Thread: Need help discovering dynamic DOM value

  1. #1
    Join Date
    Oct 2011

    Need help discovering dynamic DOM value

    I am building a script to automate some tasks in a classifieds site I use frequently. I have successfully scripted everything except for 1 piece. I have examined the HTTP posts during login, and there are 2 form values that are being dynamically added to the DOM just before form submission: "x" and "y". I know this because x and y appear in my form post inspector, but these do NOT appear in the page source anywhere. These get set to different integers each time, and I believe they're being used to defeat scripted logins. I believe the server-side code is checking for a match on those 2 vars. The funny thing is the system allows me to log in via script (no errors or warnings - I am just not submitting x and y), but when I get down to submitting a classified item, it is not successful. I know I am successfully submitting all form vars on all pages EXCEPT for this x/y stuff on the login page, because all the rest are static.

    I have tried in vain to figure out which values x and y should be, and I know they have to be embedded in the JavaScript someplace, since it's a client-side DOM update occurring. There is a lot of JavaScript going on, several JS include files, including jQuery, and lots of custom JS.

    • Firebug acts like there is no JavaScript, which I can't understand.

    • The Firefox plugin "Javascript Deobfuscator" is very interesting and is showing me all the JS that actually executes, but it's a voluminous amount and I don't even know where to start looking.

    If I could figure out how to use Firebug to attach to the form submit (login) button somehow, and debug through that, I'm sure I could find the mystery code adding the 2 form elements. Or maybe there's a more straightforward way to discover this.

    The login page is here: www.ksl.com/public/member/signin

    Any help with this would be greatly appreciated.

  2. #2
    Join Date
    Dec 2003
    Bucharest, ROMANIA
    The submit buttons (including the type="image") will automatically submit the position of the mouse when you click that button, as being x= and y=, in case that button has a name. Or even without that, in some browsers, in case of image type buttons.

    Probably the easiest way to get rid of that is to use something like:
    <form action="" onsubmit="this.submit();return false">
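
Added example, not part of the post above or of the site's code: a model of the image-button behaviour described in post #2, in which the submitted pair is measured from the image's top-left corner under the HTML form-submission rules. The function names and the button rectangle are assumptions; the click position 658,437 is the pair quoted later in the thread.

```javascript
// Illustrative model of HTML form submission for <input type="image">.
// All function names are hypothetical; nothing here is the site's code.

// click: {clientX, clientY}, or null for keyboard activation.
// rect: the button's box in viewport pixels {left, top, width, height}.
function imageButtonEntries(name, click, rect) {
  // The coordinate is relative to the image's top-left corner, not the
  // screen; activation without a pointer is reported as (0,0).
  let x = 0, y = 0;
  if (click) {
    x = Math.round(click.clientX - rect.left);
    y = Math.round(click.clientY - rect.top);
  }
  // A named button sends "name.x"/"name.y"; an unnamed one sends "x"/"y".
  const prefix = name ? name + "." : "";
  return [[prefix + "x", String(x)], [prefix + "y", String(y)]];
}

// submitter === null models form.submit() called from script: there is no
// submitter button, so no coordinate pair is added to the body.
function buildFormBody(fields, submitter) {
  const params = new URLSearchParams(fields);
  if (submitter) {
    const { name, click, rect } = submitter;
    for (const [k, v] of imageButtonEntries(name, click, rect)) params.append(k, v);
  }
  return params.toString();
}

// Server-side view (assumed check): what the pair in a received body can
// tell you. The values are client-supplied, so treat this as a weak signal.
function classifyClick(body, name, width, height) {
  const p = new URLSearchParams(body);
  const prefix = name ? name + "." : "";
  const xs = p.get(prefix + "x"), ys = p.get(prefix + "y");
  if (xs === null || ys === null) return "absent";
  if (!/^\d+$/.test(xs) || !/^\d+$/.test(ys)) return "malformed";
  const x = Number(xs), y = Number(ys);
  if (x === 0 && y === 0) return "keyboard-or-origin";
  return x <= width && y <= height ? "inside-image" : "outside-image";
}

// Constructed sample: an 80x30 button near the middle of the viewport.
const SAMPLE_RECT = { left: 640, top: 420, width: 80, height: 30 };
const SAMPLE_BODY = buildFormBody([["user", "alice"]],
  { name: "", click: { clientX: 658, clientY: 437 }, rect: SAMPLE_RECT });
console.log(SAMPLE_BODY, classifyClick(SAMPLE_BODY, "", 80, 30));
```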

  3. #3
    Join Date
    Oct 2011

    Thanks for the reply. Your response is reasonable, but I really think the x and y are being used to defeat scripting, for the following reasons:

    1- There are kilobytes of obfuscated JavaScript which (it appears to me) is being used to populate the x and y.
    2- The x and y values cannot be screen coordinates, because the numbers are always small and friendly pairs, such as 12,8 or 24,30 or 6,20 -- etc. If these were coords, the button would have to be very near the top left corner of the screen, and it's not. It's near the middle. If those were really coords then I would be seeing pairs like 658,437, etc.
    3- The fact that the DB inserts are not occurring despite the fact that I'm correctly emulating ALL name-value form post fields -- except for the X/Y.

    Also, you seem to think I have access to the application's source code. If I did, I wouldn't need to simulate form posts. :-)

    If you have any other ideas, I'd love to hear. Thanks.
