PerlMonks  

Re: In-browser mech-like thing?

by Anonymous Monk
on Oct 30, 2010 at 23:41 UTC ( [id://868523]=note )


in reply to In-browser mech-like thing?

You're going to run into a wall called cross site request forgery (xsrf). What you're probably going to want to do is make a type of web proxy (something like this already exists though?) that takes the login, scrapes the page, takes more info and scrapes the page, and continues to repeat the process.

Either way, what you're asking about is a directed man in the middle attack. It might be completely legitimate because of the company policy of where your users work or some other law (I can't think of how or why and I doubt this is legitimate). But that should start you on enough resources to do what you want to do.

Replies are listed 'Best First'.
Re^2: In-browser mech-like thing?
by Anonymous Monk on Oct 31, 2010 at 11:00 UTC
    I can't think of a legitimate use for this; having a 3rd party BROWSER addon do automated logins on behalf of users to banks means that it needs to store login/pass for users... this is pretty much against most banking regulations AFAIK
      and furthermore, since the entire session (not just the login) is likely to be https, you won't be able to scrape the gibberish. you can automate pressing buttons etc, but the https info sent from the server will not be intelligible, afaik.
      the hardest line to type correctly is: stty erase ^H
        If we implement the scraper as a browser plugin/addon, the browser will provide the HTTPS content (and even the DOM) for us. IIRC, Chrome permits an addon/extension to insert some script into any page and do cross-domain AJAX requests (after the user allows it).

      Not necessarily, if the user/pass is stored by the browser addon in-memory for the current browsing session only. The user will then be slightly inconvenienced by having to enter a user/pass in the morning, but during the day as long as it does not close the browser, the browser addon can periodically login+logout on behalf of the user to check for new transactions.

      Also, how is this different from browsers themselves saving login username/password for the user (by explicit consent from the user)? Do banks in the US explicitly forbid this browser feature?
