Can I render a form from another website

Question

I have a user on website A and I need to log him to website B (not under my control) but without jeopardizing his password on website B. Website B doesn't have an API which is what's making this more complicated than should be.

My first option is to render my own form on website A, user enters his website B password into my form, and I somehow securely pass his website B password to website B to log him in. This means I have to first pass the password securely from the client to my server, then pass it again securely from my server to the end website. That's what I'm guessing I have to do, but I don't have a plan for how to implement these 2 hops securely, so I worry that I might expose the user's password somehow.

So I thought of the second option which is to render the same website B from website B onto my website. But the form on website B is part of a larger page, so can this be done?

• How would I isolate the code for the form itself from the code for the full page
• how to present the form on my website. I want the user to see it. iframe comes to mind but never worked with it
• will the form still be valid when the user clicks the submit button or does rendering the form on my website somehow invalidates it

These are the 2 different solutions I thought of. I welcome answers for each of them, and also welcome answers that suggest an alternate third approach that may be easier.

Answer 1

As long as you are using SSL on your site, there's not a significant risk in terms of compromising the user's password (unless you are doing financial transactions of some sort, then please clarify).

My suggestion would be, don't copy their form. Instead, replicate the HTTP POST generated by that form. You can do this completely programmatically and the user will never leave YOUR site, but (in most cases) the result will be that the user is logged in to THEIR site as well.

If there is some sort of hashed fields to deal with, request their form page (programatically) and use whatever values you receive to send back to the second site so that the request will validate. Their server doesn't know that the request isn't coming from a browser (indeed, you can add a user agent to the HTTP headers if you wish).

I have used this methodology against Verizon's site and LinkedIn (both for legitimate purposes) and it works.

To recap:

1. Learn the structure of their HTTP POST.

2. Add a login form to YOUR site.

3. Manipulate the request in your code to look like the POST their site expects.

4. POST to their site from your code.

5. Display the response to the user on your site (if needed), redirect, whatever.

Answer 2

It all depends on how the server you are POSTing to handles CSRF [Cross-Site Request Forgeries], as that is basically what you are doing. If they are using a Django that is relatively recent, for instance, then POST requests from an outside server will by default fail, unless they contain the csrf cookie value.

It is possible to get around this, if you have control of the server you are POSTing to as well.