The analysis: Form-based access to SharePoint by WebDav

In the previous post I described the problem of accessing WebDav resources on a SharePoint server that has form-based authentication enabled. The basic idea behind the solution is actually quite easy:

When accessing the SharePoint portal on the external zone with ASP.NET membership accounts, you have to fill out the login form with your credentials. When you click the “Sign In” button, an HTTP POST is sent to the server containing some uniquely generated IDs for your current browser session and your credentials in plain text, keyed by the name of the containing form component. If the authentication is successful, the server returns a cookie containing the authorization state of the client. This cookie must be saved in the client's session and provided to the server every time the client communicates with it.

For Firefox there is a plugin called Live HTTP Headers which lets you analyze the communication between the client and the SharePoint server. When we fill in our credentials in the login form and click the “Sign In” button while the Live HTTP Headers extension is capturing the requests and responses, we see that one HTTP POST goes to the following URL:

POST /_layouts/login.aspx?ReturnUrl=%2f HTTP/1.1

containing the following data:

__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTc0NDQ2ODg4OQ9kFgJmD2QWAmYPZBYCAgMPZBYCAiEPZBYCAgEPZBYCZg9k
FgICDQ8QDxYCHgdDaGVja2VkaGRkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFJmN0bDAwJFBsYW
NlSG9sZGVyTWFpbiRsb2dpbiRSZW1lbWJlck1l9S3FBSzxWQyO6ymPe7jRIYYn0nI%3D&__EVENTTARGET=&__EVENTARGUMENT=
&__EVENTVALIDATION=%2FwEWBQL4wcCbCQLE96mtBQLLtsPBAgLkkP7MCgK%2FlZyyB2CgxVrMEgkHC5MEn4QbpWnmLPSX
&ctl00%24PlaceHolderMain%24login%24UserName=daniel.marbach%40planetgeek.ch&ctl00%24PlaceHolderMain%24login%24password=TeSt%252233&ctl00%24PlaceHolderMain%24login%24login=Sign+In&__spDummyText1=&__spDummyText2=

The server's response carries the authorization data as a cookie in its header:

Set-Cookie: .ASPXAUTH=D57FC7A044595A12C5E2926292BDBA7681DD95B0128E53ADD0CFDEB0FA0684341BFB98D1D8FA9DB5872D2EBED707ED6B2A1B9EB206138C5E0D4EF4D8EEF8C4BD22699E2FF14828750E55B948A5030FB03D3852442686096D2F90C272FB917D55D8B8A79C1CE2F06E20140169A3000E3F; path=/; HttpOnly

Analyzing the page source allows us to get a better understanding of what is posted to the server when clicking on “Sign In” (unnecessary HTML code has been stripped out for better readability):


<!-- Somewhere in the header -->
<input type="hidden" name="__LASTFOCUS" id="__LASTFOCUS" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/FwEPDwUKMTc0NDQ2ODg4OQ9kFgJmD2QWAmYPZBYCAgMPZBYCAiEPZBYCAgEPZBYCZg9k
FgICDQ8QDxYCHgdDaGVja2VkaGRkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFJmN0bDAwJFBsYWNlSG9sZGVyTWFpbiRsb2dpbiRSZW1lbWJlck1l9
S3FBSzxWQyO6ymPe7jRIYYn0nI=" />

<!-- Somewhere in the body-->
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/FwEWBQL4wcCbCQLE96mtBQLLtsPBAgLkkP7MCgK%2FlZyyB2CgxVrMEgkHC5MEn4QbpWnmLPSX" />

<!-- Somewhere in a table containing the form -->
User name: <input name="ctl00$PlaceHolderMain$login$UserName" type="text" id="ctl00_PlaceHolderMain_login_UserName" autocomplete="off" />
Password: <input name="ctl00$PlaceHolderMain$login$password" type="password" id="ctl00_PlaceHolderMain_login_password" autocomplete="off" />
<input type="submit" name="ctl00$PlaceHolderMain$login$login" value="Sign In" id="ctl00_PlaceHolderMain_login_login" />
<input id="ctl00_PlaceHolderMain_login_RememberMe" type="checkbox" name="ctl00$PlaceHolderMain$login$RememberMe" />

<!-- Somewhere in the body-->
<input type="text" name="__spDummyText1" style="display:none;" size=1/>
<input type="text" name="__spDummyText2" style="display:none;" size=1/>

We also see that the values of the input fields are sent URL-encoded to the server. Interesting are the two hidden dummy text fields that are appended to the POST. A nice feature of Live HTTP Headers is that it lets you replay the HTTP POST, or modify it and resend it. Play around a little bit with the various fields and values and see how this affects whether you are able to log in successfully or not.
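As an added example (not code from the original post), the following Python decodes a capture shaped like the login POST above, separates the `__`-prefixed framework fields from the form controls, lists the controls that carry credentials in clear text, and reports the attributes of the `.ASPXAUTH` cookie. The sample body and cookie are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl
from http.cookies import SimpleCookie

# Constructed sample capture, shaped like the login POST and response above.
# All values are placeholders, not the ones from the post.
SAMPLE_BODY = (
    "__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKc2FtcGxl%3D&__EVENTTARGET=&__EVENTARGUMENT="
    "&__EVENTVALIDATION=%2FwEWc2FtcGxl"
    "&ctl00%24PlaceHolderMain%24login%24UserName=alice%40example.org"
    "&ctl00%24PlaceHolderMain%24login%24password=S3cret%2521"
    "&ctl00%24PlaceHolderMain%24login%24login=Sign+In"
    "&__spDummyText1=&__spDummyText2="
)
SAMPLE_SET_COOKIE = ".ASPXAUTH=0123456789ABCDEF; path=/; HttpOnly"


def split_login_post(body):
    """Decode a form-urlencoded body into '__' framework fields and control fields."""
    state, controls = {}, {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        (state if name.startswith("__") else controls)[name] = value
    return state, controls


def credential_fields(controls):
    """Control names whose last '$' segment marks them as carrying credentials."""
    return [n for n in controls if n.rsplit("$", 1)[-1].lower() in ("username", "password")]


def audit_auth_cookie(set_cookie, name=".ASPXAUTH"):
    """Report attributes of the forms-authentication cookie from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar[name]
    return {
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "path": morsel["path"],
        "persistent": bool(morsel["expires"] or morsel["max-age"]),
    }


if __name__ == "__main__":
    state, controls = split_login_post(SAMPLE_BODY)
    print("framework fields:", sorted(state))
    print("credential fields in clear text:", credential_fields(controls))
    print("cookie:", audit_auth_cookie(SAMPLE_SET_COOKIE))
```

The sample cookie has the same attribute set as the header shown in the post (`path=/; HttpOnly`), so the audit reports HttpOnly set and Secure absent; a cookie without the Secure attribute is also sent over plain HTTP connections.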

In the next post I’ll cover how to implement the POST to the server, the cookie retrieval and the injection of the cookie into the WebDav communication session. Stay tuned!

About the author

Daniel Marbach
