11

I have to process a web page. This web page is based on the Yii framework, and the login page is protected by CSRF tokens. When I pass the login credentials by the POST method, I get error 400 and the message "The CSRF token could not be verified".

I don't know how to bypass this protection. I don't understand the mechanism. When I log in with the Chrome browser, I see what the POST message looks like. It has 4 parameters: the CSRF key, login, password, and one empty variable. How does the browser get the proper CSRF key to send back?

I have a login and password for this web page, and I can log in as a normal user. Only the login page is protected against CSRF. Can I use the cookie (and how do I do that) created by the browser on a normal login, give this cookie to cURL and start processing URLs behind the login page?

Kiran RS
MrMgr
  • The CSRF key has a timeout limit, so if you use the CSRF key from the last login (say it was two days ago) the login page should throw an error – kirugan Nov 23 '13 at 21:27
  • The CSRF key is different every time I re-login in Chrome. Thus I think that the CSRF key is one-use only. – MrMgr Nov 23 '13 at 21:37
  • 4
    SOLVED: The CSRF key is generated per session and it is inside the LOGIN page as plain text. I can copy it from the source code of the login page and provide it to the cURL script to be passed as a POST variable. The CSRF key doesn't change after every page refresh; a key is valid until logout. On logout the CSRF key is sent to the server for termination. – MrMgr Nov 23 '13 at 22:31
  • 3
    @MrMgr You should use this comment above and answer your own question with it. That way anyone else who has the same problem can easily see how to solve it. – Arian Faurtosh Dec 26 '13 at 19:23

2 Answers

2

MrMgr answered in his comments. I've put it here to help other people easily identify the answer.

The CSRF key is generated per session and it is inside the LOGIN page as plain text. I can copy it from the source code of the login page and provide it to the cURL script to be passed as a POST variable. The CSRF key doesn't change after every page refresh; a key is valid until logout. On logout the CSRF key is sent to the server for termination.

Source

Community
ʰᵈˑ
1

CSRF tokens are in place to make this precise action difficult. You need a better way to spoof being a browser with PHP. To do that, store all cookies in what is generally called a "cookie jar." PHP's implementation of curl has that capability. All curl requests routed to this site should use this cookie jar from now on.

Next you need to parse the login page to grab all fields that are submitted. This includes the username, password, CSRF, and other hidden fields. Make sure you have values for each one. If it's not supposed to be entered by you (e.g. hidden inputs), scrape the login page's HTML and put those fields into variables you can pass along in the login POST. Also be sure to send the URL of the login page you scraped as the referrer in the login POST.

Parsing HTML can be tedious, but libraries like SimpleHTMLDOM should make it simple if you're familiar with CSS selectors.

TheLonelyGhost
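The procedure from this answer, and the session-bound token the SOLVED comment describes, as an added example written with plain curl (not code from the question or either answer). It assumes placeholder BASE_URL and LOGIN_PATH values, the field names `login` and `password` from the question, and a constructed sample login page for offline use.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: the flow the
# second answer describes, done with plain curl and a cookie jar.
# Assumptions: BASE_URL and LOGIN_PATH, the field names "login" and "password"
# from the question, and hidden inputs written one per line with double quotes.
set -eu

BASE_URL="${BASE_URL:-https://example.invalid}"   # placeholder host
LOGIN_PATH="${LOGIN_PATH:-/site/login}"           # assumed login URL
JAR="${JAR:-cookies.txt}"                         # cookie jar shared by every request

# Print "name=value" for every hidden <input> on stdin (the CSRF token among
# them), whatever the attribute order. grep/sed is enough for this layout; a
# real HTML parser (the answer names SimpleHTMLDOM for PHP) copes with more.
hidden_fields() {
    grep -o '<input[^>]*>' | grep -i 'type="hidden"' | while read -r tag; do
        name=$(printf '%s\n' "$tag" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        value=$(printf '%s\n' "$tag" | sed -n 's/.*value="\([^"]*\)".*/\1/p')
        if [ -n "$name" ]; then printf '%s=%s\n' "$name" "$value"; fi
    done
}

# Constructed login form in the Yii 1 layout (value before name, and the
# framework's default token field name); offline sample input only.
sample_login_page() {
    cat <<'EOF'
<form method="post" action="/site/login">
<input type="hidden" value="5f1d3c9a" name="YII_CSRF_TOKEN" />
<input type="text" name="login" /><input type="password" name="password" />
<input type="hidden" name="returnUrl" value="" />
</form>
EOF
}
# 1. GET the login page: the jar receives the session cookie and the HTML
#    carries the token minted for that session.
# 2. POST credentials plus every hidden field, with the jar cookie and the
#    login page as Referer. Server-side the token is checked against the
#    session cookie, so a token pasted from another session gets the 400
#    the question reports. Prints the HTTP status of the login POST.
login() {
    user=$1; pass=$2
    page=$(curl -sS -c "$JAR" -b "$JAR" "$BASE_URL$LOGIN_PATH")
    set -- --data-urlencode "login=$user" --data-urlencode "password=$pass"
    for field in $(printf '%s\n' "$page" | hidden_fields); do
        set -- "$@" --data-urlencode "$field"
    done
    curl -sS -o /dev/null -w '%{http_code}' -c "$JAR" -b "$JAR" \
        -e "$BASE_URL$LOGIN_PATH" "$@" "$BASE_URL$LOGIN_PATH"
}
```

Every later request behind the login then needs only `-b "$JAR"`; the token itself is no longer required once the session cookie is authenticated, which matches the comment's observation that the key stays fixed until logout.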