RELEASE NOTES FOR Web Form Flooder Beta 0.2.0 (source and binary)
http://formflood.sourceforge.net
mailto: formflood@letiecq.org

Installing Web Form Flooder
---------------------------
Unzip formflood-source-beta-0.2.0 into a clean directory. This should
create a directory structure with com, com/html and com/datagen
subdirectories.

Source code:
Obtain and install the Java SDK for Java 1.4 (J2SE or J2EE) if you don't
have it. If you need it, it's available at http://java.sun.com. If you
can run "javac -version" from the command line, you should be good to go.

Binary code:
If you have the binary release, you only need to have the runtime
environment (AKA JRE). This binary release was compiled with Blackdown
Java 1.4.1-01 on a SuSE Linux 8.2 platform. If you can run
"java -version" from the command line you should be OK. If you can't,
download the JRE from http://java.sun.com.

Compiling Web Form Flooder
--------------------------
If you're compiling from source code, run the following command in the
directory where formflood.java has been unzipped:

    javac formflood.java

This should compile all of the source files for you. Let me know if you
encounter any errors with the compile (be helpful and give me the full
compiler output if you do this!).

Configuring Web Form Flooder
----------------------------
In the directory where formflood.java was unzipped, there should be a
file named formflood.cfg. If there isn't one, create it with a text
editor. The file should have the following entries:

    CrawlHelpURLs=0
    DataDir=c:\\test\\formflood\\
    SleepInterval=0
    MaxThreads=10
    FloodExternURLs=0
    TestFile=
    UserName=
    Password=

CrawlHelpURLs (currently not functioning)
    Setting this to 1 tells formflood to crawl any URLs which contain
    the substring "help". Normally you don't want to waste time crawling
    help files, so setting this to zero is recommended.

DataDir (Required, but content is Optional)
    Leave this blank unless you want to store the data support files
    (the files ending with .txt) in a different location than the
    directory that the program is located in. If you'd like to have
    different versions of these files to support flooding different
    URLs, just change this entry to the directory you want to use.
    Remember to include the trailing slash (Unix, etc) or backslash
    (Windows).

SleepInterval (Optional, set from the command line)
    This tells the application how many milliseconds to sleep between
    starting tasks. If you want to slow down execution, set this to
    10000 (for ten seconds) or higher as needs dictate. Setting this to
    zero prevents any pausing between tasks.

MaxThreads (Optional - default 10)
    This tells formflood how many simultaneous tasks to run. The maximum
    number of tasks waiting to go is twice this number. If you find
    tasks aren't getting run and the tasklist is full, increasing
    MaxThreads will fix this.

FloodExternURLs (Recommended =0)
    Setting this to zero prevents crawling URLs that aren't part of the
    host you initially used as a target. If you set this to one and the
    page has a link to another site, formflood will start crawling that
    site as well.

TestFile (currently not functioning)
    This was used in development to test the HtmlParser and see if it
    was interpreting http forms correctly. It probably does not work
    now.

UserName (temporary, do not use)
    If you run the application with the -u option, it will overwrite
    this value and use it to fill in any text inputs that appear to be
    asking for a username. If this is not specified on the command line,
    it is set to a zero-length string.

Password (temporary, do not use)
    As with UserName, but relates to password text inputs and is set
    with the -p option on application startup.

Tweaking the Analyzer
---------------------
The analyzer now looks at the (normally) displayed text as well as the
coded field name to try to determine what a field is for.
In most instances, forms are laid out within HTML tables with the
description of the field appearing either to the left of the field or
above it. Formflood looks within these table structures to identify
descriptive text, first looking to the left and then above.

If this analysis does not yield a clear determination of the purpose of
a field, formflood will make an entry in formflood.cfg with the format
HANDLE-<fieldname>=0. The <fieldname> corresponds to the "name" entry in
the HTML tag, and the number 0 corresponds to "ignore this". Change this
numeric value to one from the table below in order to direct the
analyzer how this field should be handled.

Any HANDLE entries in formflood.cfg override any decisions the analyzer
would otherwise make. You may want to delete obsolete HANDLE entries
after you're done with a site in order to prevent unintended analyzer
overrides.

HANDLE entry analyzer processing directives:

     0  ignore                  do not supply a value
     1  first name              (read from file fname.txt)
     2  last name               (read from file lname.txt)
     3  middle name             (read from file fname.txt)
     4  whole name              (first name last name)
     5  address line 1          (random number, street.txt, street|avenue|road)
     6  address line 2          (apt + random number:10% | blank:90%)
     7  city                    (city.txt)
     8  state                   (state.txt)
     9  zipcode                 (random number, 5 digits)
    10  country                 ("US":100%)
    11  social security number  (random number, 9 digits)
    12  phone number            (random number, 10 digits)
    13  [deprecated]
    14  ignore this field       (blank:100%)
    15  email address           (email_names.txt + @ + domains.txt)
    16  IP address              (random number IP formatted)
    17  area code               (random number, 3 digits)
    18  property value          (random 100000 to 500000)
    19  balance                 (random 80000 to 400000)
    20  company                 (company.txt)
    21  payment amount          (random 800 to 1600)
    22  years                   (random 1 to 12)
    23  credit card number      (creditcards.txt)
    24  date                    (0104 to 1208)
    25  user name               (supplied as -u argument)
    26  password                (supplied as -p argument)
    27  numeric data            (random 100000 to 9999999)
    28  user file               (read from file <fieldname>.txt)
    29  low percentage          (random 7.00 to 12.89)

note: Input text fields are typically limited to a fixed number of
characters. Selecting "numeric data" to fill in a 4 character field will
cause only the first four digits to be used, as the program will enforce
all length limitations.

So if formflood tells you that it doesn't know what to do with a field
it found called "mother_name", you can add HANDLE-mother_name=2 to
formflood.cfg and it will supply a last name from lname.txt in every
instance it encounters a field with that exact naming.

If a field is specified as "user file", formflood looks for a file with
that exact fieldname with a .txt extension that will have possible
candidates listed in the same manner as they are listed in fname.txt.

Modifying the Data Support Files
--------------------------------
Feel free to modify the fname, lname and other data files, but please
exercise caution with the credit card file. The card numbers in that
file pass the standard checksum validation tests but are guaranteed not
to correlate to anyone's account. They are commonly used as testing
numbers, and it's unlikely anyone would get into trouble using them.

In these data files, each line is a complete entry. Any extra carriage
return/line feeds at the end of the file will be interpreted as blank
entries, so be careful that the file ends at the end of the last data
line.

Running Web Form Flooder
------------------------
From the command line, type:

    java formflood http://thetargetURL.com

Where URL in that command is the URL you are targeting.

Optional command line arguments are:

    -u joe        (sets "joe" as the username - don't use a space)
    -p password   (sets "password" as the password - don't use a space)
    -s 10s        (sets the sleep interval to 10 seconds)
    -s 10m        (sets the sleep interval to 10 minutes)

You can get a dump of the task list by typing "i" on the console.
You may stop any tasks from being added by typing "q" on the console.
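
The checksum property described under "Modifying the Data Support Files", seen from the receiving server's side, as an added example that is not part of Web Form Flooder or of these release notes: a Luhn check alone accepts published test numbers, so screening needs a deny-list as well. The function names, the deny-list contents and the sample submissions are constructed for illustration; the page does not show what creditcards.txt contains.

```python
import re

# Constructed deny-list of widely published processor test numbers.
# Assumption: the page does not list the contents of creditcards.txt.
KNOWN_TEST_NUMBERS = frozenset({
    "4111111111111111",
    "5555555555554444",
    "378282246310005",
})


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def screen_card_field(raw: str) -> str:
    """Classify a submitted card field for server-side screening."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        return "malformed"
    if not luhn_ok(digits):
        return "bad_checksum"
    if digits in KNOWN_TEST_NUMBERS:
        return "test_number"  # checksum-valid, but tied to no account
    return "plausible"  # only the card processor can confirm an account


def flag_test_numbers(submissions):
    """Return the ids of submissions whose card field is a known test number."""
    return [s["id"] for s in submissions
            if screen_card_field(s["card"]) == "test_number"]


# Constructed sample form submissions (not captured traffic).
SAMPLE_SUBMISSIONS = [
    {"id": 1, "card": "4111 1111 1111 1111"},
    {"id": 2, "card": "1234567812345678"},
    {"id": 3, "card": "1234-5678-1234-5670"},
    {"id": 4, "card": "378282246310005"},
]

if __name__ == "__main__":
    for s in SAMPLE_SUBMISSIONS:
        print(s["id"], screen_card_field(s["card"]))
```
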

Known Issues
------------
The DataGenerator doesn't fully evaluate the form as a whole, but looks
at fields independently, which can cause data to not make sense as a
whole. States, zip codes and area codes now relate to each other, but
that's the extent of "linked data" so far. There may be other cases
where the data has to make sense as a whole, and we haven't included
functionality to allow tweaking this yet.

Forms which deal with credit card information provide data which will
probably not pass rudimentary validation outside of validating only the
credit card number. This is partly by design, so no real people end up
with their credit cards getting charged from a site. I am open to
improving credit card submissions, as long as the possibility of real
people getting charged is as close to zero as is humanly possible. If
you have suggestions, let me know.

The beta versions are not thoroughly tested, and may have bugs that are
revealed under circumstances (sites) that I haven't encountered. If a
bug is evident as a consequence of hitting a particular site and I can
hit it myself, please pass it on so I can debug the issue properly.

Some sites which have server-side validation of data may reject form
submissions, although this is less likely now than with previous
releases. We're interested to see where this may happen, so drop a note
if you see a formflood submission being rejected because of an incorrect
zip code or something like that.

Some sites which perform javascript validation and set hidden tags with
the validation results prior to submission will not work. When I include
full javascript evaluation, this should be solved.

Sites that obfuscate their content through javascript document.write()
commands (essentially having the client browser render the document)
don't work because we don't have a javascript parser. When full
javascript support is completed, this will be solved.

This is a beta version and has numerous other issues, many of which are
noted on http://sourceforge.net/projects/formflood where all issues are
tracked. If you find a bug that is not documented please let me know at
formflood@letiecq.org so it can be included and addressed in future
releases. I'd appreciate any information that would help me reproduce
the problem. If I can't see the website that demonstrated the error,
emailing me the source of the page will be very helpful.

Submitting bugs and change requests
-----------------------------------
Email me using the link on http://sourceforge.net/projects/formflood if
you encounter any undocumented problems. I will be happy to add you to
the project so you can submit bugs and RFE's if you have a sourceforge
account. Email me at formflood@letiecq.org if you don't have a
sourceforge account.

Changes in beta-0.1.4
---------------------
Added statistics report for number of known successful submits
Added default handling for credit card security verification codes
HANDLE directives in formflood.cfg override default processing
HANDLE directives now documented (in this file)
Unknown fields automatically generate formflood.cfg handling directives
HANDLE directives can specify user files in addition to default files
Improved default processing of person names
Changed argument delimiters to include equals sign

Changes in beta-0.1.4a (Emergency Bug Fix)
----------------------
Fixed bug introduced in javascript form action identification that broke
  all non-javascript form action directives
Fixed bug in command line parsing and standardized argument formats
Improved user interface output

Changes in beta-0.1.4b (Emergency Bug Fix)
----------------------
Fixed bug in HTML Parser that was causing form submissions to fail.
Corrected some minor problems.

Changes in beta-0.1.5
---------------------
Changed analyzer to evaluate user-displayed text when figuring out how
  to complete fields.
Consolidated some static values into ResponseCodes
Cleaned up code in HtmlParser
Added class to handle user-displayed text elements
Added additional handling logic for HTTP errors
Added support for OPTION tags where value is unspecified and relies on
  user-displayed text for values
Consolidated function code values in urlparser and UrlManager into
  ResponseCodes for clarity

Changes in beta-0.2.0
---------------------
Added facility for forms to use "linked data" sets of city, state, zip
  and area code so forms pass validation.
Fixed bugs in user-displayed text analysis.
Cleaned up some of the extraneous ThreadManager output so it's easier to
  understand.
Numerous bugfixes regarding null pointers in some situations
Added rudimentary support for username/password guessing
Added "low percentage" handle directive
Fixed bug that prevented links from being recognized unless they were
  the first element in an anchor tag.
Added locations.txt data support file to provide city, state, zip code
  and area code data
Added restriction on flooding sites within the .mil TLD.
Consolidated some functionality from HtmlTag and MultiTagHtmlTag into
  HtmlElement class.
Interface now displays the page HTML title during analysis
Fixed bug that caused formflood.cfg to get smoked by competing threads