JS speed question & PHP security question

shant93

Ok, my school's login page is really annoying because our usernames are really long and they turned off auto-completion on the form.

I "hacked" the contents of the login form on the page to make myself a submit button that would send the user and pass automatically (as hidden inputs), which I placed on my custom homepage.

I want to spread this around so that other students can use it. I discovered the javascript document.forms.formname.submit(); function, which would allow it to be alone on a page and auto-redirect to the login. But this is really slow. Is there a better place to put the onLoad event? Or is there a way for a PHP page to send POST data without a form?

Here is the code for now:
Code:
<body onload="document.forms.formEtu.submit();">
  <form name="formEtu" action="[SCHOOL WEBSITE]" method="post">
      <input type="hidden" name="NoDA" value="[USERNAME]" />
      <input type="hidden" name="PasswordEtu" value="[PASSWORD]" />
  </form>
</body>

That's the first question, which is essentially "how to boost the performance of the script?", because it's relatively slow (slower than the school's crappy servers should make it).

My second question is, if I want to give this to people to have for themselves, I can have a PHP page on my personal hosting account that would receive the username and password as GET values and login for them. Is there a major security concern there, both for the people submitting the password, and for the school who could get abusive traffic from that?

If the first option is not available for reasons mentioned or other, how can I make a script that would generate the page for them to download and save on their desktop? And how can I make sure it's safe?

Finally, does any of this go against x10 TOS?
 

bagoes4all99

:redface: nice work bro.. thanks..

how about if entering school website with captcha :confused: ????
 

shant93

Sorry, I have no idea how to get around captcha filtering...
But I just want to know, is there any way to speed it up and what are security concerns for making a PHP-generated page for all?
 

lemon-tree

This won't be possible through PHP as the cookies wouldn't be set properly in your browser, so the PHP server could be logged in but your browser wouldn't.
The only reason I can think of that this would be slow is that the page is loading slowly from the servers, so you'll either need to use a local page or move to a faster server.
For the distribution question, to make that you just need a PHP script that the user puts their details in (Trusting you not to harvest them) and the PHP loads a template like you posted and inserts the desired details. Using headers you could then tell the browser to download the file.
 

misson

There's no way to do this securely, as the hidden inputs require that you store credentials in plaintext somewhere. Even if it's only on a user's own computer, it isn't safe. Other techniques where you take responsibility for automatic login (e.g. store credentials in a database, log in from your server and use cookie injection to pass the authentication token to the client, hoping that the login system on the target server doesn't prevent session fixation/hijacking) suffer the same issue.

Better would be to write a script for browsers that support scripting additions (e.g. Firefox+Greasemonkey, Safari+GreaseKit, Chrome+Greasemonkey) to turn autocomplete back on. If the school's page uses the autocomplete attribute on the form or inputs, have the browser script remove it (or set it to "on"). Your mileage may vary.
 

shant93

For the distribution question, to make that you just need a PHP script that the user puts their details in (Trusting you not to harvest them) and the PHP loads a template like you posted and inserts the desired details. Using headers you could then tell the browser to download the file.

Yes, that's what I was asking. How do you do that (I need an example of code for the "headers"), and also, what are potential security issues using POST data to generate the files?
 

xav0989

Well, there is always the issue of script injection on badly secured variables.

As for the actual implementation, it would go along the lines of displaying a form to the user, asking for his DA and password. When he submits (POST), load the values into variables and clean them. Next, load a template (the same as the one you posted), and replace the username and password in the form. This will create a personal HTML file, stored in memory. Next, simply generate the required headers and echo the HTML file.
Code:
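// Keep browsers and proxies from caching the generated file.
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
// $filename is the name offered for the download; basename() drops any path part.
header('Content-Disposition: attachment; filename="' . basename($filename) . '"');
header("Content-Type: text/html");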

As for the GM script Misson mentioned, I started one, but I haven't found the time to finish it yet.
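
The clean-and-fill step described above, as an added example (not code from the thread or from any of its posters): each submitted value is escaped for the HTML attribute it is written into, which is the defence against the script injection mentioned. The field names and template come from the first post; the function names, the fixed `login.html` download name and the sample input are assumptions. The generated file still holds the password in plaintext.

```php
<?php
// Added example: fill the thread's auto-submit template with submitted values,
// escaping each value for the HTML attribute it is written into.

const SCHOOL_LOGIN_URL = '[SCHOOL WEBSITE]'; // placeholder kept from the thread

// Escape a value for a double-quoted HTML attribute (hypothetical helper).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one POST field as a string; array-valued fields (name[]=...) become ''.
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Build the personal page in memory. The form target is fixed server-side,
// never taken from the request.
function build_login_page(string $user, string $pass): string
{
    return '<body onload="document.forms.formEtu.submit();">' . "\n"
        . '  <form name="formEtu" action="' . attr(SCHOOL_LOGIN_URL) . '" method="post">' . "\n"
        . '    <input type="hidden" name="NoDA" value="' . attr($user) . '" />' . "\n"
        . '    <input type="hidden" name="PasswordEtu" value="' . attr($pass) . '" />' . "\n"
        . "  </form>\n</body>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed hostile input that tries to close the value attribute.
    echo build_login_page('x"><script>alert(1)</script>', "p'w&d");
    exit(0);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Fixed download name: nothing user-supplied reaches a response header.
header('Cache-Control: no-store');
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="login.html"');
echo build_login_page(post_string('NoDA'), post_string('PasswordEtu'));
```

Running the file with the `php` command-line binary prints the template built from the constructed input, so the escaping can be inspected without a web server.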
 

misson

GET makes session fixation and the like easier (as an attacker can create a link that includes GET data, whereas POSTed data requires a form), but that's about the only difference when it comes to security. The real difference is semantic: GET should be a safe method (in this context, "safe" means the request has no significant side effects and has nothing to do with security) while POST should be idempotent (which means that multiple POST requests to the same URL with the same data should have the same effect as a single request). Idempotence comes from math; an operation is idempotent if repeated application has the same result. Read "RESTful web services" and "How I Explained REST to My Wife" for more.

It's been a bit since I've written a GM script, but try the following:
Code:
// ==UserScript== 
// @name           Enable Autocomplete
// @namespace      http://libertatia.co.cc/greasemonkey/
// @description    Turn on autocomplete for forms that disable it.
// @include        [enter login page URLs here] 
// ==/UserScript==  

// This work (trivial as it is) is placed in the public domain by its author.
// No rights reserved.

for (var i=0; i < document.forms.length; ++i) {
    document.forms[i].setAttribute('autocomplete', 'on');
    for (var j=0; j < document.forms[i].elements.length; ++j) {
        document.forms[i].elements[j].setAttribute('autocomplete', 'on');
    }
}

GM's sandboxing might mess this up, in which case replacing 'document' with 'unsafeWindow.document' should make it work. You might also wish to replace the namespace with your own, especially if you're going to distribute the script from your own server.
 

vv.bbcc19

how to boost the performance of the script
What is the platform on which the website is made? Is that an isolated PHP script? Or is it on Joomla or WordPress or ASP.NET or only HTML pages?
My second question is, if I want to give this to people to have for themselves, I can have a PHP page on my personal hosting account that would receive the username and password as GET values and login for them. Is there a major security concern there, both for the people submitting the password, and for the school who could get abusive traffic from that?
Yes. This raises a real serious concern as your GET form (on your host) should give a YES or NO to the school website (on school server) for the people to login. This means that your GET form has access to School server database.
Alternatively, if you are only transferring the user ID and password to the site on the school server, that even slows down the site login process as GET and POST are from external server.
So you should be concentrating on the following:
1. Compress JavaScript
2. Minify and compress CSS
3. Tune APACHE for optimizing PHP (if the server is Apache, as most PHP scripts are run on APACHE, I assumed this)
http://phplens.com/phpeverywhere/tuning-apache-php
4. After tuning APACHE server, gimme a reply. I can help in optimizing PHP.

That's all, brother. That school people will stop bugging you.
Regards,
VVBB
 

callumacrae

If they've disabled autocomplete, I imagine they'll have disabled the ability to install plugins.

~Callum
 

shant93

No, they've disabled autocomplete from the webform. This is for trying to access the school from anywhere.
 