
The following python script usually works to automatically fill in a login webform:

import requests

# placeholders for the real addresses
formurl = "https://example.com/login"
protectedurl = "https://example.com/protected"

payload = {
    "user": "myusrname",
    "password": "mypass",
    # ...etc...
}

s = requests.Session()
s.post(formurl, data=payload)
r = s.get(protectedurl)

However, on some websites the above seems to fail to start the session. I am looking for what it is that is blocking me from entering the protected page.

On the website (https://www.avanza.se) the form looks like

<form autocomplete="off" class="loginForm clearFix" method="POST" action="/ab/noop">
    <input placeholder="Användarnamn" type="text" name="j_username" autocapitalize="none">
    <input placeholder="Lösenord" type="password" name="j_password">
    <div class="errorToolTipPlacement">
        <button class="focusBtn loginButton" type="submit" disabled="disabled">Logga in</button>
        <a class="fRight marginTop4px defaultSize plcLink" href="/glomt-uppgift.html">Problem att logga in?</a>
    </div>
</form>

I am providing the post request with all the name:value fields (in this case j_username and j_password)

The request succeeds, giving me a status code 200 and then redirects back to the original webpage - not logged in. The url and cookies for the start page and the protected page are the same.

I noticed that the result is the same even if I fill out the wrong username and password.

Am I missing some information to send?

Is it using more complicated authentication that I can't see?

Is it simply blocking automated login bots?

lsund
  • i think this will solve [1]: http://stackoverflow.com/questions/26258042/python-programm-to-log-into-the-web-page/26566377#26566377 – P_O_I_S_O_N Jan 28 '15 at 10:47

1 Answer

Looking at it initially, it appears that the request has a third parameter (url).

Below are all the request header parameters; I would set (at a minimum) the Referer, Content-Type, and "Accept" parameters.

Host: www.avanza.se
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Referer: https://www.avanza.se/start
Content-Length: 70
Cookie: _ga=GA1.2.714386931.1422441452; _gat_rollup=1; _gat=1; optimizelySegments=%7B%22696152504%22%3A%22ff%22%2C%22696851909%22%3A%22direct%22%2C%22702410951%22%3A%22false%22%7D; optimizelyEndUserId=oeu1422441452807r0.117113927933018; optimizelyBuckets=%7B%7D; optimizelyPendingLogEvents=%5B%5D
Connection: keep-alive
Pragma: no-cache

You can set those in a named array and pass them in with the "headers" parameter for the post method.

Once the post method "returns" you should actually read the response (in json format) and it should give you the url to redirect to.

Damian Nikodem
  • Hello and thank you for your answer. What tells you it has a third parameter? The text from the response is a javascript snippet redirecting to the main page. The headers from the response do not seem to contain any url. I tried to add the headers to the post request but with no luck – lsund Jan 28 '15 at 14:19
  • What tells me that there is a third parameter was simply visiting the site and watching my login attempt with firefox in debugging mode. A common trick to reduce XSS risk is to check the referer, and/or user agent string. The response from the JSON request might set a cookie, and/or instructions for javascript to redirect the main page in the event of a successful login, but I got an error code/message immediately as soon as I entered invalid credentials. – Damian Nikodem Jan 28 '15 at 14:59
  • I managed to catch the proper url after entering the wrong username/password and observing in firebug. The url of the failed post request was something like '/post/loginhandler'. I just tried (because I tried everything else) to use it in my script instead of the form URL and it seems to work for now. Thank you for your help! – lsund Jan 28 '15 at 20:37
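An added example (not code from the question or the answer) that puts the thread's conclusion together: post to the XHR handler rather than the form's action, send the headers the answer lists, and read the response body for the redirect instead of trusting the 200. The handler path is the asker's approximate '/post/loginhandler', and the JSON keys and the JavaScript-snippet shape are assumptions, not avanza's real response format.

```python
import json
import re
from urllib.parse import urljoin

# Headers the answer says to set at a minimum; values copied from its capture.
LOGIN_HEADERS = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:35.0) "
                   "Gecko/20100101 Firefox/35.0"),
}

# Assumed response shapes: a JSON object carrying a URL, or the JavaScript
# redirect snippet the asker saw. Neither is known to be avanza's real format.
_URL_KEYS = ("redirectUrl", "url", "location")
_JS_REDIRECT = re.compile(
    r"""(?:location(?:\.href)?\s*=\s*|location\.replace\(\s*)['"]([^'"]+)['"]""")


def login_headers(referer):
    """Fixed header set plus the Referer of the page that hosts the form."""
    return dict(LOGIN_HEADERS, Referer=referer)


def redirect_target(body, base_url):
    """Where the server wants the browser to go after the POST, or None."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if isinstance(data, dict):
        for key in _URL_KEYS:
            if isinstance(data.get(key), str):
                return urljoin(base_url, data[key])
        return None  # JSON with no URL: treat as a rejected login
    m = _JS_REDIRECT.search(body)
    return urljoin(base_url, m.group(1)) if m else None


def login(base_url, username, password, handler="/post/loginhandler", start="/start"):
    """Log in via the XHR handler (not the form action); returns (session, next url)."""
    import requests  # imported here so the parsing helpers above stay stdlib-only
    s = requests.Session()
    s.get(urljoin(base_url, start))  # pick up the site's cookies first
    r = s.post(urljoin(base_url, handler),
               data={"j_username": username, "j_password": password},
               headers=login_headers(urljoin(base_url, start)))
    r.raise_for_status()
    target = redirect_target(r.text, base_url)
    if target is None:
        raise RuntimeError("login rejected: %s" % r.text[:200])
    return s, target
```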