Download a webpage with related scripts and execute two JavaScript functions from it

Hi there!

Sorry to bother you again but I’m having some troubles with a login webpage. I need to pass a user/password combo but whoever did the page went overkill with security, implementing SRP. Alas, I’m unable to just send a GET/POST like usual but I need to execute the SRP authentication routine from the webpage. I can download all the files required (index page and two JS files with the service code in them) with no major problems with an HTTPSocket, but how can I progress from there? I can paste the pages if required.

It doesn’t sound like overkill to me. It sounds like it’s doing exactly what it’s supposed to do… prevent automated logins.

To answer your question, you would need at least a JavaScript engine to run the scripts, and probably a DOM engine of some kind to make that work. At that point you might as well use an HTMLViewer.

I tried opening the page with HTMLViewer but I’m unable to extract the cookie I need to run my data flow. Is there any code sample (cookie extraction from HTMLViewer) I can use to jumpstart developing?

PS: I can understand SRP on a serious site, but I think that using it on the user-facing side of a home router is a bit overspecced :slight_smile:

Matteo, have you tried HTMLViewer1.ExecuteJavaScript("document.title=document.cookie")?

I have just created an HTMLViewer and deployed your code snippet in a DocumentComplete event for the HTMLViewer object. I created a TitleChanged event to execute a MsgBox with the page title. I am getting the title of the document loaded into the HTMLViewer but I’m not seeing the cookie. Should I use a different event to check for document.title modification?

I think I may have found the culprit: the cookie is an HttpOnly cookie, so JavaScript cannot touch it :frowning: The lack of integrated cookie management/extraction from HTMLViewer is kinda limiting…

Ask the vendor for an API.

It’s my ISP’s heavily customized modem/router, so pretty much impossible :frowning:

You should use that code in a button when you view the logged page

The cookie is sent to you, whether using a browser, the HTMLViewer class, or an HTTPSocket, and you need to grab it out of the HTTP headers… You need to send it back with every request… The HttpOnly flag will only mean something to a web browser that supports it; in other words, for your HTMLViewer or HTTPSocket, it is meaningless…

[quote]If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script.[/quote]

There are open source versions of SRP that you could probably port over to Xojo, or you could take a look to see how to use OpenSSL (apparently SRP is available since version 1.0.1 of OpenSSL), through the shell class…
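The point made above about reading cookies out of the HTTP headers, as an added example that is not part of the original thread. It is written in Python rather than Xojo so it can be run as-is; the response text, cookie names and values are constructed, and the path check is a simplified prefix match.

```python
# Added example: shows that HttpOnly is only an attribute on the Set-Cookie
# line. A plain HTTP client that reads raw headers sees the cookie anyway.

# Constructed response head, as a socket-level client would receive it.
RAW_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123examplevalue; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Set-Cookie: admin_hint=1; Path=/admin\r\n"
    "\r\n"
)

def parse_set_cookies(raw_head):
    """Return {name: {"value", "httponly", "path"}} for each Set-Cookie line."""
    cookies = {}
    for line in raw_head.split("\r\n")[1:]:      # skip the status line
        if not line:                             # blank line ends the headers
            break
        field, sep, rest = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:                   # Path=/, HttpOnly, Secure, ...
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies[name.strip()] = {
            "value": value.strip(),
            "httponly": "httponly" in attrs,     # flag attribute, carries no value
            "path": attrs.get("path", "/"),
        }
    return cookies

def cookie_header(cookies, request_path="/"):
    """Build the Cookie request header value to send back for request_path."""
    pairs = [
        f"{name}={c['value']}"
        for name, c in cookies.items()
        if request_path.startswith(c["path"])    # simplified path matching
    ]
    return "; ".join(pairs)

if __name__ == "__main__":
    jar = parse_set_cookies(RAW_RESPONSE_HEAD)
    print(jar)
    print("Cookie:", cookie_header(jar, "/status.html"))
```

The HttpOnly cookie is parsed and returned like any other, which is why the flag protects a session only against script running inside a browser, not against a client that reads the headers directly.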

@shao sean Let’s say I want to track the HTTP headers of an HTMLViewer (which is set to use WebKit). What code should I use to get the HTTP headers of the currently loaded page? Is there any code sample I can explore? :slight_smile:

Through the HTMLViewer, this would require declares, and each platform is different… You would probably be better off using an HTTPSocket and doing the SRP through OpenSSL (or looking at porting the SRP code to Xojo)…

@shao sean Porting the SRP code is way above my paygrade :slight_smile: I’ll keep that in mind in case I want to explore the issue again. Hopefully someone more skilled than me will have solved the problem by then :smiley: