  • #1 New Coder

    Why doesn't something like this work anymore?

    Code:
    <SCRIPT>
    document.write('<form action="http://www.htmlforums.com/newthread.php?do=newthread&f=20" method="post" name="vbform">');
    document.write('<input type="hidden" class="bginput" name="subject" value="' + Who() + '" size="40" maxlength="85" tabindex="1">');
    document.write('<textarea name="message" id="vB_Editor_001_textarea" rows="10" cols="60" style="width:540px; height:250px" tabindex="1" dir="ltr">' + Who2() + '</textarea>');
    document.write('<input type="hidden" name="wysiwyg" id="vB_Editor_001_mode" value="0" />');
    document.write('<input type="radio" name="iconid" value="0" id="rb_iconid_0" tabindex="1" checked="checked">');
    document.write('<input type="hidden" name="s" value="" />');
    document.write('<input type="hidden" name="f" value="20" />');
    document.write('<input type="hidden" name="do" value="postthread" />');
    document.write('<input type="hidden" name="posthash" value="d1ffe78beac3cc9945f59c6768b88aef" />');
    document.write('<input type="hidden" name="poststarttime" value="1380994163" />');
    document.write('<input type="hidden" name="loggedinuser" value="21369" />');
    document.write('<input type="hidden" name="parseurl" value="1" id="cb_parseurl" tabindex="1" checked="checked">');
    document.write('<input type="hidden" name="emailupdate" value="9999" tabindex="1">');
    document.write('<input type="submit" class="button" name="sbutton" value="Submit New Thread" accesskey="s" tabindex="1">');
    document.write('</form>');
    document.forms[0]["sbutton"].click();
    </SCRIPT>
    Who() and Who2() return a cookie set by the user.

  • #2 sunfighter (Senior Coder)

    I'm wondering if something like that ever worked. Why not just code it in HTML, and if you're getting info from cookies, PHP or another server-side language would generate this with no problem.

  • #3 rnd me (Senior Coder)
    if you delay this line you might get it or something like it, maybe a form.submit() or something like that, to work:

    Code:
    document.forms[0]["sbutton"].click();

  • #4 Regular Coder (Germany)
    What is this script supposed to be for? It looks like some kind of spam.

  • #5 New Coder

    Quote Originally Posted by sunfighter:
    I'm wondering if something like that ever worked. Why not just code it in HTML and if your getting info from cookies PHP or another server side language would generate this with no problem.
    Yes it works.

    Check Postoma Classifieds 1.0 -> http://www.multiupload.nl/Q8E3U4GW2I

    HTML + JAVASCRIPT

  • #6 New Coder

    Quote Originally Posted by rnd me:
    if you delay this line you might get it or something like it, maybe a form.submit() or something like that, to work:

    Code:
    document.forms[0]["sbutton"].click();
    No delay was needed before; now, every time I try to submit using the cookies, the page stays blank.

    (I have updated the browser recently, so that's why I came here for an answer.)

  • #7 New Coder

    If I save this into an HTML file and submit, all works fine!!!

    Code:
    <SCRIPT>
    document.write('<form action="http://www.htmlforums.com/newthread.php?do=newthread&f=20" method="post" name="vbform">');
    document.write('<input type="hidden" class="bginput" name="subject" value="Small store looking for a review" size="40" maxlength="85" tabindex="1">');
    document.write('<textarea name="message" id="vB_Editor_001_textarea" rows="10" cols="60" style="width:540px; height:250px" tabindex="1" dir="ltr">Hello, can anyone review my little store. The site is http://www.mysite.com</textarea>');
    document.write('<input type="hidden" name="wysiwyg" id="vB_Editor_001_mode" value="0" />');
    document.write('<input type="radio" name="iconid" value="0" id="rb_iconid_0" tabindex="1" checked="checked">');
    document.write('<input type="hidden" name="s" value="" />');
    document.write('<input type="hidden" name="f" value="20" />');
    document.write('<input type="hidden" name="do" value="postthread" />');
    document.write('<input type="hidden" name="posthash" value="d1ffe78beac3cc9945f59c6768b88aef" />');
    document.write('<input type="hidden" name="poststarttime" value="1380994163" />');
    document.write('<input type="hidden" name="loggedinuser" value="21369" />');
    document.write('<input type="hidden" name="parseurl" value="1" id="cb_parseurl" tabindex="1" checked="checked">');
    document.write('<input type="hidden" name="emailupdate" value="9999" tabindex="1">');
    document.write('<input type="submit" class="button" name="sbutton" value="Submit New Thread" accesskey="s" tabindex="1">');
    document.write('</form>');
    document.forms[0]["sbutton"].click();
    </SCRIPT>
    If I modify it to use cookies, it doesn't work. It is still working in other programs I have made...

    Code:
    <SCRIPT>
    document.write('<form action="http://www.htmlforums.com/newthread.php?do=newthread&f=20" method="post" name="vbform">');
    document.write('<input type="hidden" class="bginput" name="subject" value="' + Who() + '" size="40" maxlength="85" tabindex="1">');
    document.write('<textarea name="message" id="vB_Editor_001_textarea" rows="10" cols="60" style="width:540px; height:250px" tabindex="1" dir="ltr">' + Who2() + '</textarea>');
    document.write('<input type="hidden" name="wysiwyg" id="vB_Editor_001_mode" value="0" />');
    document.write('<input type="radio" name="iconid" value="0" id="rb_iconid_0" tabindex="1" checked="checked">');
    document.write('<input type="hidden" name="s" value="" />');
    document.write('<input type="hidden" name="f" value="20" />');
    document.write('<input type="hidden" name="do" value="postthread" />');
    document.write('<input type="hidden" name="posthash" value="d1ffe78beac3cc9945f59c6768b88aef" />');
    document.write('<input type="hidden" name="poststarttime" value="1380994163" />');
    document.write('<input type="hidden" name="loggedinuser" value="21369" />');
    document.write('<input type="hidden" name="parseurl" value="1" id="cb_parseurl" tabindex="1" checked="checked">');
    document.write('<input type="hidden" name="emailupdate" value="9999" tabindex="1">');
    document.write('<input type="submit" class="button" name="sbutton" value="Submit New Thread" accesskey="s" tabindex="1">');
    document.write('</form>');
    document.forms[0]["sbutton"].click();
    </SCRIPT>
    If anyone requires additional info, check the attachment post.zip.

  • #8 DaveyErwin (Regular Coder)

    I ran your code (with some tweaking) and was promptly banned for life from htmlforums.

  • #9 Old Pedant (Supreme Master coder!)
    Which makes sense.

    I would guess that, before, htmlforums.com wasn't checking the HTTP_REFERER so people were able to use code like this to spam their forums with tons of new threads filled with crap. I would bet that now they do more extensive validation, including HTTP_REFERER, and **KABLOOEY** they ban people for trying crap like this. Thank goodness. The more sites that tighten up their controls to prevent spamming, the better.

  • #10 rnd me (Senior Coder)

    Quote Originally Posted by DaveyErwin:
    I ran your code (with some tweaking) and was promptly banned for life from htmlforums.
    good, you'll have to stick with coding forums from now on. we should put the OP's code in the "post a javascript" section. with god's good grace we can conquer htmlforums once and for all!

    we laugh, but there are likely vulnerabilities to this site as well. just because an exploit's not being passed around like a doobie at a Dead show doesn't mean that bad folks aren't out there. it's refreshing to see an old fashioned CSRF after seeing so much obfuscated XSS code.

    fellow coders, here's how to stop such an attack on your own site:

    1. use localStorage instead of cookies to preserve user logins.
    2. require a unique id or timestamp to be sent back with every submit. looks like the site has this (posthash), but they weren't validating it.
    3. do all validation on the server (this code should make it very clear why).
    4. referral headers can be spoofed, don't rely on them 100%, but feel free to reject invalid ones.


  • #11 Old Pedant (Supreme Master coder!)
    Agreed. Except...

    Why do you feel local storage is somehow safer than cookies? Surely either one can equally easily be spoofed in a non-browser environment.

    I've personally never had any problems with the encrypted cookies used by ASP and ASP.NET to preserve session state. They include a session id number, yes, but they also encrypt a timestamp and other proprietary info just for the purpose of making them very very hard to spoof. (And they expire in 20 minutes, in any case, and I don't mean that the cookie expires...the server expires them.)

  • #12 rnd me (Senior Coder)

    Quote Originally Posted by Old Pedant:
    Agreed. Except...

    Why do you feel local storage is somehow safer than cookies?
    cookies can be sniffed over the wire, and appear in every on-domain url fetch the browser makes. localStorage never goes out over the wire. this really cuts down on CSRF attacks because you can't dumbly ping a url from your browser and pass along credentials without even knowing them.

    if i send the user a secret number upon registration, and save it to localStorage, i can use it later without showing my cards each visit, and without sending it along with say, an img request made from a hidden image in a forum post.
    to be nice and safe, the server can send a challenge secret along with every request. you can then XOR that secret with the secret from registration, salt/MD5 the result, and ship it back with the form submit. the server can also XOR+MD5 the temp secret to compare with the returned value. since the registration secret never goes over the wire in the day-to-day, and the temp secret is different each time, it's virtually impossible to forge without an XSS attack.

  • #13 Old Pedant (Supreme Master coder!)
    okay, I guess it depends on how sophisticated the browser work-alike is that the hacker is using. If it executes JS code to the point where it sees what the JS is storing in local storage, then it's no different than a cookie, for all practical purposes. But yes, that's an order of magnitude more complex than most hackers bother with.

    Ultimately, I think that the encrypted and time-limited values, whether put in local storage or in cookie, are the safest checks. Even if a hacker manages to grab one, it's only good for a limited time.

  • #14 rnd me (Senior Coder)

    Quote Originally Posted by Old Pedant:
    Ultimately, I think that the encrypted and time-limited values, whether put in local storage or in cookie, are the safest checks. Even if a hacker manages to grab one, it's only good for a limited time.
    yup, don't leave the door unlocked. two-factor or three-factor authentication is growing in popularity because of the shortcomings we've discussed here. having the secret from registration in localStorage provides another factor (besides the known password) and thus makes compromise harder.