 

Passing csrftoken with python Requests

How do you pass a csrftoken with the Python module Requests? This is what I have, but it's not working, and I'm not sure which parameter to pass it in (data, headers, auth, ...).

    import sys
    import requests
    from bs4 import BeautifulSoup

    URL = 'https://portal.bitcasa.com/login'

    # config= is the requests 0.x API; requests.Session() takes no arguments from 1.0 on
    client = requests.session(config={'verbose': sys.stderr})

    # Retrieve the CSRF token first: scrape the hidden form field from the login page
    soup = BeautifulSoup(client.get('https://portal.bitcasa.com/login').content)
    csrftoken = soup.find('input', dict(name='csrfmiddlewaretoken'))['value']

    # EMAIL and PASSWORD are the account credentials, defined elsewhere
    login_data = dict(username=EMAIL, password=PASSWORD, csrfmiddlewaretoken=csrftoken)
    r = client.post(URL, data=login_data, headers={"Referer": "foo"})

Same error message every time.

    <h1>Forbidden <span>(403)</span></h1>
    <p>CSRF verification failed. Request aborted.</p>
Jeff Avatar asked Nov 26 '12 15:11




1 Answer

If you are going to set the Referer header, then for that specific site you need to set it to the same URL as the login page:

    import sys
    import requests

    URL = 'https://portal.bitcasa.com/login'

    client = requests.session()

    # Retrieve the CSRF token first
    client.get(URL)  # sets cookie
    if 'csrftoken' in client.cookies:
        # Django 1.6 and up
        csrftoken = client.cookies['csrftoken']
    else:
        # older versions
        csrftoken = client.cookies['csrf']

    login_data = dict(username=EMAIL, password=PASSWORD, csrfmiddlewaretoken=csrftoken, next='/')
    r = client.post(URL, data=login_data, headers=dict(Referer=URL))

When using unsecured http, the Referer header is often filtered out and otherwise easily spoofable anyway, so most sites no longer require the header to be set. However, when using an SSL connection and if it is set, it does make sense for the site to validate that it at least references something that could logically have initiated the request. Django does this when the connection is encrypted (uses https://), and actively requires it then.

Martijn Pieters Avatar answered Oct 07 '22 20:10

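To see why the question's POST gets a 403 while the answer's succeeds, here is an added example (written for this page, not code from the question, the answer, or Django itself) that models the order of checks Django's CsrfViewMiddleware applies to an HTTPS request, then runs the two POST shapes from the page through it offline. The host, path, cookie and field names are the page's; the token value, the HTML fragment and the helper names check_csrf, token_from_session and post_login are constructed for the example, the reason strings are modelled on Django's, and the salted token format newer Django releases use is left out.

```python
import hmac
import re
from urllib.parse import urlsplit

# Constructed sample values; host and path are the ones from the question.
LOGIN_URL = "https://portal.bitcasa.com/login"
HOST = "portal.bitcasa.com"
TOKEN = "vb1rPpXzq4nLkW2m"  # constructed, not a real token
# Constructed fragment of a Django login page containing the hidden field.
SAMPLE_HTML = (
    '<form method="post" action="/login">'
    "<input type='hidden' name='csrfmiddlewaretoken' value='" + TOKEN + "' />"
    '<input name="username"><input name="password" type="password">'
    "</form>"
)

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def check_csrf(method, scheme, host, headers, cookies, form):
    """Simplified model of Django's CsrfViewMiddleware (assumption: not Django's
    own code; tokens are compared directly, without the newer salting).
    Returns (accepted, reason)."""
    if method in SAFE_METHODS:
        return True, "safe method, not checked"
    if scheme == "https":
        # Over TLS the Referer cannot be stripped by intermediaries, so Django
        # insists on it and requires the same origin as the request itself.
        referer = headers.get("Referer")
        if not referer:
            return False, "Referer checking failed - no Referer."
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != host:
            return False, "Referer checking failed - %s does not match https://%s/." % (referer, host)
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return False, "CSRF cookie not set."
    request_token = form.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token missing or incorrect."
    return True, "ok"


def token_from_session(cookies, html):
    """Client side: prefer the csrftoken cookie the session jar already holds,
    fall back to the hidden csrfmiddlewaretoken field of the fetched page."""
    if "csrftoken" in cookies:
        return cookies["csrftoken"]
    m = re.search(r"""name=['"]csrfmiddlewaretoken['"][^>]*value=['"]([^'"]+)""", html)
    return m.group(1) if m else None


def post_login(referer, cookies, token):
    """One login POST as the server sees it; username and password are
    placeholders, the CSRF check never looks at them."""
    form = {"username": "EMAIL", "password": "PASSWORD",
            "csrfmiddlewaretoken": token, "next": "/"}
    headers = {"Referer": referer} if referer is not None else {}
    return check_csrf("POST", "https", HOST, headers, cookies, form)


def question_attempt():
    """Referer 'foo' as in the question: token is right, Referer check fails."""
    jar = {"csrftoken": TOKEN}
    return post_login("foo", jar, token_from_session(jar, SAMPLE_HTML))


def answer_attempt():
    """Referer set to the login URL as in the answer: accepted."""
    jar = {"csrftoken": TOKEN}
    return post_login(LOGIN_URL, jar, token_from_session(jar, SAMPLE_HTML))


def new_session_attempt():
    """Token scraped from the page but POSTed from a fresh session with an
    empty cookie jar: rejected even with a correct Referer."""
    token = token_from_session({}, SAMPLE_HTML)
    return post_login(LOGIN_URL, {}, token)


if __name__ == "__main__":
    for name, fn in (("question", question_attempt), ("answer", answer_attempt),
                     ("new session", new_session_attempt)):
        print("%-12s %s" % (name, fn()))
```

The third case is the one the scraping approach in the question can also hit: the hidden field and the csrftoken cookie must come from the same session, so the token has to be POSTed through the same requests session that fetched the form, which is what keeping one client object in both snippets above ensures.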