phpbeast Posted August 15, 2013 Share Posted August 15, 2013 How to bypass same origin policy Is there any existing browser plugin/another tool which can accomplish these tasks multiple times automatically: 1.Go to certain domain, 2. get data from my PHP script. 3. submit form, 4.get submission results 5. return results. 6.repeat 1-5 actios again. Why I don't use cURL ? Because There is same origin policy restriction and I cann't login to this website without using actual browser. p.s I'm not tryint to break this website or so, because I do have legal access to it. Quote Link to comment https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/ Share on other sites More sharing options...
.josh Posted August 15, 2013 Share Posted August 15, 2013 1) you can use cURL, it just sounds like you don't know how to use it to "fool" the server into thinking it's a browser. The only difference between a regular browser request and a cURL request are the header values sent. Your browser auto-pops most all that stuff, whereas with cURL, you can set them to anything you want. 2) same origin policy has nothing to do with cURL. Assuming you actually tried to do it w/ cURL, it's failing because you didn't sufficiently "fool" the server. 3) If you have legal access to the server, change the server settings to bypass the same origin policy! You can do this in your apache or IIS config files, or in .htaccess file 4) If you do not have legal (direct) access to the server, there is no bypassing the same origin policy, short of altering your core browser code and recompiling it Quote Link to comment https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/#findComment-1445210 Share on other sites More sharing options...
phpbeast Posted August 15, 2013 Author Share Posted August 15, 2013 Thanks for your help, Grumpy Old Man, 1) I'm trying to send every header I'm sending to this webpage using my browser, but it just doesn't work. The hidden variable named "javax.faces.ViewState" regenerates it's value each time I make request , so In essence I need to call curl_exec 2 times with the same cURL resource , 1st time to get this value, 2nd - to send form data, right ? This seems like possible to achieve, even I don't really clearly understand what does javax.faces.ViewState means.. But... There is another catch: This webpage sends a COOKIE and I am unable to save it. Why ? I don't have a clue, maybe it's the same origin policy ? curl_setopt($login_curl, CURLOPT_COOKIEFILE, 'cookie.txt'); curl_setopt($login_curl, CURLOPT_COOKIEJAR, 'cookie.txt'); 3) I have legal access only to the administration panel, not the source code. p.s This website runs on SSL if if does really matter. I do have curl_setopt($login_curl, CURLOPT_SSL_VERIFYPEER, FALSE); line in my code Quote Link to comment https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/#findComment-1445214 Share on other sites More sharing options...
.josh Posted August 15, 2013 Share Posted August 15, 2013 well then it sounds like this website uses some advanced methods to ensure someone is accessing it through a browser. You can replicate this with php/cURL but it sounds like you're basically going to have to put in a lot of effort to basically code up your own mini-browser in order to do it. You will likely have better luck attempting this in something like vb or java using a prefab "browser" module/extension - and then altering it, because no doubt they will likely honor the same origin policy out-of-the-box. But in any case, I suggest you revise your definition of "legal access." Having an account on a website, even some kind of admin account, does not mean you have the right to do what you intend to do, and FYI most sites very explicitly say in their ToS that you canNOT do things like what you want. Quote Link to comment https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/#findComment-1445219 Share on other sites More sharing options...
phpbeast Posted August 15, 2013 Author Share Posted August 15, 2013 Holy crap , I found why I couldn't get cookie from the request: I was missing curl_close($handle); ... Silly mistake. Well, I shouldn't really bother to think of some legal issues I may have, because a company is behind this , which I work for, and the're representatives of the bigger company this website I'm trying to cURL belongs to. I will try to continue cURL'ing and if I'm out of luck - I will search for another solution. I Was thinking maybe Chrome/Firefox plugin could be the solution, but somehow didn't find information if it is possible to get data from server(localhost) and pass to it. Thanks a lot for your help. I would really love to send you some beer-bucks If you pm me with your paypal account info once I manage to reconfigure my own paypal. Quote Link to comment https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/#findComment-1445227 Share on other sites More sharing options...
.josh Posted August 15, 2013 Share Posted August 15, 2013 ah okay well, just be careful on that legal shit.. if there IS an issue with it, it's always the lowest guy in the totem pole who gets used as the scapegoat.. in any case, beer-bucks is not necessary, but i won't complain if you send it anyway; never turn down a drink I always say! My paypal link is in my sig Quote Link to comment https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/#findComment-1445232 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.