Re: OT: question about HTTP headers

From: Malcolm Ferguson (Malcolm_Ferguson_at_yahoo.com)
Date: 08/14/03

    Date: Wed, 13 Aug 2003 23:11:42 -0400
    To: debian-user <debian-user@lists.debian.org>
    
    

    Roberto Sanchez wrote:

    >POST /mypay.asp HTTP/1.1
    >Host: mypay.dfas.mil
    >User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b)
    >Content-Length: 44
    > |-HiddenVal=Netscape5.0+%28Windows%3B+en-US%29
    >
    >
    >POST /mypay.asp HTTP/1.1
    >Host: mypay.dfas.mil
    >Content-Length: 40
    > |-HiddenVal=Netscape5.0+%28X11%3B+en-US%29
    >

    Some web servers don't check the method verb, thus you can use the GET
    method with POST data in the URL. You might be able to do something like:

    <https://mypay.dfas.mil/mypay.asp?HiddenVal=Netscape5.0+%28Windows%3B+en-US%29>

    I haven't tried this trick for a while, so I might have formulated it
    incorrectly, but I have done it before.

    >I used wget to download the two .asp scripts that run when you first bring
    >up the page, but I could not find in the browser identification code where
    >this particular information was pulled from.
    >

    If you're posting your UA string, then either there's some client-side
    script that has done this, perhaps via DHTML or whatever it's called
    (thus it won't appear if you wget the page), or it was detected on an
    earlier page and IIS inserted it into the content before serving it
    (presumably it would then be visible with wget). You've got it working
    with a non-IE browser under Windows, so there is no MSFT hidden logic
    here. Does any of this work if you disable JavaScript?

    Malc
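
Added example, not part of the original message: a minimal WSGI comparison of the server-side behaviour discussed above, with a handler that ignores the request method and merges URL and body fields next to one that accepts only POST and reads form fields only from the body. The handler names and the `call` helper are hypothetical; the sample form value is the one quoted in the thread.

```python
import io
from urllib.parse import parse_qs

# Form body from the second request quoted in the thread (Content-Length: 40).
FORM = "HiddenVal=Netscape5.0+%28X11%3B+en-US%29"

def _fields(raw):
    # parse_qs decodes %XX escapes and '+'; keep the first value of each field.
    return {k: v[0] for k, v in parse_qs(raw).items()}

def _body(environ):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    return environ["wsgi.input"].read(length).decode("ascii", "replace")

def lenient_app(environ, start_response):
    """Never looks at the verb and merges URL and body fields."""
    fields = _fields(environ.get("QUERY_STRING", ""))
    fields.update(_fields(_body(environ)))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("HiddenVal=" + fields.get("HiddenVal", "")).encode()]

def strict_app(environ, start_response):
    """Accepts POST only and takes form fields from the request body only."""
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"POST required"]
    fields = _fields(_body(environ))  # the query string is deliberately ignored
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("HiddenVal=" + fields.get("HiddenVal", "")).encode()]

def call(app, method, query="", body=b""):
    """Drive a WSGI app in-process with a constructed request (no network)."""
    seen = []
    environ = {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    chunks = app(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(chunks).decode()

if __name__ == "__main__":
    print(call(lenient_app, "GET", query=FORM))        # field accepted from the URL
    print(call(strict_app, "GET", query=FORM))         # rejected with 405
    print(call(strict_app, "POST", body=FORM.encode()))
```

Form values sent in the URL are also recorded in server access logs and browser history, which is one reason to accept them from the POST body only.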

    
