
Get CSRF token using python requests

I am currently using Python Requests, and need a CSRF token for logging in to a site. From my understanding requests.Session() gets the cookie, but obviously I need the token. Also, I would like to know where to place it in my code.

import requests

user_name = input('Username:')
payload = {
    # pass the variable, not the literal string 'user_name'
    'username': user_name,
    'password': 'randompass123'
}

with requests.Session() as s:
    p = s.post('https://examplenotarealpage.com', data=payload)
Noah asked Jul 15 '18 19:07


People also ask

How do I get CSRF token in Python?

To fetch a CSRF token, the app must send a request header called X-CSRF-Token with the value fetch in this call. The server generates a token, stores it in the user's session table, and sends the value in the X-CSRF-Token HTTP response header.

Does CSRF apply to get requests?

A CSRF attack works because browser requests automatically include all cookies including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate authorized requests and forged authenticated requests.

Is CSRF token unique per request?

The web server needs a mechanism to determine whether a legitimate user generated a request via the user's browser to avoid such attacks. A CSRF token helps with this by having the server generate a unique, unpredictable, and secret value to be included in the client's HTTP request.

Where can I find the CSRF token?

A CSRF secure application assigns a unique CSRF token for every user session. These tokens are inserted within hidden parameters of HTML forms related to critical server-side operations. They are then sent to client browsers.


2 Answers

See the following code example. You can use it directly to log in to a website that only uses cookies to store login information.

import requests

LOGIN_URL = 'https://examplenotarealpage.com'
headers = {
    'accept': 'text/html,application/xhtml+xml,application/xml',
    'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36'
}

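# Fetch the login page first so the server sets its cookies.
# Note: verify=False disables TLS certificate verification for this request.
response = requests.get(LOGIN_URL, headers=headers, verify=False)

# Carry the cookies from the GET response over to the login POST
headers['cookie'] = '; '.join([x.name + '=' + x.value for x in response.cookies])
headers['content-type'] = 'application/x-www-form-urlencoded'
payload = {
    'username': 'user_name',
    'password': 'randompass123'
}

response = requests.post(LOGIN_URL, data=payload, headers=headers, verify=False)
# Keep the cookies returned by the login response for later requests
headers['cookie'] = '; '.join([x.name + '=' + x.value for x in response.cookies])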

There are a few possible locations of the CSRF token. Different websites use different ways to pass it to the browser. Here are some of them:

  • It can come with response headers, in that case getting it is easy.
  • Sometimes the page meta holds the CSRF token. You have to parse the HTML content of the page to get it. Find the proper CSS selector for it. See an example:

    from bs4 import BeautifulSoup
    soup = BeautifulSoup(response.text, 'lxml')
    csrf_token = soup.select_one('meta[name="csrf-token"]')['content']
    
  • It can be inside of a script tag with JavaScript code. Getting it will be tricky. But, you can always use regex to isolate it.

Dipu answered Oct 20 '22 07:10


import requests
from bs4 import BeautifulSoup

headers = {
    'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
                  '(KHTML, like Gecko) Chromium/80.0.3987.160 Chrome/80.0.3987.163 '
                  'Safari/537.36'
}
login_data = {
    'name': 'USERNAME',
    'pass': 'PASSWORD',
    'form_id': 'new_login_form',
    'op': 'login'
}

with requests.Session() as s:
    url = 'https://www.codechef.com/'
    # Note: verify=False disables TLS certificate verification for this request.
    r = s.get(url, headers=headers, verify=False)
    # print(r.content)  # to find name of csrftoken and form_build_id
    soup = BeautifulSoup(r.text, 'lxml')

    # Read the hidden form fields the server expects back with the login POST
    csrfToken = soup.find('input', attrs={'name': 'csrfToken'})['value']
    form_build_id = soup.find('input', attrs={'name': 'form_build_id'})['value']

    login_data['csrfToken'] = csrfToken
    login_data['form_build_id'] = form_build_id

    r = s.post(url, data=login_data, headers=headers)
    print(r.content)

You can directly use this, but there are a few things to change:
1. Check your user-agent in your browser's network option.
2. Check your name attribute for csrf-token and form_build_id by print(r.content), find csrftoken and form-build-id, and check their name attribute.

Final step:

Search for logout in your r.content; if it is there, then you are logged in.

ROHIT kashyap answered Oct 20 '22 07:10
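
The token locations listed in the first answer (response header, meta tag, inline script) and the hidden input field read in the second can be checked by one helper. This is an added example, not code from either answer. The header names, field names and script pattern are assumptions, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Assumed names for illustration; each site picks its own header and field names.
HEADER_NAMES = ('x-csrf-token', 'x-xsrf-token')
FIELD_NAMES = ('csrftoken', 'csrf-token', 'csrf_token', '_token')
SCRIPT_RE = re.compile(r'csrf[_-]?token["\']?\s*[:=]\s*["\']([^"\']+)["\']', re.I)


class _FieldFinder(HTMLParser):
    """Collects tokens from hidden <input> fields and <meta> tags."""

    def __init__(self):
        super().__init__()
        self.found = {}  # location -> token

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = {'input': 'value', 'meta': 'content'}.get(tag)
        if attr and (a.get('name') or '').lower() in FIELD_NAMES and a.get(attr):
            self.found.setdefault(tag, a[attr])


def find_csrf_token(headers, html):
    """Return (location, token), or (None, None) when the page carries no token."""
    for key, value in headers.items():
        if key.lower() in HEADER_NAMES:
            return 'header', value
    finder = _FieldFinder()
    finder.feed(html)
    finder.close()
    for location in ('input', 'meta'):
        if location in finder.found:
            return location, finder.found[location]
    match = SCRIPT_RE.search(html)  # last resort: token assigned in inline JavaScript
    return ('script', match.group(1)) if match else (None, None)


# Constructed sample pages, one per location the answers describe.
INPUT_PAGE = '<form><input type="hidden" name="csrfToken" value="tok-input"></form>'
META_PAGE = '<head><meta name="csrf-token" content="tok-meta"></head>'
SCRIPT_PAGE = '<script>window.cfg = {csrfToken: "tok-script"};</script>'

if __name__ == '__main__':
    for page in (INPUT_PAGE, META_PAGE, SCRIPT_PAGE):
        print(find_csrf_token({}, page))
```

With requests, call `find_csrf_token(r.headers, r.text)` on the GET response from the same `Session` that sends the login POST, so the token and the session cookie stay paired. Whether the token goes back as a form field or as a request header depends on the site.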