I have the next task - I have a page where we have some interaction logic:
After a user clicks a button, my script redirects the user to another site where it must be populate 2 textfields then click button, after redirect to new page it must click on another button.
My project is based on ASP.NET MVC4.
My questions are:
May I do all of this?
If yes, how can I redirect to another page and run my script
P.S.: Second web site isn't my site and everything I know is id of buttons where I need to click.
Elaborating on my comment
You cannot do this in a normal browser. You could write a bookmarklet or two that would navigate and click but there is no script you can write in a web page that will do what you want for security reasons. A long time ago, it was possible in IE to load a banking site into an iFrame and script and monitor user interaction to steal credentials. This has been blocked.
If you save an HTML page with the extension HTA, it can be loaded from harddisk in windows and will have relaxed security so you could load the other site into an iFrame and script the interaction. This is likely not what you want.
The last method is to use for example CURL to get the foreign page, insert stuff and submit the form to the foreign site and return the result. This is not recommended either.
So the question to you is: Why do you need this and are there other ways to do what you want
1) location.href = "http://another.page.com"
2) impossible for security purposes
Related
There is one thing I don't understand about the UI Redressing attack. Basically what I understand is:
1- The user clicks on a external URL
2- The attackers webpage opens. Inside this webpage, the original webpage is loaded as an iframe in a transparent manner.
3- As the user interacts with the attackers webpage he will actually be interacting with the transparent iframe.
Here is where I am confused. Why does the user even need to interact with the loaded webpage? Once the inner iframe is loaded you can have a javascript code to automate clicks on the page. Since this is all happening on the victims browser the target site will receive the victims session cookie and assume everythings fine.
Am I missing something here? Thanks in advance
Note: Please note this is a UI Redressing attack also known as click-jacking. This is different than phishing attacks.
The user wants to interact with the loaded webpage, because the user is not aware they are visiting a fake (inauthentic) page. I'm not 100% certain about the javascript, but I'm pretty sure the attacker wants to log the user's activity (e.g, keystrokes for a password).
My requirement is to write one script when I run the script it opens the page and fill the fields and automatically take me to next page.
For e.g. Script for www.irctc.co.in. When we login to irctc it ask the user name and password and when click on submit it redirect to next page.
I want to write a script in such a way that I just click on the script it internally does all these things and I could see the next page.
I am unable form where I should start.
I think you are looking for something like Greasemonkey: https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
Greasemonkey is a Mozilla Firefox extension that allows users to install scripts that make on-the-fly changes to web page content after or before the page is loaded in the browser.
If you use a different browser, then you can refer to: http://en.wikipedia.org/wiki/Greasemonkey#Equivalents_for_other_browsers
Check Watir - Web Application Testing in Ruby. Although it is used for automation, it might solve the purpose here. With Watir, you write scripts in ruby and execute it and then see the magic. More information can be found here
I'm writing an app which should load a website. After the website is loaded, I have to fire up a 2nd command to the web page, which is kind of Javascript scriptlet.
I did this manually in my browser and in generally it seems to work fine. They way I did it manually was I created two shortcuts in my browser:
the URL to this website (e.g. http://www.example.net/123456-e.aspx)
the shortcut to a Scriptlet which calls a function on this website (e.g. javascript:__doPostBack('Video_Info1$Rating_control1$lnk_star5','')).
I first click the URL shortcut and after its loaded, I fire up the 2nd shortcut.
But how can I do this in a C# application?
But, what I'm trying to do is quite the opposite I think.
I'd like to SEND a _postBack to an existing site.
I'm not writing my own site which contains a postBack control!
Let me explain a little in detail...
the site I'm loading in my app is an existing ASPX site in the web.
In this site, you'll find several _doPostback entries and in a browser, the postBack event (when I hit it manually within a bookmark/shortcut) will be send back and has its desired result (in this case, its assigning "5 stars" to tell everybody, that something is supergood ;-).
So, what I'd like to do is to write my C# App which will send this _postBack command every time I hit the OK button or some other events.
Just as it is with my link above
"javascript:__doPostBack('Video_Info1$Rating_control1$lnk_star5','')"
This is the bookmark I have on my browsers bookmark panel - a shortcut!
.... Just to be honest, its a kind of cheat, which will do an automatic voting on an external site...
My prob is now,... how can I send this _postBack straight to the site, to increase my stars?
I am not sure what exactly you are trying to achieve, The code which you are seeing (_doPastBack(..)) is actually going to invoke a server method (code in your codebehind of that page).
You can create a webpage and have an iframe and load your first page in that.The user will be able to click on any of the button and invoke the corresponding server code if there is one attached.
<html>
<body>
<iframe src="http://www.example.net/123456-e.aspx"></iframe>
</body>
I have a task that i do not know where to start, i hope Stack Overflowers can give me some ideas.
I want to read the html source code of the previously opened and still opening tab in my web page.
My approach was to grab the url of the targeted page, send that url to server and do something, then use it in my web page. But i am facing the "same domain policy" on the server side, i know that JSONP can be used, but i must use POST in this case (other reasons). So i think if the tab (page) has been opened and is still open, there must be some ways that i can read the HTML when my web page is opened.
The flow will be if there is Page1 opening, user opens mywebpage.html on the same Window, mywebpage.html finds there is Page1 opening, then grab the HTML source page and use it.
Thanks!
Edit:
This is the full story.
What I am planning to do is a FireFox plugin. And there is a Button (myPluginButton) on the tool bar.
If user click myPluginButton, the HTML code of the current page will be sent to the server, then server parse the HTML code and generate a report, a new tab then is opened to display this report.
My current approach is to read the HTML of current page using newTabBrowser.contentDocument and send it to server, then do the parsing on server side. But this approach creates extra traffic. The efficient way would be only the url of the current page is sent to the server, and we can read HTML and parse it on the server side. However, the same domain policy does not allow me to do this easily.
So, my question is if it is possible to do when user click myPluginButton to open a new tab, this new tab loop all the opening tabs on the browser and reads the HTML contents of them then generate the report, since these tabs are still opening and the HTML contents must be saved on somewhere ( or i am wrong).
Thanks.
The browsers have a built in protection called same origin policy that prevent a page to read the content of other origin(domain, subdomain, port,...)
If you want to gain access to the current page you can use a bookmarklet.
You ask your users to add it in their bookmarks bar, and each time they want to use it, they don't open a tab but click on the bookmark.
This will load your script in the page, with all access to read the page content.
And oddly enough you can POST from this page to your domain, by posting a FORM to an IFRAME hosted on your domain. But you won't be able to read the response of the POST. You can use a setInterval with a JSONP call to your domain to know if the POST was successful.
I want to help fill forms for my users with default values on other pages.
To do that I would like to show another page (from different domain) in an iframe and insert there default values when needed into fields.
But it is not possible because of cross site scripting protection.
I have checked http://sourceforge.net/projects/poxy/ and it almost works to view page through proxy but unfortunately not always. Is there another way to do that? Ie.
How to connect to fields in the iframe? Is it possible?
AFAIK, You cannot access fields from another page like iframe. If you want to fill form by using JS, you can try to write Bookmarklet for your browser. That's a bookmark which executes javascript on current page.