By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,716 Members | 1,317 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,716 IT Pros & Developers. It's quick & easy.

faking post data

P: n/a
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.

cheers
dave

Jul 17 '05 #1
Share this Question
Share on Google+
6 Replies


P: n/a
ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


First a little speech. When you got the error "method not allowed",
didn't some bells and whistles go off in you head, followed by a thought
of "the bank probably doesn't want me to be doing this". Obviously they
are doing some additional checking to prevent misuse, not just to annoy
people.

Anyway, if you just copied the form and changed action to point to the
appropriate page, then the first obstacle is the referer[sic]-header. I
dont know of any ordinary browser which lets you fake that header, but
you can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, so
you would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I think
both wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probably
need to write a mediator-script between your local form and the bank's
webserver. PHP has curl extensions which is useful for this purpose.

But seriously, check with the bank first. If they dont mind, they could
give you the information you need. If they do mind, then you shouldn't
be doing it in the first place.

/Bent
Jul 17 '05 #2

P: n/a
In article <41*********************@dread14.news.tele.dk>,
Bent Stigsen <ng**@thevoid.dk> wrote:
ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


First a little speech. When you got the error "method not allowed",
didn't some bells and whistles go off in you head, followed by a thought
of "the bank probably doesn't want me to be doing this". Obviously they
are doing some additional checking to prevent misuse, not just to annoy
people.

Anyway, if you just copied the form and changed action to point to the
appropriate page, then the first obstacle is the referer[sic]-header. I
dont know of any ordinary browser which lets you fake that header, but
you can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, so
you would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I think
both wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probably
need to write a mediator-script between your local form and the bank's
webserver. PHP has curl extensions which is useful for this purpose.

But seriously, check with the bank first. If they dont mind, they could
give you the information you need. If they do mind, then you shouldn't
be doing it in the first place.

/Bent


Gee, Brent. That was great. You just told someone how to setup a
phishing scam.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #3

P: n/a
Hello,

On 10/09/2004 06:45 AM, ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


Error 405 usually happens when you try to submit a POST request to a URL
that serves a static page (read HTML page or something like that), not
really a dynamically generated page, there for submitting form requests
to a static page URL does not make sense, thus the 405 error.

If you want to emulate a login form using SSL or not, you may want to
try this HTTP client class. It supports SSL request, POST form
submissions as well cookie collecting and redirection which you
eventually also need.

http://www.phpclasses.org/httpclient
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
Jul 17 '05 #4

P: n/a
<Michael Vilain <vi****@spamcop.net>> wrote in message
news:vi**************************@comcast.dca.giga news.com...
-snip-
Gee, Brent. That was great. You just told someone how to setup a
phishing scam.


No for a phishing scam, all you need to is copy the bank's form to your web
server and point it to your own CGI script.

Jul 17 '05 #5

P: n/a
"Michael Vilain <vi****@spamcop.net>" wrote:
In article <41*********************@dread14.news.tele.dk>,
Bent Stigsen <ng**@thevoid.dk> wrote:

ma**********@hotmail.com wrote:
i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.
Can't for the life of me figure out why, it's posting exactly the same
data from exactly the same html code. Any ideas? It's a https (SSL)
site.


First a little speech. When you got the error "method not allowed",
didn't some bells and whistles go off in you head, followed by a thought
of "the bank probably doesn't want me to be doing this". Obviously they
are doing some additional checking to prevent misuse, not just to annoy
people.

Anyway, if you just copied the form and changed action to point to the
appropriate page, then the first obstacle is the referer[sic]-header. I
dont know of any ordinary browser which lets you fake that header, but
you can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, so
you would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I think
both wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probably
need to write a mediator-script between your local form and the bank's
webserver. PHP has curl extensions which is useful for this purpose.

But seriously, check with the bank first. If they dont mind, they could
give you the information you need. If they do mind, then you shouldn't
be doing it in the first place.

/Bent

Gee, Brent. That was great. You just told someone how to setup a
phishing scam.


Well, the way I see it...
<rant>
Keeping something a secret will not protect anybody. And this is just
too easy for anybody to do. The only difference is, if they are smart
enough to avoid getting caught. And the smart ones probably know this in
the first place. I think beating some decency into people, instead of
keeping secrets is far better.

About security and phishing. Banks and others who require tight security
really needs to do other "things" as I hinted. If they dont, then they
are a joke. In general if people got over this sense of false security
and where more alert, and service providers took it more seriously, then
phishing would be dead.

Secrecy has never ever been a substitute for security.
</rant>

Dont get me wrong though, like you, I am also worried about people being
scammed, but I just think that in the long run this is better.

/Bent
Jul 17 '05 #6

P: n/a

Bent Stigsen wrote:
"Michael Vilain <vi****@spamcop.net>" wrote:
In article <41*********************@dread14.news.tele.dk>,
Bent Stigsen <ng**@thevoid.dk> wrote:

ma**********@hotmail.com wrote:

i've copied my bank's login form and saved a copy on my computer.
However when i try to submit it, i get a 405 method not allowed error.Can't for the life of me figure out why, it's posting exactly the samedata from exactly the same html code. Any ideas? It's a https (SSL)site.

First a little speech. When you got the error "method not allowed", didn't some bells and whistles go off in you head, followed by a thoughtof "the bank probably doesn't want me to be doing this". Obviously theyare doing some additional checking to prevent misuse, not just to annoypeople.

Anyway, if you just copied the form and changed action to point to theappropriate page, then the first obstacle is the referer[sic]-header. Idont know of any ordinary browser which lets you fake that header, butyou can try cli-type webclients like wget and curl to explore that.
They (the bank) might require an ongoing session or kind of checksum, soyou would need to check for an id or other data in cookies, url or
hidden form-fields, which was related to the original loginform. I thinkboth wget and curl can help you there.
And there can be other "things".

As you probably suspect, anyhow they have done it, you would probablyneed to write a mediator-script between your local form and the bank'swebserver. PHP has curl extensions which is useful for this purpose.
But seriously, check with the bank first. If they dont mind, they couldgive you the information you need. If they do mind, then you shouldn'tbe doing it in the first place.

/Bent

Gee, Brent. That was great. You just told someone how to setup a
phishing scam.


Well, the way I see it...
<rant>
Keeping something a secret will not protect anybody. And this is just

too easy for anybody to do. The only difference is, if they are smart enough to avoid getting caught. And the smart ones probably know this in the first place. I think beating some decency into people, instead of keeping secrets is far better.

About security and phishing. Banks and others who require tight security really needs to do other "things" as I hinted. If they dont, then they are a joke. In general if people got over this sense of false security and where more alert, and service providers took it more seriously, then phishing would be dead.

Secrecy has never ever been a substitute for security.
</rant>

Dont get me wrong though, like you, I am also worried about people being scammed, but I just think that in the long run this is better.

/Bent


Jul 17 '05 #7

This discussion thread is closed

Replies have been disabled for this discussion.