Problem using controls for fields within a web page

[ejs]

Has anyone successfully used controls for fields, buttons, and graphical links on a web page (e.g., name, address, password, SUBMIT etc.)? Or, if you encountered the same problem that I describe below, did you come up with any workarounds, perhaps that do not use controls?

 

The Macro Express help file warns "Sometimes the only control in a given program is the window or dialog that pops up when the program starts."

 

This appears to be the case with all of the web browsers I tried, which means that controls are useless for filling out web forms. (My objective was to have a macro that fills in the username and password on web pages using controls in order to circumvent spyware that could log keys if macro express were to use text type or clipboard paste to populate the web form fields.)

 

Here the results from the Macro Express get control utility on each of the browsers I tried.

 

Windows XP SP2 - IE 7.0 - the entire window is the only control with control class name = Internet Explorer_server

Windows XP SP2 - Netscape 7.2 - the entire window is the only control with control class name = MozillaWindowsClass

 

Windows XP SP1 - IE 6.0 - the entire window is the only control with control class name = Internet Explorer_server

Windows XP SP1 - Netscape 7.2 - the entire window is the only control with control class name = MozillaWindowsClass

 

To benchmark that I am doing this right, I did successfully use the get control utility on the Microsoft windows calculator application to ensure that it recognized each calculator button and field as a control.

[Cory]

Controls are in proper Windows applications and you will never find one in an HTML document. Even though this is a limitation I do a ton of stuff in web browsers and have always been able to make things work. My first approach is to see if I can somehow use offline files. That is the actual HTML in the file to extract links and such but with so much Java and other scripting languages this rarely works. Next I try Text Type commands. You can often tab X number of times to do what you want. Also I use CTRL+F to find label text then tab. Mouse moves and clicks are often easier but if you distribute the macro or make any changes to toolbars or if the web page graphics change a little you're hosed. Many things change the graphic alignment in web browsers. If you do use I suggest first setting a base reference point. At first it will be 0,0. Then add this to all your stored mouse positions. You see usually the change in a web page will all the features in relation to the window but not each other. This way you can adjust for a new ad banner or whatever in one place. Also I've used stored offset or mouse positions. I store them in the registry and create a simple macro to have the user point out all the buttons or elements I need to move to and save that in the registry. Now each machine can have it's own independent values and use the same macro script. Also dont' forget tehre are a ton of key combos to use in web browsers. For instance F6 to get to the address bar or F5 to refresh, things like that.

[ejs]

Thanks Cory.

 

Between using tabs and mouse clicks, I've gotten my macros to be able to get to the correct form fields for most of the web sites. Like you, I found that the off-line approach usually is not feasible.

 

My biggest concern is how to stuff my text string into the form field in a way that key logging spyware cannot read the password. When I discussed this question on a earlier post, the response was that using macro express text type and macro express clipboard paste would still expose the text to being captured by spyware. There was a suggestion that sending text to a control would occur at a layer that key logging software would not capture.

 

Since the control approach evidently is not feasible for web sites, do you have any suggestion for how I can make macro express fill in the text in a form field in a way that key logging software cannot capture it?

 

Here's the only remaining (poor) idea I have: currently, my macros use text type to outpulse the URL. I could change this so that I set up a shortcut or bookmark to each URL so that the macro can go to the web site without typing the URL. The key logging software would still be able to capture the user ID and password that macro express types, but the key logging software would not know which URL was submitted before entering that userid and password. But the inherent weakness to this approach is that the key logging software can captured the active window name for any typed text, and the window name would be enough for the hacker to figure out the URL (e.g., even if the key logging software doesn't show that the URL is www.ebay.com, it's not hard to figure out that my userid and password must be for eBay if the active window has the word 'eBay' in it.)

[Cory]

Well my feeling is if you want to avoid keyloggers don't install them.

 

Seriously I can't think of any way to do what you propose. In order to enter that password one has to type it in. You might try and confuse them by doing something like typing half the password, tabbing ahead, back, End, and then the rest of the password but that's a pain and if a human ever scrutinized it they would probably figure it out. And if you wanted to hide the file you could always create a simple HTML file with ME3 that would make a file with an instantaneous redirect so they wouldn't see you typing in the URL but like you say if the title of the window is bankofamerica.com well... I think most of these loggers probably operate on the same principle that ME3 does so I don't know how one could avoid it.

 

If it was a controlled enough environment you might be able to maintain a list of approved processes and if the user is running anything unknown report it and don't run. However many appear as the generic service host so that's no sure bet either. Or, again if it's a controlled environment, you could have ME3 verify that the company Anti-spyware software is running and up to date.

 

Wouldn't it be better to use one of the commercially available secure website applications? I mean why reinvent the wheel?

 

Mehh... All hare brained ideas really. I think you're at an impasse.

[kevin]

If you already know the password and want it to be entered by the macro you can use one of these methods:

Variable Set String %T1% "MyPassword"
Text Type: <CTRLD>c<CTRLU>

Variable Set String %T1% "MyPassword"
Clipboard Paste

The only thing a keylogger would see is the Ctrl-c used to paste the password.

 

You could keep someone from seeing the password by examining the macro file by using the Encrypted Text command. Like this:

Encrypted Text
Text Type: <CTRLD>c<CTRLU>

Encrypted Text
Clipboard Paste

[ejs]

Cory - can you tell me the names of some of the 'commercially available secure website applications' that have capabilities to defeat key loggers? I'll consider these. I did look into anti-key logger software, but most of them appear to use a mechanism that would also disrupt macro express's ability to use hot keys and short keys for activation.

 

Kevin - the problem is that the "best" spyware not only does key logging but also logs the clipboard contents, so even though the key log trace would only show a paste command, the clipboard trace would still reveal the password.

[Cory]

Funny you should ask. At lunch I was reading MaximumPC and found a free one in their "softy awards". Check out KeePass. I don't know if it can defeat keyloggers but at least it keeps all it's data on the hard disk encrypted. I'm sure if you ask they would be able to tell you if they can avoid keyloggers. However I'm not sure it's clearly known how all the keyloggers in the world work so that might be a loaded question. There are many other pay apps for this as well, you might shop around and ask the same question of them.

 

Again though, I think your tack is wrong. I suggest you invest in good anti-Virus/anti-spyware. Perhaps it's not spyware you're worried about but rather parental controls or corporate monitoring software? IOW anti-spyware isn't going to do it for you.