faking post data

i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.

cheers
dave

Jul 17 '05 #1
ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


First a little speech. When you got the error "method not allowed",
didn't some bells and whistles go off in your head, followed by a thought
of "the bank probably doesn't want me to be doing this". Obviously they
are doing some additional checking to prevent misuse, not just to annoy
people.

Anyway, if you just copied the form and changed action to point to the
appropriate page, then the first obstacle is the referer[sic]-header. I
don't know of any ordinary browser which lets you fake that header, but
you can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, so
you would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I think
both wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probably
need to write a mediator-script between your local form and the bank's
webserver. PHP has curl extensions which are useful for this purpose.

But seriously, check with the bank first. If they don't mind, they could
give you the information you need. If they do mind, then you shouldn't
be doing it in the first place.

/Bent
Jul 17 '05 #2
In article <41*********************@dread14.news.tele.dk>,
Bent Stigsen <ng**@thevoid.dk> wrote:
ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


First a little speech. When you got the error "method not allowed",
didn't some bells and whistles go off in your head, followed by a thought
of "the bank probably doesn't want me to be doing this". Obviously they
are doing some additional checking to prevent misuse, not just to annoy
people.

Anyway, if you just copied the form and changed action to point to the
appropriate page, then the first obstacle is the referer[sic]-header. I
don't know of any ordinary browser which lets you fake that header, but
you can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, so
you would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I think
both wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probably
need to write a mediator-script between your local form and the bank's
webserver. PHP has curl extensions which are useful for this purpose.

But seriously, check with the bank first. If they don't mind, they could
give you the information you need. If they do mind, then you shouldn't
be doing it in the first place.

/Bent


Gee, Brent. That was great. You just told someone how to set up a
phishing scam.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #3
Hello,

On 10/09/2004 06:45 AM, ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


Error 405 usually happens when you try to submit a POST request to a URL
that serves a static page (read HTML page or something like that), not
really a dynamically generated page, therefore submitting form requests
to a static page URL does not make sense, thus the 405 error.

If you want to emulate a login form using SSL or not, you may want to
try this HTTP client class. It supports SSL requests, POST form
submissions as well as cookie collecting and redirection which you
eventually also need.

http://www.phpclasses.org/httpclient
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
Jul 17 '05 #4
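
Replies #2 and #4 name the server-side reasons a saved copy of a form gets rejected: a 405 for a method the target URL does not accept, a Referer check, and a session-bound value in a hidden field. The sketch below is an added example, not part of the thread and not any bank's code; the origin, routes, key and session id are constructed, and Python is used only for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Every name and value here is constructed for illustration.
SITE_ORIGIN = "https://bank.example"
SERVER_KEY = b"constructed-demo-key"      # server-side secret, never sent to clients
ACTIVE_SESSIONS = {"s-1001"}              # session ids this server has issued
ROUTES = {
    "/login.html": {"GET", "HEAD"},       # static page that carries the form
    "/login": {"POST"},                   # handler that processes the form
}

def issue_form_token(session_id):
    """Value for the hidden form field, bound to one session via HMAC."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def origin_of(url):
    parts = urlsplit(url)                 # "null" or "" yields "://"
    return f"{parts.scheme}://{parts.netloc}"

def check_request(method, path, headers, cookies, form):
    """Return (status, reason) for an incoming request."""
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, "no such resource"
    if method not in allowed:
        # What reply #4 describes: the URL exists but does not take this method.
        return 405, "Allow: " + ", ".join(sorted(allowed))
    if method != "POST":
        return 200, "static page served"
    # Prefer Origin, fall back to Referer; neither names this site for a form opened from disk.
    source = headers.get("Origin") or headers.get("Referer", "")
    if origin_of(source) != SITE_ORIGIN:
        return 403, "form was not submitted from this site"
    session_id = cookies.get("session", "")
    if session_id not in ACTIVE_SESSIONS:
        return 403, "no live session for this form"
    expected = issue_form_token(session_id).encode()
    if not hmac.compare_digest(form.get("form_token", "").encode(), expected):
        return 403, "hidden token does not match the session"
    return 200, "credentials may now be checked"

def demo():
    good = {"form_token": issue_form_token("s-1001")}
    return [
        check_request("POST", "/login", {"Origin": SITE_ORIGIN}, {"session": "s-1001"}, good),
        check_request("POST", "/login", {"Origin": "null"}, {}, good),
        check_request("POST", "/login.html", {"Origin": SITE_ORIGIN}, {}, good),
    ]

if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The header check is a supplementary filter; the token tied to a server-issued session is the control that does not depend on what the client chooses to send in its headers.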
<Michael Vilain <vi****@spamcop.net>> wrote in message
news:vi**************************@comcast.dca.giganews.com...
-snip-
Gee, Brent. That was great. You just told someone how to set up a
phishing scam.


No, for a phishing scam, all you need to do is copy the bank's form to your web
server and point it to your own CGI script.

Jul 17 '05 #5
"Michael Vilain <vi****@spamcop.net>" wrote:
In article <41*********************@dread14.news.tele.dk>,
Bent Stigsen <ng**@thevoid.dk> wrote:

ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


First a little speech. When you got the error "method not allowed",
didn't some bells and whistles go off in your head, followed by a thought
of "the bank probably doesn't want me to be doing this". Obviously they
are doing some additional checking to prevent misuse, not just to annoy
people.

Anyway, if you just copied the form and changed action to point to the
appropriate page, then the first obstacle is the referer[sic]-header. I
don't know of any ordinary browser which lets you fake that header, but
you can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, so
you would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I think
both wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probably
need to write a mediator-script between your local form and the bank's
webserver. PHP has curl extensions which are useful for this purpose.

But seriously, check with the bank first. If they don't mind, they could
give you the information you need. If they do mind, then you shouldn't
be doing it in the first place.

/Bent

Gee, Brent. That was great. You just told someone how to set up a
phishing scam.


Well, the way I see it...
<rant>
Keeping something a secret will not protect anybody. And this is just
too easy for anybody to do. The only difference is, if they are smart
enough to avoid getting caught. And the smart ones probably know this in
the first place. I think beating some decency into people, instead of
keeping secrets is far better.

About security and phishing. Banks and others who require tight security
really need to do other "things" as I hinted. If they don't, then they
are a joke. In general if people got over this sense of false security
and were more alert, and service providers took it more seriously, then
phishing would be dead.

Secrecy has never ever been a substitute for security.
</rant>

Don't get me wrong though, like you, I am also worried about people being
scammed, but I just think that in the long run this is better.

/Bent
Jul 17 '05 #6

