I am in the progress of making a mobile App for a website to view your schedule. They don't provide any API and has no intention to make one.
The website can only function with Ajax, however to fake these requests and scrape the website I need to fake the __EVENTVALIDATION
post field.
I have no control whatsoever over the website and I have never built anything using ASP.NET or Microsoft Ajax.
Has anyone done this?
I have found that the __EVENTVALIDATION
field has this pattern (...
symbolises bytes changed depending on the request, hexdump of the base64 decoded version):
d8 01 16 13 02 4f 0a ... f6 e0 84 d4 05 02 a0 3f e2 3f 03 02 3f d8 d1 d5 0c 02 bb 82 cf ec 08 02 b4 b5 99 f8 0b 02 3f 89 3f eb 04 02 d5 83 90 88 0a 02 8a db 94 90 03 02 8b cf 3f 85 08 02 93 3f b1 3f 06 02 9b 3f 8f a5 02 02 b5 b4 af 85 01 02 d1 fc ae 9c 0e 02 b4 e2 94 9e 0a 02 3f e2 94 9e 0a 02 3f e2 94 9e 0a 02 bb 92 80 a5 06 ...
I've dealt with this problem before in building scrapers for ASP.NET sites. You need to request the initial page that the browser user would ordinarily land on, extract the __VIEWSTATE
and __EVENTVALIDATION
hashes then use these in making the second request for the data which you actually need.
For example, if you're scraping the response from a form submission:
If you're looking for JavaScript functions to extract the hashes from markup, I've published the ones I use as ms-viewstate on GitHub.
__EVENT
VALIDATION
is a security measure.
The feature prevents unauthorized requests sent by potentially malicious users from the client. To ensure that each and every postback and callback event originates from the expected user interface elements, the page adds an extra layer of validation on events. The page basically matches the contents of the request with the information in the __EVENTVALIDATION field to verify that no extra input field has been added on the client and that value is selected on a list that was already known on the server. The page generates the event validation field during rendering-that is at the last possible moment when the information is available. Like the view state, the event validation field contains a hash value to prevent client-side tampering.
The hash value is based on a key at the server level. So you cannot replicate that hash - or rather, if you did, without access to the server, I guess you found a security hole.
REF: MSDN
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With