SSL certificate without opening an SSL connection to it, and once you've done that, telling the user they can do that too is a bit pointless.
You could run a server elsewhere that handles certificate checks based on whatever you want, then your javascript application sends a request to that server asking for a checkup. This does require that you have at least one server somewhere in the world that you can trust.
A query of this nature can be done in the background quite easily.