
How to bypass same origin policy

 

Is there any existing browser plugin or other tool which can accomplish these tasks multiple times automatically: 1. Go to a certain domain, 2. get data from my PHP script, 3. submit form, 4. get submission results, 5. return results, 6. repeat 1-5 again. Why don't I use cURL? Because there is the same origin policy restriction and I can't log in to this website without using an actual browser.

 

p.s. I'm not trying to break this website or so, because I do have legal access to it.

https://forums.phpfreaks.com/topic/281214-how-to-bypass-same-origin-policy/

1) you can use cURL, it just sounds like you don't know how to use it to "fool" the server into thinking it's a browser. The only difference between a regular browser request and a cURL request is the header values sent. Your browser auto-populates most all that stuff, whereas with cURL, you can set them to anything you want.

 

2) same origin policy has nothing to do with cURL. Assuming you actually tried to do it w/ cURL, it's failing because you didn't sufficiently "fool" the server.

 

3) If you have legal access to the server, change the server settings to bypass the same origin policy! You can do this in your Apache or IIS config files, or in the .htaccess file.

 

4) If you do not have legal (direct) access to the server, there is no bypassing the same origin policy, short of altering your core browser code and recompiling it.
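Point 3 above relaxes the same-origin policy on the server side, which in practice means sending CORS headers. The following is an added example, not code from the thread or its posters, showing how a PHP endpoint can do that for an explicit allowlist of front-end origins, next to the reflect-anything variant that practitioners should avoid; the origin names are constructed for the example.

```php
<?php
// Added example (not from the thread): relaxing the same-origin policy for
// known front-end origins via CORS headers sent by the PHP endpoint itself,
// instead of (or in addition to) Apache/IIS/.htaccess settings.

// Origins permitted to call this endpoint; constructed for the example.
const ALLOWED_ORIGINS = [
    'https://app.example.invalid',
    'https://admin.example.invalid',
];

// Safe variant: exact-match allowlist, credentials allowed only for listed origins.
function corsHeadersFor(?string $origin): array
{
    // Exact match only: substring or regex checks would let an origin such as
    // "https://app.example.invalid.attacker.example" through.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];   // no CORS headers: the browser keeps enforcing SOP
    }
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Access-Control-Allow-Methods'     => 'GET, POST',
        'Access-Control-Allow-Headers'     => 'Content-Type',
        'Vary'                             => 'Origin',   // caches must key on Origin
    ];
}

// Weak variant, shown for contrast: echoing any Origin back behaves like "*"
// but also works with credentials, so any site a logged-in user visits could
// read this endpoint's responses as that user. Do not deploy this.
function corsHeadersReflectAny(?string $origin): array
{
    return $origin === null ? [] : [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
    ];
}

function sendCors(): void
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    foreach (corsHeadersFor($origin) as $name => $value) {
        header("$name: $value");
    }
    // Preflight requests get the headers and an empty 204 body.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        http_response_code(204);
        exit;
    }
}

sendCors();
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

Note that `Access-Control-Allow-Origin: *` cannot be combined with `Access-Control-Allow-Credentials: true` (browsers reject the combination), which is why people are tempted to reflect the Origin header; the allowlist above gives credentialed cross-origin access without opening the endpoint to every site.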

Thanks for your help, Grumpy Old Man,

 

1) I'm trying to send every header I'm sending to this webpage using my browser, but it just doesn't work. 

 

The hidden variable named "javax.faces.ViewState" regenerates its value each time I make a request, so in essence I need to call curl_exec 2 times with the same cURL resource, 1st time to get this value, 2nd to send form data, right? This seems possible to achieve, even though I don't really clearly understand what javax.faces.ViewState means..

 

But... There is another catch: This webpage sends a COOKIE and I am unable to save it. Why ? I don't have a clue, maybe it's the same origin policy ?

curl_setopt($login_curl, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($login_curl, CURLOPT_COOKIEJAR, 'cookie.txt');

3) I have legal access only to the administration panel, not the source code.

 

p.s. This website runs on SSL if it really matters. I do have the curl_setopt($login_curl, CURLOPT_SSL_VERIFYPEER, FALSE); line in my code

well then it sounds like this website uses some advanced methods to ensure someone is accessing it through a browser. You can replicate this with PHP/cURL but it sounds like you're basically going to have to put in a lot of effort to basically code up your own mini-browser in order to do it. You will likely have better luck attempting this in something like VB or Java using a prefab "browser" module/extension - and then altering it, because no doubt they will likely honor the same origin policy out-of-the-box.

 

But in any case, I suggest you revise your definition of "legal access."  Having an account on a website, even some kind of admin account, does not mean you have the right to do what you intend to do, and FYI most sites very explicitly say in their ToS that you canNOT do things like what you want.  

Holy crap, I found why I couldn't get the cookie from the request:

 

I was missing curl_close($handle); ... Silly mistake.
 
Well, I shouldn't really bother thinking about legal issues I may have, because a company is behind this, which I work for, and they're representatives of the bigger company this website I'm trying to cURL belongs to.
I will try to continue cURL'ing and if I'm out of luck, I will search for another solution. I was thinking maybe a Chrome/Firefox plugin could be the solution, but somehow didn't find information on whether it is possible to get data from a server (localhost) and pass it to it.
 
 
Thanks a lot for your help. I would really love to send you some beer-bucks if you PM me with your PayPal account info once I manage to reconfigure my own PayPal.
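The two-step flow described in the earlier post (one curl_exec to fetch the fresh javax.faces.ViewState token, a second on the same handle to submit the form) and the curl_close() discovery above fit together in one script. The following is an added example, not the poster's code, written for automating a form on a site you are authorized to use: the URL, field names and cookie-jar path are assumptions, TLS verification is left on, and the cookie jar is only written to disk when the handle is closed, which is the behaviour the poster ran into.

```php
<?php
// Added example (not code from the thread): two-step JSF form submission with
// PHP cURL. Step 1 GETs the form so the server issues a session cookie and a
// fresh javax.faces.ViewState; step 2 POSTs the fields plus that token on the
// same handle; curl_close() then flushes the cookie jar to disk.
// $url, $fields and the cookie-jar path below are assumptions for the example.

function newHandle(string $cookieJar)
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEFILE     => $cookieJar,  // cookies read from here on each request
        CURLOPT_COOKIEJAR      => $cookieJar,  // cookies written here on curl_close()
        CURLOPT_SSL_VERIFYPEER => true,        // keep certificate verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (compatible; form-automation-example)',
    ]);
    return $ch;
}

// Pull the hidden ViewState value out of the form page's HTML.
function extractViewState(string $html): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real pages are rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    $nodes = $xpath->query('//input[@name="javax.faces.ViewState"]/@value');
    return $nodes->length ? $nodes->item(0)->nodeValue : null;
}

function submitForm(string $url, array $fields, string $cookieJar): array
{
    $ch = newHandle($cookieJar);

    // Step 1: fetch the form (sets the session cookie, yields the token).
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    $page = curl_exec($ch);
    if ($page === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("GET failed: $err");
    }
    $viewState = extractViewState($page);
    if ($viewState === null) {
        curl_close($ch);
        throw new RuntimeException('javax.faces.ViewState not found in form page');
    }

    // Step 2: POST the fields plus the token, reusing the handle and its cookies.
    $fields['javax.faces.ViewState'] = $viewState;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    curl_setopt($ch, CURLOPT_REFERER, $url);
    $result = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = $result === false ? curl_error($ch) : '';

    // Step 3: closing the handle is what writes the cookie jar to disk.
    curl_close($ch);
    if ($result === false) {
        throw new RuntimeException("POST failed: $err");
    }
    return ['status' => $status, 'body' => $result];
}

// Usage with assumed URL and field names; the password comes from the environment
// rather than the source file.
$cookieJar = __DIR__ . '/cookie.txt';
$response  = submitForm(
    'https://example.invalid/app/login.xhtml',
    ['form' => 'form', 'form:username' => 'user', 'form:password' => getenv('APP_PASSWORD') ?: ''],
    $cookieJar
);
echo "HTTP {$response['status']}, " . strlen($response['body']) . " bytes\n";
```

Because each call to submitForm() opens and closes its own handle, the repeat step the original question asks for is just a loop around it; the session cookie persists in cookie.txt between iterations, while the ViewState is re-read from the page every time, since the server regenerates it per response.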

ah okay well, just be careful with that legal shit.. if there IS an issue with it, it's always the lowest guy on the totem pole who gets used as the scapegoat.. in any case, beer-bucks are not necessary, but I won't complain if you send it anyway; never turn down a drink I always say! My PayPal link is in my sig ;)
