tags:

views:

144

answers:

3
+3  Q: 

Cross domain javascript form filling, reverse proxy

Hi,

I need a javascript form filler that can bypass the 'same origin policy' most modern browsers implement.

I made a script that opens the desired website/form in a new browser. With the handler, returned by the window.open method, I want to retrieve the inputs with theWindowHandler.document.getElementById('inputx') and fill them (access denied).

Is it possible to solve this problem by using Isapi Rewrite (official site) in IIS 6 acting like a reverse proxy? If so, how would I configure the reverse proxy?

This is how far I got:

RewriteEngine on
RewriteLogLevel 9
LogLevel debug 

RewriteRule CarChecker https://the.actualcarchecker.com/CheckCar.aspx$1 [NC,P]

The rewrite works, http://ourcompany.com/ourapplication/CarChecker, as evident in the logging. From within our companysite I can run the carchecker as if it was in our own domain. Except, the 'same origin policy' is still in force.

Update,

I stopped using Isapi Rewrite as the free version does not include a proxy component. I started to use the url rewriter from Managed Fusion.

My current working rewriterule:

RewriteRule /MySecuredSite/CarChecker https://the.actualcarchecker.com [NC,P]

Now I get the error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I think this occurs because our ssl-certificate is passed on to the carchecker site. How can I configure the reverse proxy so that the certificate of the carchecker site is passed on?

Regards,

Michel

A: 

Which server side language are you using? Using it you can create a proxy which should easily bypass the one domain policy...

PHP

<?php
    $handle = fopen("https://the.actualcarchecker.com/CheckCar.aspx", "r");
    $contents = '';
    while (!feof($handle)) {
        $contents .= fread($handle, 8192);
    }
    fclose($handle);
    echo $contents;
?>

I'd imagine it would be a similar process with other languages.

Andrew Dunn  2010-09-22 08:18:00
Hi Andrew,I use asp.net. I don't want to screen scrape the page, I want to fill the formvariables on it and submit the form. I've got the filling part, now I need the proxy part.
Michel van Engelen  2010-09-22 14:56:40
Would it be possible for you to send any form data directly to the forms target url, bypassing the iframe? Or do you need to submit the form in the iframe?
Andrew Dunn  2010-09-22 22:21:48
I can send form data directly to the url. But the targetpage reads some sort of session variable from the subtmitted viewstate. If I post it myself I have no corresponding session. If the session doesn't add up, the page returns an error. That's why I want to load the page (get the correct and actual viewstate), fill and submit it. I decoded the viewstate but the session variable looks random.
Michel van Engelen  2010-09-23 07:10:21
Can you post your custom form to your website, have your website grab the aspx page, replace the appropriate fields in the html and then submit the form back to the aspx page and finally return the result? If not ... you said you've already got the filling part ... how did you accomplish that part? If you've done it client-side then maybe you can take advantage of using the window.name variable to communicate between windows.
dlongley  2010-09-23 16:50:53
The other domain is not under our control, so we can't open a communication channel. The filling part is the GetElementById etc. code I mentioned in my question, it returns access denied.
Michel van Engelen  2010-09-24 07:08:20
+1  A: 

Without knowing a few more details I decided that it might just be helpful to list some of the restrictions you face and some of the tricks you could take advantage of:

  1. I'm not an ASP developer but I'm aware that, as you mentioned, there is some kind of viewstate variable that must be submitted along with a ASP form. I assume that this viewstate can be validated using only the form fields that are to be resubmitted. That's all that I'd expect (unless it's super complex) since the form the browser receives is all it sends back (along with values). So the point is that you'll need a valid viewstate when you submit to the aspx page, but maybe you can grab any viewstate you want from the server so long as the form fields you submit are identical.

  2. You can write a webpage that acts just like your browser does. It can grab the aspx page (thus establishing a valid viewstate), then you can create all of the fields necessary to POST to the aspx page, including the viewstate, and do so. Whatever the results are can be returned from your webpage to the browser. Unless you have the ability to modify the other server I really don't see another option at this point, but maybe someone else can be more helpful.

  3. If you can modify the other server then you have a few other options. One of them involves a trick for passing data between iframes. If you're using a hidden iframe to get the aspx page then you won't be able to get the result back to the parent page due to the cross-domain restriction. But since you can modify the other server (running on the.actualcarchecker.com), you can get around this. To do so just make that server provide JavaScript to submit the form asynchronously and then set the result (serialized to a string) to window.name.

    Now to get access to window.name from your domain, you set the iframe's window.location to a page on your domain that will simply call a function you wrote in the JavaScript loaded in the parent window. Like window.parent.process(window.name). Since the iframe loaded a page on your domain it will have access to window.name which will not have been changed even though you changed window locations. Then the process() function in the parent window can deserialize the string, remove the hidden iframe, show the results, do whatever you want, etc.

  4. You won't be able to populate the aspx form that's loaded in the hidden iframe unless you do a similar trick on the other domain's server. That server's JavaScript will need to read from window.name to receive the inputs to populate the form with. However, if both servers are in on the trick then you don't have to write a proxy, you can just pass data via window.name.

dlongley  2010-09-23 17:51:07
1+2 are, mostly, correct. I already had a version that works for an hour, then the session in the viewstate times out and I need to get a new one. 3+4 I can't modify the other server. +1 for your super effort, but I want the reverse proxy to work for the +100 (cleaner solution, works for all sites).
Michel van Engelen  2010-09-24 07:02:21
You say the viewstate times out ... can't you just grab a new viewstate each time someone posts their form to your web page? ie: someone posts their fields to you, you grab the aspx form (w/new view state), populate it, post it back to aspx, and then return the result to the browser? I don't see why you'd need to cache/reuse a viewstate for more than one form POST, but maybe there's some ASP stuff going on that I'm not aware of.
dlongley  2010-09-24 20:04:40
A: 

Why don't you use JSONP approach instead? I.e. use JavaScript to read the values entered into your form and sent it to the server-side handler via a dynamically generated <script> element (<script> and img elements can refer to resources from external domains).

var e = document.createElement("script");
e.setAttribute("type", "text/javascript");
e.setAttribute("src", "https://the.actualcarchecker.com/CheckCar.aspx?input1=value1&amp;input2=value2");
document.getElementsByTagName('head')[0].appendChild(e);

Likely, you will not need any serious URL rewriting at all if you use this approach - just make sure that CheckCar.aspx returns valid JSON.

JQuery even has several convenience functions for this: AFAIK $.getJSON will transparently switch from XHR to dynamic script insertion method if the request is cross-domain. Also, it supports specifying callbacks. See jQuery docs and this IBM article for more info.

Will this method work for you?

David Parunakian  2010-09-27 07:58:00
Interesting read. But can I actually see the external site in a pop up and populate the form variables? For example, can you load Amazon.com in a pop up and fill the search textbox and submit?
Michel van Engelen  2010-09-27 08:55:02
Only if you have control over the site you open in the popup. You can use an iframe for that. So the whole process looks like this: 1) you open the actualcarchecker form in an iframe. 2) This form uses the JSONP method I described to submit data to the original domain's server. 3) The original domain's server processes the input and pushes the results to the web client. 4) The web client renders the results and closes the iframe.
David Parunakian  2010-09-27 10:04:11
Alas, we have no control over that site..
Michel van Engelen  2010-09-27 11:22:17
Then, I'm afraid, what you want is not possible. If I understand your task correctly, you need to be able to 'eavesdrop' on your user's encrypted communication with another website, intercept the data he's trying to send and to process it instead of the third-party website. If not, please clarify your request.
David Parunakian  2010-09-27 11:32:18
Our employees open customer records in our system. The customers have cars. When an employee clicks on a button, we want to open the car checker site and fill in the license plate on the form automagically and submit the form. We have client certificates for both our site and the car checker site.This is one example of many that I have to implement, streamlining the process and making typos history.
Michel van Engelen  2010-09-27 12:27:08
Is the form submitted to the car checker site or your own server-side handler?
David Parunakian  2010-09-27 12:42:14
Client side script that opens a window to the car checker site. The adress is rewritten by the reverse proxy to attempt to bypass the same origin policy.
Michel van Engelen  2010-09-27 13:24:59

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript