Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using stolen cookie in cURL to bypass CSRF

Tags:

php

curl

cookies

csrf

yii

I have to process a web page. This web page is based on YII framework, and the login page is protected by CSRF tokens. When I pass the login credentials by POST method. I get the error 400 and The CSRF token could not be verified message.

I don't know how to by pass this protection. I don't understand the mechanism. When I login by the Chrome browser, I see what the POST message look like. It has 4 parameters: CSRF key, login, password, an one empty variable. How the browser gets the proper CSRF key to be sanded back?

I have a login and password for this web page, and I can login as normal user. Only the login page is protected against CSRF. Can I use the cookie (how to do that) created by browser on normal login, give this cookie to cURL and start processing URLs behind login page?

like image 931
MrMgr Avatar asked Nov 23 '13 21:11

MrMgr

2 Answers

MrMgr Answer in his comments. I've put it here to help other people easily identify the answer.

The CSRF key is generated for session and it is inside LOGIN page as plain text. I can copy it from the source code, of the login page, and provide to cURL script to be past as POST variable. The CSRF Key doesn't change after every page refresh, a KEY is valid until logout. On logout the CSRF key is sanded to server for termination.

Source

like image 63
ʰᵈˑ Avatar answered Oct 22 '22 08:10

ʰᵈˑ

CSRF tokens are in place to make this precise action difficult. You need a better way to spoof being a browser with PHP. To do that, store all cookies in what is generally called a "cookie jar." PHP's implementation of curl has that capability. All curl requests routed to this site should use this cookie jar from now on.

Next you need to parse the login page to grab all fields that are submitted. This includes the username, password, CSRF, and other hidden fields. Make sure you have values for each one. If it's not supposed to be entered by you (e.g. hidden inputs), scrape the login page's HTML and put those fields into variables you can pass along in the login POST. Also be sure to send the url of the login page you scraped as the referrer in the login POST.

Parsing html can be tedious, but libraries like SimpleHTMLDOM should make it simple if you're familiar with CSS selectors.

like image 45
TheLonelyGhost Avatar answered Oct 22 '22 07:10

TheLonelyGhost
Sign in to Comment

Related questions

Composer errors on OS X and OpenSSL used by PHP
Sessions not showing but are definitely there as shown from next page
ResponseListener in Symfony leads to duplicate header 'Content-Type' from apache in dev mode
PHP - Getting Channel ID after OAuth - YouTube API
Clicking 'Refresh' crashes phpMyAdmin
Override frontcontroller or modulefrontcontroller init() method for checkout
JavaScript Detection / Browser Statistics
Image comparison with php + gd
How does PHP PDO work internally?
Why is Twitter returning a "Failed to validate oauth signature and token?"
Is there a way to send tracking info to Google Analytics from PHP?
What are the requirements to send an email with PHP?
Limit PHP error handler to specific namespace(s)
Is there a good SimpleSAMLphp SLO example?
how to learn Zend Framework?
how to add file attachment in PHPMailer?
Usage of 'use' or 'using' in programming languages
Push notifications in PHP using Amazon SNS/SQS?
PHP, Memcached works from command line but not from the web
How to connect to XMPP server using PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!