Using cURL to complete ASP.NET (.aspx) forms

If you have landed here, it is because you are trying to use cURL to submit an ASP.NET web form and have found that it is not as easy as it is with PHP forms. This is due to the nature of ASP.NET: how it handles HTTP requests, and some tools it provides to help website developers create sites that can pass information from one page to another without depending only on the URL.

Background

First of all, let's talk a little about HTML. I know this is not why you are here, but if you are interested not only in how to solve the issue but also in understanding it, I'd recommend spending a minute reading this.

Basically, HTML forms are a set of input controls (text boxes, combo boxes, command buttons, etc.) which allow the website visitor to complete the form and submit it, commonly using a command button. On the HTML side the form tag has attributes, the most important being Action and Method. The Action attribute defines which script on the server side will receive and process the data submitted by the user. The Method attribute takes one of two values, GET or POST, which correspond to the HTTP methods for form submission. GET means that when the form is submitted the data is passed to the script (named in the action attribute) as part of the URL, while POST invokes the script but passes the data in the body of the message. The HTML standard says GET should be used when the form being submitted has no side effects (like updating a database), but it also says that if you don't define the method in the form tag, GET is chosen by default.

As we said, GET and POST are HTTP methods. Every time you visit a web site your browser is actually sending an HTTP GET request, so you might be wondering "If GET is for reading a website, how can it be used to submit a form?" Well, as we said, if you use GET to submit a form, the data being sent is attached to the URI, something like http://www.test.com/formprov.pl?var1=val1&var2=val2. This works because the script on the other side knows how to read the parameters that follow the script name. As said, GET should not be used in forms whose action will modify data on the other side, but you can use it, for example, for a search form.

Now let's talk a little about ASP.NET. ASP.NET includes some hidden controls in forms to help website developers build more powerful and friendly sites. The main one is __VIEWSTATE. There are some others, but let's focus on View State, which is the most common one (here is a great in-depth article on how the View State field works: http://msdn.microsoft.com/en-us/library/ms972976.aspx). From this article:

View state’s purpose in life is simple: it’s there to persist state across postbacks.

I believe you don't need to know more than this, but if you are interested you can read the previously mentioned article, which is really good.

View State Value

View state and other similar fields can be disabled, but for the purposes of this article let's suppose we don't have access to the website options; we just want to automate the filling of a form created by someone else. Anyhow, if you disable View State, you will still see it in the HTML. View state is one of the values you will have to submit when posting the form. View State is always the same unless it is a postback. Let's see how to find the view state value programmatically:

curl -Ss http://www.test.com | grep -i VIEWSTATE | awk '{print $5}' | awk 'BEGIN {FS ="\""}{print $2}'

Submitting the ASP.NET form with cURL

Now let's talk about how to fill in an ASP.NET web form using cURL. First let's take a look at the command and how it should be structured. cURL uses the -d parameter to submit form data: between quotes you include the different input controls with the values being inserted (including the submit button), and finally the full URL of the page:

curl -d "input=value&input=value" website

As we have already seen, there are some hidden fields. You could look at the HTML code in your browser to track down all the input controls, or you can figure out which fields are required by submitting the form manually and then checking with a sniffer what is being submitted. I prefer the latter. In the following example you will see the form submission for a form with one textbox (txtIP) and one button (btnSubmit):

[Image: sniffer capture of the form submission]

*black blocks are sensitive information about my network.

As you can see, not only the textbox is being submitted, but also the click on the button, and in this case the VIEWSTATE and EVENTVALIDATION controls, which are used by ASP.NET. Once you've got this information, it is as easy as creating a script that runs the following commands:

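#!/bin/sh
value="value"
# Extract the __VIEWSTATE value: 5th field of the matching line, then the text between the quotes
vs=$(curl -Ss http://www.test.com | grep VIEWSTATE | awk '{print $5}' | awk 'BEGIN {FS ="\""}{print $2}')
# The view state is base64 (it can contain +, / and =), so let curl URL-encode it; the __EVENTVALIDATION value below is already encoded
curl --data-urlencode "__VIEWSTATE=$vs" -d "__EVENTVALIDATION=%2FwEWAwKOmpmUDgK4%2B5bqDwLCi9reA8ylmZ8cftBo8UxuqRGL%2B8tMkhFZLoZFbbVgdvSxixWc&txtIP=$value&btnSubmit=Submit" http://www.test.com/test.aspx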

As you can see, in the previous example script I'm not obtaining the __EVENTVALIDATION control programmatically, but you can obtain it in exactly the same way as __VIEWSTATE.
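The same procedure with both hidden fields read from the page, as an added example that is not part of the original post. It goes a step further than the script above by matching each field by its name attribute instead of by awk column, and by percent-encoding the values before they go into the body. The function names (hidden_field, urlencode, build_body) are hypothetical and the sample HTML and its values are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example, not the post's script. Sample HTML and its values are constructed.
sample_html() {
cat <<'EOF'
<form method="post" action="test.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTE+abc/def==" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwKO+xyz=" />
<input name="txtIP" type="text" id="txtIP" />
<input type="submit" name="btnSubmit" value="Submit" id="btnSubmit" />
</form>
EOF
}

# hidden_field NAME: read HTML on stdin, print the value of the input named NAME.
# Assumes name= precedes value= inside one tag on one line, as ASP.NET renders it.
hidden_field() {
  sed -n "s/.*name=\"$1\"[^>]*value=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# urlencode STRING: percent-encode everything except RFC 3986 unreserved characters.
# Base64 view state contains + / = ; sent raw, the server would read + as a space.
# Assumes ASCII input, which holds for base64 values.
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# build_body HTML TXTIP: assemble the POST body for the post's txtIP/btnSubmit form.
build_body() {
  vs=$(printf '%s\n' "$1" | hidden_field __VIEWSTATE)
  ev=$(printf '%s\n' "$1" | hidden_field __EVENTVALIDATION)
  [ -n "$vs" ] && [ -n "$ev" ] || { echo "hidden fields not found" >&2; return 1; }
  printf '__VIEWSTATE=%s&__EVENTVALIDATION=%s&txtIP=%s&btnSubmit=Submit' \
    "$(urlencode "$vs")" "$(urlencode "$ev")" "$(urlencode "$2")"
}

# Offline run on the constructed sample:
build_body "$(sample_html)" "192.0.2.10"; echo
# Against a live page, fetch once and reuse that HTML for both fields:
#   html=$(curl -Ss http://www.test.com/test.aspx)
#   curl -Ss -d "$(build_body "$html" "$value")" http://www.test.com/test.aspx
```

Reading both fields from a single fetch keeps __VIEWSTATE and __EVENTVALIDATION from the same rendering of the page.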

Hope this is useful to you. I would have loved to find an article explaining this when I was looking for how to do it :)

Hernán J. Larrea
