LWP Client Masquerading
am 12.09.2005 19:09:32 von cplistsHi,
One of my clients recently asked me to embed a login form for one of their
partner websites into their own website. The form on the partner site has a
lot of extraneous information and other links. They have issues where their
users were following the link to the form and were being misled to other
parts of the site.
I examined the form and found that they were creating a token when the form
was feed to the client. I wrote a script using LWP::UserAgent and HTML::Form
to go get a token and called it via SSI to embed it in a copy of the form on
my client's site. I also found that they were using javascript base64 and
MD5 functions to encrypt the password and had to get them as well.
When I tested the form, I found that they must also be storing the client's
ip address when they issue the token. When I try my form using my gettoken
script, it fails. But if I get a token from my machine then cut and paste it
into the form on my client's site, I can login.
My question is would it be possible to use SSI environment variables to pass
the remote user's ip address to my gettoken script and have LWP impersonate
the user when it gets the token?
My fear is that all this is happening at a higher level and I would have to
get down to the socket level to spoof the other web server. If this is the
case, it's not really worth it to do this.
Your thoughts and comments would be appreciated.
Thanks,
Cameron