Filling Out Forms
Whether a site is selling fake Viagra or pretending to be your bank, at some point it is going to ask you for information such as your credit card number. It will solicit that data using an HTML form and submit it to a server-side script that records it in some way. The elements in that form show you the names of the input parameters for the script.
Example 5-3 shows a Perl script that will extract these from a web page. The script uses the HTML::TokeParser module to handle all the HTML parsing.
Example 5-3. extract_form_elements.pl
#!/usr/bin/perl -w
use HTML::TokeParser;

die "Usage: $0 <html file>\n" unless @ARGV == 1;

my $p = HTML::TokeParser->new($ARGV[0]) || die "Can't open: $!";

while(my $token = $p->get_token) {
    if($token->[0] eq 'S') {
        # Start tag: element 1 is the tag name, element 4 the original text
        if($token->[1] eq 'form'   or
           $token->[1] eq 'button' or
           $token->[1] eq 'input'  or
           $token->[1] eq 'select' or
           $token->[1] eq 'option' or
           $token->[1] eq 'textarea') {
            print $token->[4] . "\n";
        }
    } elsif($token->[0] eq 'E') {
        # End tag: element 2 is the original text; a blank line ends each form
        if($token->[1] eq 'form') {
            print $token->[2] . "\n\n";
        }
    }
}
When supplied with the name of a saved HTML file, the script outputs the tags associated with any forms on the page. In this example of a fake PayPal site, the form attempts to capture the victim’s email address and password in the fields login_email and login_password, and submit those to a CGI script called web2mail.cgi.
% extract_form_elements.pl log1.htm
<FORM action=http://<domain>/cgi-bin/web2mail.cgi method=post>
<INPUT ...
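The following is an added example, not code from the book: it goes one step beyond Example 5-3 by grouping the named parameters under each form's submission target, so an investigator can see which script receives which fields. It is written in Python rather than Perl, and the host phish.example, the sample markup and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIELD_TAGS = {"input", "select", "textarea", "button"}

class FormInventory(HTMLParser):
    """Collect each form's submission target and its named parameters."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form> seen
        self.current = None  # the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag/attr names arrive lowercased
        if tag == "form":
            target = urlsplit(a.get("action", ""))
            self.current = {
                "host": target.hostname or "",             # empty if relative
                "script": target.path.rsplit("/", 1)[-1],  # e.g. web2mail.cgi
                "method": a.get("method", "get").lower(),
                "fields": [],                              # (name, type) pairs
            }
            self.forms.append(self.current)
        elif tag in FIELD_TAGS and self.current is not None and a.get("name"):
            # Only named controls are sent to the script as parameters.
            kind = a.get("type", "text").lower() if tag == "input" else tag
            self.current["fields"].append((a["name"], kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def inventory(html):
    parser = FormInventory()
    parser.feed(html)
    parser.close()
    return parser.forms

def credential_forms(forms):
    """Forms that ask for a password, the ones worth tracing first."""
    return [f for f in forms if any(k == "password" for _, k in f["fields"])]

# Constructed sample modelled on the fake PayPal form; phish.example is a placeholder.
SAMPLE = """<FORM action=http://phish.example/cgi-bin/web2mail.cgi method=post>
<INPUT type=text name=login_email> <INPUT type=password name=login_password>
<INPUT type=submit value="Log In"></FORM>
<form action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    for form in inventory(SAMPLE):
        print(form["method"], form["host"], form["script"], form["fields"])
```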