I'm sure I'm missing something basic here, but I just can't get my finger behind it..
If I land on a url that is say domain.com?key=123 and there is a form on domain.com that has a field called key. I thought it would fill in that field with the value 123 by itself, since it's been passed. Am I missing something here?...
thank you!
The webmaster may decide to pass the variable inside of the html form, but that may also be not the case. Most often, GET requests are used to send data from a form to a php script but it's more rare to see an html form compiled with a php script.
If you want a form field that pulls in your URL parameters then do something like this:
PHP
<label>Key:</label>
<input type="text" value="<?php echo htmlspecialchars($_GET["key"] ?? "", ENT_QUOTES, "UTF-8"); ?>">
Coldfusion
<label>Key:</label>
<input type="text" value="<cfoutput>#encodeForHTMLAttribute(URL.key)#</cfoutput>">
What language are you using? Normally you start with a question mark...
domain.com/?key=123
If you have other variables you use an ampersand.
domain.com/?key=123&anotherKey=456&lastKey=789
UPDATED: Here is a link to parse the query string using Javascript:
How can I get query string values in JavaScript?
Something else happens on that page - you fill the form, and when posted, server GETs your variable KEY for use for whatever page author saw fit. It is a whole other story, whether you will see this variable on the form when it is reloaded after posting
What you see in the browser address bar is an HTTP URL which is just indicative of the HTTP Request being made. To see the complete HTTP Request - use Chrome - Developer tools. (HTTP Request /Response / Body / Cookie)
Your HTML page is formed by the Server you send the HTTP Request to. This HTML page is sent back to the Browser in the HTTP Response Body. Your browser, which has a layout (HTML) Engine running, "just parses/renders the HTML in the HTTP Response".
The engine would - Parse to check for any HTML inconsistencies, to build DOM tree, to load scripts/images/css
It's purely you and only you who would decide how to use the data. This data can either be used by JavaScript or Server Side code like JSP.
Other users have already suggested to you the way this can be achieved like running some script.
You need to print the value from the GET array into the value attribute of the input element. (ie. if you are using php use <input name="key" value="<?php echo htmlspecialchars($_GET["key"] ?? "", ENT_QUOTES, "UTF-8"); ?>" />)
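An added example (not from the original answers) of pre-filling a field from the query string in PHP: the value is always HTML-encoded for the attribute it lands in, and validated separately before the application uses it. The function name `prefill_key_input`, the 64-byte cap and the letters-and-digits rule for `key` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: pre-fill <input name="key"> from ?key=... and report
// whether the value is acceptable for further use. Names and limits are
// assumptions, not taken from the original answers.
function prefill_key_input(array $query): array
{
    $raw = $query['key'] ?? '';

    // ?key[]=x makes PHP deliver an array; treat anything non-string as absent.
    if (!is_string($raw)) {
        $raw = '';
    }

    // Cap the length of what is echoed back into the page.
    $raw = substr($raw, 0, 64);

    // Allow-list validation decides whether the application may USE the value.
    $valid = preg_match('/\A[A-Za-z0-9]{1,32}\z/', $raw) === 1;

    // Encoding decides how the value is DISPLAYED. It is applied to every
    // value, valid or not, so the user can see and correct what was sent.
    // ENT_SUBSTITUTE replaces byte sequences broken by the substr() cut.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $html = '<label for="key">Key:</label>' . "\n"
          . '<input type="text" id="key" name="key" value="' . $safe . '">';

    return ['valid' => $valid, 'html' => $html];
}

// Constructed sample inputs, shaped the way PHP exposes them in $_GET.
$samples = [
    ['key' => '123'],                    // domain.com/?key=123
    ['key' => '"><b>injected</b>'],      // markup placed in the parameter
    ['key' => ['nested']],               // domain.com/?key[]=nested
    [],                                  // parameter missing
];

foreach ($samples as $query) {
    $result = prefill_key_input($query);
    echo ($result['valid'] ? 'valid' : 'invalid'), "\n", $result['html'], "\n\n";
}
```

In a page this would be called as `prefill_key_input($_GET)`; the second sample comes out as `value="&quot;&gt;&lt;b&gt;injected&lt;/b&gt;"`, so the markup stays inside the attribute as text.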
I'm trying to embed a value into the textbox at the USCIS government website to check my application status number. Suppose it's LIN1234. After inspecting the element of the webpage I see that the HTML wrapper for the textbox is:
<input id="receipt_number" name="appReceiptNum" class="form-control textbox initial-focus" maxlength="13" type="text">
I tried opening up this URL with a suffix added on, but to no avail:
https://egov.uscis.gov/casestatus/landing.do?receipt_num=LIN1234
Is there a way to do this?
Before that, you must understand what adding ?receipt_num=LIN1234 to the url means.
When sending a request (By default and in this context) from your browser, it'll be a GET request (see here) where you send as a get argument your receipt number, setting its key to receipt_num.
What is done to this data on the server side, however, is up to itself.
Just understand that unless the server is made to auto-fill the field with that value in case it receives it, it won't do anything except sending some more data.
I think you want to load this page in your browser with auto-filled field.
In that case you should look into extensions for your browser that would do that automatically.
You probably won't be able to embed a value into the textbox... Just because you are sending values by GET (which is what the landing.do?receipt_num=LIN1234 syntax is doing) doesn't mean that they have something set up to process it, so the GET variable will probably not do anything.
You might be able to see how their URLs work ordinarily, what the page URL that you are aiming to land on looks like, and either decode something from that or set a bookmark there. That said, if they are submitting that data via POST (which they probably are, for security reasons), that probably won't work.
I would suggest looking at reputable form-filling plugins for your web browser, if that's an option. That might allow you to work around that.
I tried to look through SO for similar question but I couldn't find one, also searched through the web with my best effort, sorry if it's a silly/duplicate question
The focus of my question is :
If I have a form with an unencoded password in it, is it "safe" to pass the form back to [self] i.e. <form action="">
EDIT: I would like to focus on security regarding third parties, assuming the user himself is NOT the hacker.
I know this is a broad question, so I would like to narrow it down to:
does the server handle submitting a form to self as an internal-forward thing or does it actually treat it as a normal server-to-server http call?
Is it possible to somehow intercept the form submit and extract the password from this action? (including things like tapping the connection between server and client??)
If anyone knows any potential security problem in general for [submit to self], feel free to leave it as answer so that future SO user might benefit from it, thanks.
The only thing safe regarding submitting data to a webpage is to never trust the users input.
Now regarding your 2 questions:
submitting the form will be handled as a regular request, albeit a POST request probably.
internet traffic can be captured, so if you're sending password data over the internet you'd better make sure it's over HTTPS.
Using a developer tool like Mozilla's FireBug it's pretty easy to change all the data that is submitted through the form. You don't even have to use your webpage, one can easily spoof a POST request to your page by using a tool like Telnet.
So I'd say it doesn't really matter what the action of the form is; use HTTPS if possible and always validate the input...
Whether you submit your form to the same page or not has no security implications. There are many other things you can/should do to secure your forms. Submitting-to-self is irrelevant. It could however pose a UX annoyance. Have you ever tried refreshing a page only to have the browser try to resubmit the form?
Not a redirect. Normal post. However to mitigate this UX annoyance I mentioned, you would redirect to the same page after doing whatever you need to do with the data.
It depends on many other things other than whether the form submits to itself or not. Starting with is your form on a secure (https) server.
I was just searching for this types of posts.
Yeah..
As far as I know, this is not a valid approach,
attacker can change the methods to download the content like he can use the parameters from POST to GET.
We actually have tools like tamper data which is an addon to the firefox browser. We can post the data or tamper the data which is in form submit. You can add this addon to your browser and you can check out that the data can be modified by clicking tamper before submitting the form. You can also check out the online http tampers, tamper data, modifying live headers to change your data. This may also result in sql injection.
Correct me if I'm wrong. :)
Cheers.
After many updates:
The action="" is the same as action="somefile" in the sense of security. So there is nothing wrong with action="", and as far as I know most websites treat forms like that. The most popular solution is to:
At first check with PHP if there is any post data
Check if this data is OK (safety, server side verification)
Make something with data (save to database, mail to someone)
Render the form with action="".
A quick example:
<?php
$name = '';
if (isset($_POST['name']) && is_string($_POST['name'])) {
    $name = $_POST['name'];
    if (ctype_alpha(str_replace(' ', '', $name))) { // verify data
        // in that case name consists only of letters and spaces, it is ok.
        // do something with data here, for example save to database
        header('Location: successfile'); // Remove post data after all
        exit; // stop here so the form is not rendered after the redirect
    }
}
// render form
$name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); // if name was in POST, here it is!
echo '<form action="" method="post">';
echo '<input type="text" id="name" name="name" value="'.$name.'" />';
echo '</form>';
?>
In that case one file is doing two jobs. It checks for data and does something with it, and renders the form.
Please, remember that the form can be rendered using the "partly" data from submit (POST). So for example if someone enters his name with special characters, while you need a name only with letters and spaces, the data is not lost. You can render the form, and in the input name value, you can enter the wrong posted data.
So the form "remembers" what was filled, and what was not filled.
Hope it helps
Suppose that my form looks like this:
<form name="myform" method="post" action="index.html">
<input type="hidden" name="work" id="work1" value="20">
<input type="hidden" name="play" id="play1" value="10">
<input type="submit" name="submit">
</form>
Clicking submit sends form.work and form.play to index.html. There the values of work and play are used in a certain formula.
Now, I need to send out link to this page to several people with
predefined values of work and play. I tried this:
www.mysite.com/index.html?work=20&play=10
Unfortunately this did not work. Any way to accomplish this?
Just for information, I am using a ColdFusion server.
ColdFusion has a scope known as URL and a scope known as FORM, one for each HTTP method post/get respectively. Other languages jumble them together. Pros/cons aside, some CFML frameworks will actually combine them for you and make them available as part of the "request context."
What you need to do in this instance, is check the URL and the FORM scope for your values. Alternatively, you can change your form method to "get" so that you'll always have URL variables instead of form variables. In this way, you'll always use URL.variables instead of Form.variable
<cfparam> sets default values for you so that the variables are there. It's like <cfset>, but only sets whenever the value is missing.
So, in the top of your code:
<!--- this sets the url value to always be blank unless something is passed in --->
<cfparam name="url.work" default="" />
<!--- this sets the form value to the url value by default --->
<cfparam name="form.work" default="#url.work#" />
<!--- you should never actually output user content to the screen, but here it is --->
<cfoutput>#form.work#</cfoutput>
As always, never trust what the user provides, sanitize the data before using it in the database or sending the content back to the browser.
The problem you have is that you're attempting to use ColdFusion on an HTML page. 'index.html' will not be parsed by ColdFusion unless you've specifically altered your web server to direct .html files to be parsed by ColdFusion.
Change your 'index.html' to 'index.cfm'
Access the incoming variables via the URL or FORM scope. If the form was POSTED then use the FORM scope (form.work or form.play). If the form was done via url (?work=20&play=10) then use the URL scope.
Yes, you can pass the query string parameters in general. They simply form part of the requested URL.
Whether or not the server-side framework makes them available is framework dependent. I would expect that most frameworks would expose them, even if the request is a POST request. They are available in ASP.Net. I'm not sure about Cold Fusion.
method="post"
informs the browser to place the form variables as post parameters in the HTTP request. It does not preclude you from also including query string variables.
variables in the urls are called GET variables, there must be some way in ColdFusion to retrieve them.
I have a site where users upload content and they can name what they upload. Some users have included "&" in their name and I get an html validation error. Is there any way to allow the "&" to stay and yet also validate the page? This would be very helpful. If not, what other measures can I take to allow my page to validate? Thanks!
No, there is no way to make the page validate with invalid content.
And, YOU SHOULD NOT DISPLAY THE CONTENT WITHOUT ENCODING IT PROPERLY!
Sorry for shouting, but your site is wide open for cross site scripting attacks. Anyone can put harmful content in a name, and it will be run in other people's browsers.
How you do this depends on what platform you are using. For example in ASP.NET webforms you would use the Server.HtmlEncode method to HTML encode the string. In ASP.NET MVC you would use the same, or simply the <%: %> server tag that does that automatically.
In php you will want to use the htmlentities method:
<?= htmlentities($username, ENT_QUOTES) ?>
Which will output me&amp;myself (the correct way to display the value on the html page) if the user had entered me&myself
ALWAYS ALWAYS ALWAYS sanitize user inputs. Never trust any data that a client's browser has sent you. If someone entered something in a form field, NEVER stick it directly in a database query (sanitize it with something like mysql_real_escape_string($user_input)). Never print text to the browser directly if it was originally submitted by a client, always escape it (with htmlentities).
The reason you do this is because malicious users could execute cross-site scripting attacks on your site by submitting data that fires some javascript, and phishes or steals data from your other customers. If I set my name to <script type='javascript' src='http://mysite.com/bad-js.js' /> then anyone that loaded that page would have that unknown and potentially malicious javascript execute on their browser with access to their cookies and their session.
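The two rules from the answers above, worked through for the upload-name case as an added example (not code from the original posts): the name is stored exactly as typed through a bound query parameter, and encoded only when it is written into HTML. The table and function names are assumptions, `htmlspecialchars` is used in place of `htmlentities`, and the in-memory SQLite database requires the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Added example: store raw, bind parameters, encode on output.
// Table name, function names and sample data are assumptions.
function save_upload_name(PDO $db, string $name): void
{
    // Bound parameter: the value never becomes part of the SQL text,
    // so quotes in a name cannot change the statement.
    $stmt = $db->prepare('INSERT INTO uploads (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function render_upload_list(PDO $db): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT name FROM uploads ORDER BY id') as $row) {
        // Encode at output time, for the HTML context the value lands in.
        // "&" becomes "&amp;", which is also what makes the page validate.
        $html .= '  <li>'
               . htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
               . "</li>\n";
    }
    return $html . "</ul>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample names: the "&" case from the question, a name with a
// quote that would break a concatenated query, and a name containing markup.
$names = [
    'me&myself',
    "O'Brien & Sons",
    'holiday <b>photos</b> "final"',
];
foreach ($names as $name) {
    save_upload_name($db, $name);
}

echo render_upload_list($db);
```

The database keeps `me&myself` unchanged; only the rendered list contains `me&amp;myself`, so the same stored value can later be encoded differently for JSON, a URL or an e-mail.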
In HTML, you can send data from one page to another using a GET request in a couple of ways:
http://www.example.com/somepage.php?data=1
...or...
<form action="somepage.php" method="get">
<input type="hidden" name="data" value="1" />
<input type="submit" value="Submit">
</form>
With a POST request though, I've only seen data being sent through form elements like this:
<form action="somepage.php" method="post">
<input type="hidden" name="data" value="1" />
<input type="submit" value="Submit">
</form>
If I only have one parameter I want to send to another page using POST, is there an easier way than wrapping it in a form?
There are only two ways to POST from a browser - a form, or an Ajax request.
Using HTML only, a form is the only way to generate a POST request. You can use server side scripting / Javascript to generate POST requests in other ways, but no other ways to do with plain HTML only.
As you've already discovered, there are exactly two ways to transmit data over the http protocol: GET or POST. There is also a third type of HTTP message called HEAD, but that's really only used to get the meta data around a resource without downloading it and isn't widely implemented.
Obviously both GET and POST are easily accessible through the use of a <form> tag. The GET is also easily accessible by manually adding query parameters to the URL in the form of name-value pairs (foo.html?a=1&b=2).
The beauty and complexity of the POST, however, is that the name-value pairs are communicated from the browser to the web server enclosed within the HTTP request header which is not as easily accessible. The only way to accomplish the POST without using a <form> tag is to manually alter the HTTP request header and add the name-value pairs in yourself.
Also keep in mind that an HTTP server doesn't intrinsically know whether a request (GET or POST) came from a main browser window or an AJAX call. Regardless, the web server will read the request, will decipher if it's a GET or POST request, look for name-value pairs as appropriate, and generate a response.
If you'd like additional detail on how to properly format a POST request you can go to jmarshall.com/easy/http/ or perhaps tcpipguide.com/free/t_HTTPRequestMessageFormat.htm. The definitive resource is always the W3C, but sometimes the RFCs can be terribly confusing for us mere mortals to read.
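The GET and POST requests discussed in this thread, written out as raw HTTP messages (an added example, not part of the original answers; the function names, host and sample fields are assumptions). Nothing in either message records whether a form, a script or a hand-typed client produced it, so the receiving script has to validate every field itself.

```php
<?php
declare(strict_types=1);

// Added example: the bytes on the wire for the same name-value pairs sent
// with POST and with GET. Function names, host and path are assumptions.
function assert_no_ctl(string $value): string
{
    // Refuse whitespace and control characters so a value cannot add lines
    // to the request that is being assembled.
    if (preg_match('/[\x00-\x20\x7f]/', $value) === 1) {
        throw new InvalidArgumentException('illegal character in host or path');
    }
    return $value;
}

function build_form_post(string $host, string $path, array $fields): string
{
    // application/x-www-form-urlencoded: name=value pairs joined by "&".
    $body = http_build_query($fields, '', '&', PHP_QUERY_RFC1738);
    $lines = [
        'POST ' . assert_no_ctl($path) . ' HTTP/1.1',
        'Host: ' . assert_no_ctl($host),
        'Content-Type: application/x-www-form-urlencoded',
        'Content-Length: ' . strlen($body),
        'Connection: close',
    ];
    // Header lines end with CRLF; one empty line separates them from the body.
    return implode("\r\n", $lines) . "\r\n\r\n" . $body;
}

function build_form_get(string $host, string $path, array $fields): string
{
    // With GET the same pairs travel in the request line, after the "?".
    $query = http_build_query($fields, '', '&', PHP_QUERY_RFC1738);
    $lines = [
        'GET ' . assert_no_ctl($path) . '?' . $query . ' HTTP/1.1',
        'Host: ' . assert_no_ctl($host),
        'Connection: close',
    ];
    return implode("\r\n", $lines) . "\r\n\r\n";
}

// Constructed sample: the data=1 field from the question plus a value that
// needs URL encoding.
$fields = ['data' => '1', 'note' => 'a&b c'];
echo build_form_post('www.example.com', '/somepage.php', $fields), "\n\n";
echo build_form_get('www.example.com', '/somepage.php', $fields);
```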
In HTML only it's with a form.
But you can do it if you play with your server side. Here is a good article that shows you how to manipulate the Get to Change it to Post via PHP. This will require you to play with fsockopen... This way to do it will use your parameter ?id=1&param=2 ... and will create a POST request on the server side. You can make it generic; once it is set up it will work, but it's a little work to set up everything first.
You can of course always do a GET to a page which contains server-side (or AJAX) logic which will create a POST request (e.g. GET /pageWhichCreatesAPost.py). Very messy of course, but there can be cases where such a work-around could maybe be useful.