Web Security : Automating with LibWWWPerl - Simulating Form Input with POST, Capturing and Storing Cookies

1. Simulating Form Input with POST

1.1. Problem

You want to programmatically issue requests that mimic form inputs by a user.

1.2. Solution

See Example 1.

Example 1. Basic Perl script to submit a form

#!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common qw(POST); $URL = "http://www.example.com/login.php"; $UA = LWP::UserAgent->new(); $req = HTTP::Request::Common::POST( "$URL", Content_Type => 'form-data', Content => [ USERNAME => 'admin', PASSWORD => '12345', Submit => 'Login' ] ); $resp = $UA->request($req); # check for error. Print page if it's OK if ( ( $resp->code() >= 200 ) && ( $resp->code() < 400 ) ) { print $resp->decoded_content; } else { print "Error: " . $resp->status_line . "\n"; }

1.3. Discussion

Example 1 shows posting to a simple login page (login.php) with 2 fields: USERNAME and PASSWORD. If you had a list of usernames and passwords you wanted to try programmatically, you could iteratively redefine $req and reinvoke the $UA->request() method to reissue new login attempts—perhaps in a foreach or while loop.

The Submit item in the form data is simply there for the sake of being identical to what a real browser would send. Many applications do not care what the value of the Submit button is, but the browser will send that value anyways. You could imagine, however, some circumstances where a form might have multiple Submit buttons, and the value of the Submit button would be significant. For example, a search page might have Basic Search and Advanced Search buttons, and your script must change the value of the Submit button to tell your application which button was clicked.

2. Capturing and Storing Cookies

2.1. Problem

Most web applications will use cookies, possibly in conjunction with other techniques, to manage state or maintain session identity. To login and stay logged in, your Perl script will have to receive these cookies and send them back throughout its session. Doing this programmatically allows you to also test various attributes of session maintenance.

2.2. Solution

See Example 2.

Example 2. Perl script that automatically captures cookies

#!/usr/bin/perl use LWP::UserAgent; use HTTP::Cookies; use HTTP::Request::Common; $myCookies = HTTP::Cookies−>new( file => "cookies.txt", autosave => 1, ); $URL = "http://www.example.com/login.php"; $UA = LWP::UserAgent->new(); $UA->cookie_jar( $myCookies ); $req = HTTP::Request->new( GET => "http://www.example.com/" ); $resp = $UA->request($req); # check for error. Print page if it's OK if ( ( $resp->code() >= 200 ) && ( $resp->code() < 400 ) ) { print $resp->decoded_content; } else { print "Error: " . $resp->status_line . "\n"; }

2.3. Discussion

The code in Example 2 assumes you want to store your cookies in a file, perhaps because you want to look at them after your tests run or perhaps because you have engineered malicious cookies in advance and want to load them. You can change the invocation of the cookie_jar() method to create an empty cookie jar (and one that will be lost when the script terminates) by writing $UA->cookie_jar( {} ).