
GAE: POST OK as a local HTML file but not on GAE SDK or GAE infrastructure

We have a web site which allows users to log in by using hidden inputs to pass the username and password in an HTML form, as follows (I know it's insecure, but that's what I am asked to do :-( ).

<form method="post" action="https://...">
  <input name="username" value="..." type="hidden">
  <input name="password" value="..." type="hidden">
  <input type="submit" value="submit">
</form>

If the HTML file is saved as a local HTML file, I can log in successfully by submitting the form (the URL shown in the browser is file:///.../xxx.html ).

However, if I use the GAE SDK to render the HTML file, I am not able to log in, and the web site complains that I am trying to log in from an unknown source (the URL shown in the browser is http://localhost:8080/ ).

If I deploy the system to the GAE infrastructure, I am not able to log in either, with the same error message as above (the URL shown in the browser is http://xxxxx.appspot.com ).

I wonder what the difference is between a local HTML form and a website-rendered form.

How can I enable logging in from a website-rendered form?

The important part is the final HTTP communication between your browser and the login service you are using; the form post will translate to that in the end. To see any difference, you can use any browser's developer tools (in Chrome: View -> Developer -> Developer Tools) and look at the Network event when submitting the form. You will notice some differences between a POST made from a file and a POST made from a file served by a local or cloud server (like the Google SDK or Google App Engine). I made a quick test, and the main difference is:

When POSTing from a file:

Origin:null

And when POSTing from HTML served by a server:

Origin:http://localhost:26124
Referer:http://localhost:26124/testform/

From a server-side perspective, you can set up a mock POST listener (I did it on the SDK); this is the code:

import logging

# BaseHandler is the app's own webapp2.RequestHandler subclass (not shown here)
class TestFormHandler(BaseHandler):
    def get(self):
        # Serve the same hidden-input form, posting back to this handler
        form = """
              <form method="post" action="">
              <input name="username" value="valueusernamme" type="hidden">
              <input name="password" value="valuepassword" type="hidden">
              <input type="submit" value="submit">
              </form>
        """
        self.response.out.write(form)

    def post(self):
        # Log everything the browser sent so a file:// POST and a server-served
        # POST can be compared side by side in the dev server log
        logging.info(self.request.body)
        logging.info(self.request.headers)
        logging.info(self.request.params)
        logging.info(self.request.cookies)

And then use a file with the form (make sure the form action is the address of your local or cloud service: localhost and port if it's on your own machine), or access the service you set up (the GET handler that returns the previous form).

After printing the body, headers, params and cookies of that form:

With the file POST:

username=valueusernamme&password=valuepassword

{'X-Appengine-Country': 'ZZ', 'Content-Type': 'application/x-www-form-urlencoded', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'es-419,es;q=0.8,en;q=0.6', 'Content_Length': '46', 'Content-Length': '46', 'Content_Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.69 Safari/537.36', 'Host': 'localhost:26124', 'Origin': 'null', 'Pragma': 'no-cache', 'Cookie': 'dev_appserver_login="test@example.com:True:185804764220139124118"; PHPSESSID=f87c32d417539f8d2903ac76dc5fef1f; language_id=1; __atuvc=0%7C43%2C1%7C44%2C8%7C45%2C0%7C46%2C54%7C47; session=eyJfY3NyZl90b2tlbiI6IjVzcVhEayJ9|1418620181|f01cc7c352763ebe30a0c1d2a34f063112641bbd; _ga=GA1.1.629360734.1406657652; hl=es_ES', 'Cache-Control': 'no-cache'}

UnicodeMultiDict([(u'username', u'valueusernamme'), (u'password', '******')])

UnicodeMultiDict([(u'__atuvc', u'0%7C43%2C1%7C44%2C8%7C45%2C0%7C46%2C54%7C47'), (u'PHPSESSID', u'f87c32d417539f8d2903ac76dc5fef1f'), (u'dev_appserver_login', u'test@example.com:True:185804764220139124118'), (u'session', u'eyJfY3NyZl90b2tlbiI6IjVzcVhEayJ9|1418620181|f01cc7c352763ebe30a0c1d2a34f063112641bbd'), (u'_ga', u'GA1.1.629360734.1406657652'), (u'language_id', u'1'), (u'hl', u'es_ES')])

With the file served from your server:

username=valueusernamme&password=valuepassword

{'X-Appengine-Country': 'ZZ', 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'es-419,es;q=0.8,en;q=0.6', 'Content_Length': '46', 'Content-Length': '46', 'Referer': 'http://localhost:26124/testform/', 'Content_Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.69 Safari/537.36', 'Host': 'localhost:26124', 'Origin': 'http://localhost:26124', 'Pragma': 'no-cache', 'Cookie': 'dev_appserver_login="test@example.com:True:185804764220139124118"; PHPSESSID=f87c32d417539f8d2903ac76dc5fef1f; language_id=1; __atuvc=0%7C43%2C1%7C44%2C8%7C45%2C0%7C46%2C54%7C47; session=eyJfY3NyZl90b2tlbiI6IjVzcVhEayJ9|1418620181|f01cc7c352763ebe30a0c1d2a34f063112641bbd; _ga=GA1.1.629360734.1406657652; hl=es_ES', 'Cache-Control': 'no-cache'}

UnicodeMultiDict([(u'username', u'valueusernamme'), (u'password', '******')])

UnicodeMultiDict([(u'__atuvc', u'0%7C43%2C1%7C44%2C8%7C45%2C0%7C46%2C54%7C47'), (u'PHPSESSID', u'f87c32d417539f8d2903ac76dc5fef1f'), (u'dev_appserver_login', u'test@example.com:True:185804764220139124118'), (u'session', u'eyJfY3NyZl90b2tlbiI6IjVzcVhEayJ9|1418620181|f01cc7c352763ebe30a0c1d2a34f063112641bbd'), (u'_ga', u'GA1.1.629360734.1406657652'), (u'language_id', u'1'), (u'hl', u'es_ES')])

Some services check the Origin of the request and can filter access using the Origin or Referer; I would try to look at the login service to find out if they have something in this regard.
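The following is an added example, not code from the question, the answer, or the login service in question: a server-side Origin/Referer check of the shape the answer describes, written in plain Python 3 so it works with any header mapping (webapp2's self.request.headers included). It reproduces the two cases captured above: a file:// POST arrives with "Origin: null" and no Referer, while a server-served POST arrives with a real Origin and Referer. The allow-list, the example-app.appspot.com host and the reduced header dicts are constructed for illustration; nothing is known from the post about the real service's rules.

```python
# Added example (not code from the original question or answer): a server-side
# Origin / Referer check of the kind the answer says some login services apply.
# Plain Python 3; takes any header mapping, so it is independent of webapp2/GAE.
# ALLOWED_ORIGINS and the sample header dicts are constructed for illustration.
from urllib.parse import urlsplit

# Hypothetical allow-list: the dev server origin from the answer's capture plus a
# placeholder production origin (example-app.appspot.com is not a real host).
ALLOWED_ORIGINS = ["http://localhost:26124", "https://example-app.appspot.com"]


def _origin_of(url):
    """Reduce a URL to its origin, scheme://host[:port], or None if it has none."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def request_origin(headers):
    """Work out where a POST came from, using Origin first and Referer as fallback.

    Returns a (kind, origin) pair:
      ("origin", "http://host:port")  a usable origin was found
      ("null", None)                  the browser sent "Origin: null" (file://,
                                      sandboxed iframe, some cross-origin redirects)
      ("missing", None)               neither header carried a usable origin
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return ("null", None)
        parsed = _origin_of(origin)
        if parsed:
            return ("origin", parsed)
    referer = lowered.get("referer")
    if referer:
        parsed = _origin_of(referer)
        if parsed:
            return ("origin", parsed)
    return ("missing", None)


def is_allowed_source(headers, allowed_origins=ALLOWED_ORIGINS, allow_null_origin=False):
    """Decide whether a login POST should be accepted based on its source.

    Real origins must match the allow-list exactly (scheme, host and port), never
    by prefix or suffix. "Origin: null" is rejected unless the caller opts in,
    because a null origin says nothing about who sent the request; a request
    with no usable origin at all is always rejected.
    """
    kind, origin = request_origin(headers)
    if kind == "origin":
        return origin in {o.lower() for o in allowed_origins}
    if kind == "null":
        return allow_null_origin
    return False


# Constructed header sets, reduced from the two captures in the answer above.
FILE_POST_HEADERS = {
    "Host": "localhost:26124",
    "Origin": "null",
    "Content-Type": "application/x-www-form-urlencoded",
}
SERVER_POST_HEADERS = {
    "Host": "localhost:26124",
    "Origin": "http://localhost:26124",
    "Referer": "http://localhost:26124/testform/",
    "Content-Type": "application/x-www-form-urlencoded",
}

if __name__ == "__main__":
    for name, hdrs in (("file://", FILE_POST_HEADERS), ("served", SERVER_POST_HEADERS)):
        print(name, request_origin(hdrs), "allowed:", is_allowed_source(hdrs))
```

A service built this way explains the behaviour in the question if it is configured to tolerate a null origin but not an unlisted real one: the file:// form passes because "Origin: null" is let through, while http://localhost:8080 and the appspot.com host are rejected as unknown sources until they are added to the allow-list, port included. Two caveats: the Referer fallback is best effort, since a page's referrer policy can strip it, and matching must be on the full origin string, because a suffix or substring match would accept lookalike hosts.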
