Geek Answers Handbook

Can I make a form from another website

I have a user on website A, and I need to bring him to website B (not under my control), but without compromising his password on website B. Website B does not have an API, which makes this more complicated than it should be.

My first option is to display my own form on website A, the user enters the password of their website B into my form, and I somehow securely pass his web password B to website B to register his. This means that I must first pass the password securely from the client to my server, and then securely transfer it from my server to the end of the website. This is what I’m guessing what I need to do, but I don’t have a plan on how to implement these 2 heppers safely, so I worry that somehow I can provide the user password.

So, I was thinking of the second option, which should display the same website B from website B on my website. But the form on website B is part of a larger page, so what can this be done?

  • How would I extract the code for the form itself from the code for the full page
  • how to submit a form on my website. I want the user to see this. iframe comes to mind but never worked with it.
  • whether the form will remain valid when the user clicks the submit button or does the visualization of the form on my website somehow invalidate it.

These are two different solutions that I was thinking about. I welcome the answers for each of them, and also welcome the answers that offer an alternative third approach, which could be simpler.

+6
security php forms csrf
source share
7 answers

As long as you use SSL on your site, there is no significant risk in terms of compromising the user's password (if you are not doing any financial transactions, please clarify).

My suggestion would be, do not copy their form. Instead, repeat the HTTP POST generated by this form. You can do this completely programmatically, and the user will never leave YOUR site, but (in most cases) the result will be that the user also logs into the site of THEIR website.

If there are any hashed fields for processing, request their form page (programmatically) and use any values ​​that you get to send back to the second site so that the request is verified. Their server does not know that the request does not come from the browser (indeed, you can add a user agent to the HTTP headers if you want).

I used this methodology on Verizon and LinkedIn (both for legitimate purposes) and it works.

Repeat:

  • Learn the structure of your HTTP POST.

  • Add a form to enter your site.

  • Manipulate the request in your code so that it looks like the POST site is expecting.

  • POST to your site from your code.

  • Display the response to the user on your site (if necessary), redirect anything.

+7
source share

It all depends on how the server you are running POSTING processes the CSRF [Cross-Site Request Subprocesses], since that is basically what you do. For example, if they use the relatively recent Django, then POST requests from an external server will fail by default if they do not contain the csrf cookie.

You can get around this if you have control over the server to which you also post POSTing.

+3
source share

I will try to outline a solution, but it may be wrong or even what you wanted, and this is definitely not practical.

From what I know about XSRF, if the recipient site has done their homework, you will not be able to simulate submitting a form from your domain.

The only one who has access to the user credentials, in addition to the target site, is the browser. So what you really need to do is a browser. This means that you must convince the user that he can transfer you his registration information to another site. I have no idea how you can do this, I would not trust something like that. (Another option would be to trick him (phishing), but that’s illegal, and I don’t think you would even think about it.)

Once you manage to convince the user to provide you with their data, you still have to act as a browser. You will need to implement a cookie storage system for each user so that you can create a session when you log in.

After that, you will be logged in with the user data , but the user will not . Thus, you will need to perform any other operation that the user will have to use on your site.

What I recommend:

Or contact the target site and configure the protocol that you can use to authenticate the user from your site. There are some really cool iframes to do this. Read this article for a competent presentation http://softwareas.com/cross-domain-communication-with-iframes .

Or ask the user to open a pop-up window with the login page for this site. Make sure the popup has a visible address bar.

+3
source share

I really don’t get what you want to do, if it just goes to the site, you can do something like this:
Mainsite:

<iframe id="logon" src="/logonto-other.html"></iframe>

/logonto-other.html:

 <form onsubmit="top.logon.style.visibility='none';" action="http://other-site.com/login" method="post"> <dl> <dt><label for="user">Name</label></dt> <dd><input name="user" /> <dt><label for="pass">Password</label></dt> <dd><input name="pass" /> </dl> <?php //code that acquires hash from other site // Don't know site B so can't write this one yet. ?> <input type="submit" value="Login" /> </form>

Thus, the user will simply be registered on another site, your options for interacting with him will still be limited (or I must have thought that I never studied the policies of the same origin, since I never felt that there was any -or restriction to what I do. Perhaps today's browsers are more strict).

On the "2-hop", do you have a certificate and SSL / HTTPS support on your server A? Does server B have this? Do you think you can make users trust you with their password? One piece of advice will be that you add a paragraph explaining the situation and a link where the user can contact site B to add pressure on them to implement OAuth and / or OpenID?

Perhaps it is possible that something can be improved, even if you do not have HTTPS on your server, you can use JavaScript or the Java applet to encrypt the password (there must be PGP in JavaScript somewhere on the network. If the address bar of the browser becomes green, it’s easier for users to decide whether you will trust you.

There seem to be some answers to my questions, and can we know what Site B is? And what exactly are you trying to do, maybe we can work together.

Good luck.

+2
source share

To isolate a form from a larger page, find the <form> and </form> tags, and just copy any and elements between them. Now place this form on your page, and its action still points to the URL that it provided on the original website. Password never goes through your server.

+1
source share

See: Sockets

  • Examine SiteB to enter the HTML form for a list of field names, expected values, and the action URL.
  • Name the form on your own site using the same field names. The action URL should point to script processing on your own server. The caveat in this case is that if site B uses a specific special token field or cookie when their login form page is loaded. In this case, use sockets to connect and get a new copy of the login page to site B. You will need to know the HTTP message standards and the correct structure of the request body in order to remove this. Then analyze the resulting text for the marker field or cookie names and values ​​that will be used on your own page.
  • The user enters their username and password for site B in your form. When submitted, the form results are passed to your script handler.
  • Your script handler uses Sockets to connect to the URL of the site B action URL as a regular POST request. This POST request includes any cookies and token names / values. Site B gave it to the previous few steps. You will need to follow the recommendations of the HTTP protocol protocol structure again to remove this.
  • Site B authenticates using your user information. Your script handler is sitting there, waiting for a response.
  • Site B responds to the script handler. You will need to study typical answers. Site B returns to know how to parse any response text (and again learn how to parse HTTP messages), including the returned cookie headers.
  • Your script handler should store a log matching the user match with any cookie returned after successful authentication by site B. In any future requests to site B, again use sockets for dullness as the user, passing the cookie header / val is used to Identify your (IE: your ) B site login session.

Keep in mind that you can leave an open and honest dialogue about what you are doing with site B, or you can be responsible for civil action .

+1
source share

The scenario you are describing can be tricky. The main problem you are facing is how you send login credentials to site B so that the cookies returned by the successful login go to the user browser and belong to site B, so site B receives them when the user is actually navigating.

Several people suggested that the form be submitted to a PHP file on your server and allow them to log in from server to server. This solution almost never works. Even if site B accepts your server-to-server login (which will probably be how you can fake any browser you want), it will be your web server, which will receive new cookies, and your web server IP, with which the session will be associated. Even if you return the cookie to the browser, it will save it for your site (site A) and will not send it to site B when the browser gets there, so the user will remain in site B.

So, the only thing you can do here is post the login form for your site on your server. This means that you will need to submit the form to a browser that has an ACTION that points to the login form of site B. It also means that whenever the user clicks the login button, the control is transferred to site B: user will move from your site and you will lose it.

There are two main technical problems in this second method: one of them is that site B may have an XSS warning and actually blocks you from publishing material on the login page. Another problem is that if your site is in SSL mode, browsers will take a long time to click to submit the form to another website. None of this can decide.

The only clean solution is to really go to Site B and create a general authentication plan, or at least an authentication API. You can try the solution at the intersection of the form, but there are good chances that you will have problems with it that you do not like.

0
source share

More articles:


All Articles