Re: OT: question about HTTP headers
--- Malcolm Ferguson <Malcolm_Ferguson@yahoo.com> wrote:
> Roberto Sanchez wrote:
>
> >POST /mypay.asp HTTP/1.1
> >Host: mypay.dfas.mil
> >User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b)
> >Content-Length: 44
> > |-HiddenVal=Netscape5.0+%28Windows%3B+en-US%29
> >
> >
> >POST /mypay.asp HTTP/1.1
> >Host: mypay.dfas.mil
> >Content-Length: 40
> > |-HiddenVal=Netscape5.0+%28X11%3B+en-US%29
> >
>
> Some web servers don't check the method verb, thus you can use the GET
> method with POST data in the URL. You might be able to do something like:
>
>
> <https://mypay.dfas.mil/mypay.asp?HiddenVal=Netscape5.0+%28Windows%3B+en-US%29>
>
> I haven't tried this trick for a while, so I might have formulated it
> incorrectly, but I have done it before.
>
I tried this but it didn't work. HiddenVal was still showing up with X11
even when I fed Windows into the URL like you suggested.
>
> >I used wget to download the two .asp scripts that run when you first bring
> >up the page, but I could not find in the browser identification code where
> >this particular information was pulled from.
> >
>
> If you're posting your UA string, then either there's some client side
> script that has done this, perhaps via DHTML or whatever it's called
> (thus it won't appear if you wget the page), or it was detected on an
> earlier page and IIS inserted it into the content before serving it
> (presumably it would then be visible with wget). You've got it working
> with a non-IE browser under Windows, so there is no MSFT hidden logic
> here. Does any of this work if you disable JavaScript?
>
The site does not even load with JScript disabled. How else might IIS be
obtaining the string?
> Malc
>
-Roberto