I'm working on a Java application that need's to be able to connect to my University's websites containing my student information. I'm not exactly sure how to go about doing this as the websites framework is Seam which I don't have any experience with.
This is the main link
https://elion.psu.edu/
and after clicking on student this is the link that I actually need to login to.
https://webaccess.psu.edu/?cosign-elionnx.ais.psu.edu&https://elionnx.ais.psu.edu/eLionStudent/secure/elionHome.seam
Does anyone know how to open the second link (student login page) and programmatically enter the username/password, thne 'click' log in?
There's a lot more stuff that needs to be done after the log in but I'm sure I can figure it out if someone could shed a little light on how I should go about doing this.
Thanks,
-Justin
Basically it looks like an application/x-www-form-urlencoded 'POST' to the URL:
https://webaccess.psu.edu/?cosign-elionnx.ais.psu.edu&https://elionnx.ais.psu.edu/eLionStudent/secure/elionHome.seam
It could be reproduced programatically by making an HTTP POST request (ensure to set the Content-Type Header to application/x-www-form-urlencoded) to that address, and posting the encoded form data. Which would look like this if you tried to submit the login 'asd' and password 'sdf':
ref=https%3A%2F%2Felionnx.ais.psu.edu%2FeLionStudent%2Fsecure%2FelionHome.seam&service=cosign-elionnx.ais.psu.edu&required=&login=asd&password=sdf
A good way to figure out this information (If you are using Chrome) is open the developer-tools and go to the network tab. Check the 'preserve-log' box and then try to submit something on the web page. The very first thing in the list for me was the POST request it attempted to login. By clicking on that you can see lots of detailed information about the actual request itself.
Hope this helps!
Related
I have a little problem: I need to get the source of a website in an android app, but to view the website I have to be logged in. I tried some ways, but it is not working. It is a little bit complicated, because it must work like this:
1. Log in on domain abcd.ef
2. Go to ghij.kl/internal
3. Go to ghij.kl/secure/data.php
3. Go to ghij.kl/secure/data/1.html and save source as string
I already tried to login via POST on abcd.ef, save cookies etc and use them on a new connection to ghij.kl, but that is not working, I receive error 403 from the website. I think the website checks the referrer, but I am not sure and I really need help of (or from?) some experts.
Sincerely,
atom_dad
I was preventing my application from cross site scripting defect. I have done the validation part for all the fields present in my application, but I don't know how to prevent this defect if someone injects the code in the url, please help me how to get rid of this defect.
Eg:
Script:
javascript:alert(document.cookie)
like if we inject the above code in the url we can get the username and the session id after logout.
Please suggest me the solution.
html decoding/encoding cant help in this, I tested this on most of the web application (like Atlassian JIRA, Slack) all were allowing this and it was being printed in html page. This tag will only work i following cases:
if it is being printed
in href attribute-
Test
in Onclick attribute
<a href=# onclick="javascript:alert(document.cookie)" >test</a>
So make sure that you are not printing anything directly in href or onClick attribute, if you are doing than add any filter there which can manually detect javascript or dont forgot to append http:// before the link.
Someone entering javascript:alert(document.cookie) in the address bar is not a vulnerability.
If an attacker put a href in their website linking to javascript:alert(document.cookie) then it would simply show the cookies on the attacker's site.
Only the user can enter the code in their own browser. This is known as Self-XSS.
If this is not what you mean, please update your question with an example of a working URL (you could change your domain to example.com for privacy), and then add a comment to let me know and I'll update my answer to help.
I'm trying to make a e-commerce page and I have a login form in all pages (included in the header). What I whant is to do a secure connection between the client and the server when the user logins for the password don't be sent in plain text string. The problem here is I don't want to use https for all pages, but just for the form submission.
Because I'm using spring security I did a little bit resarch and I found the requires-channel="https" for the intercept-url, but I notice that the form sent first the login information in plain text and just then the connections is "converted" to https.
One other way I found was to change the action of my form to use the https link
<form id="login" action="https://localhost:8443/j_spring_security_check" method="POST" >
Everything was sent in a secure way (like I expected), the loadUserByUsername is called, everything worked as expected, but when the job was done, the user appears to be not authenticated. Looks like nothing happens...
Maybe I'm missing something or I'm not following the right pad... someone knows what I need to do or point me in the right direction?
Edit: I dig a little bit more about this subject and I start wondering if the best will be to secure the full website rather than the login or registration form. This will be an e-commerce website, so a few extra security is always welcome. My worries are about the bennefits/performance (pros and cons) that the https will have compared to http use (anyone knows??) !!
After many days of researching and testing (almost a month) I arrived to conclusion that the best approach for this problem is not use a secure connection for the form but for the entire application (in my case need to be the entire because the login form is present in all app as a popup element).
For others, the reason to change was to give the customer the assurance that the data is secure and the website is trusted (the symbol in the address link)... Also, I read somewhere is good for SEO!!
I hope with this answer I could clarify someone with the same issue as mine!!
I am working on a homework assignment that is due shortly and I have searched and searched and searched for the answer to this and I just don't know where to go at this point.
I am using Eclipse Juno, with Tomcat 7.0 and a MySql database. I have to develop a web application for a pizza place. I have pretty much everything working so will only post the code here if requested since there is a ton.
My problem is I have a login form that calls the j_security_check, which works just fine. However, when the user is logged in they are taken to a customer form which is supposed to display their name, address, phone number and give them the option of editing any of it or just starting their order. My problem is I need to get the j_username and pull the customer information from my database to populate the form when the user is redirected from the login page to the customer.jsp page. We are not supposed to use <% ----- %> in our code if we can help it and to keep that in servlets. I just am lost on how to get that j_username and then call a servlet to populate the form (I can do the population if I can get the data).
HELP PLEASE!!! I know I am missing something really simple here and it is driving me nuts.
Ok I have tried the demo you sent and actually found another demo with the FORM like my project. I still cannot get it to work. I am a little lost. When I do the demo exactly as they have it the servlet generates text and outputs it. I was able to change it to a requestDispatcher and send it to the page I need it to go to on the login. The demo just has it going to the url host.../YourProject/test not an actual page. I am lost on how to get it to call the servlet so I can grab the header information with my project. I have the servlet LoginUser I want the user to login on login.jsp and there is a login_error.jsp in case of an error. When the user successfully log's in they should be taken to customer.jsp and the fields on the page populated with their data. I need to change this to use SSL too but haven't got there yet I am still trying to get the data for the customer.
I suspect what you're using is basic authentication in Tomcat. Check out this post for instructions. In summary, you'll need to grab the authentication header from the servlet request and parse it to grab the username (first you'll likely need to base64 decode it). Then you can use that username to look up the necessary information in the database.
I would be grateful if someone could please show me an example of how to login to a phpBB forum remotely and perform a search.
The language i am using is java however, i just need to know the steps involved.
even some pointers on what to google to get the answers i need would be great i have googled everything i can think of.
I'm unable to give you code samples for this, but the general process would be
Use a POST request to send the login details to {forumLocation}/ucp?mode=login, this requires the inputs "username" and "password"
Once your are logged in using this method you should just be able to perform searches by sending requests to this url
/search.php?keywords={value1}+{value2}+{value3}&terms=all&submit=Search
Where value1, value2, value3 are your search items.
There is a Java libary which should be able to help you with this called HTTPCLient, which should make maintaining the session once your logged in easy.
This page will give you some more details of sending post inputs HTML forms.
Hope this at least puts you on the right track.