0

Is it possible to log into websites that use CSRF tokens and such using Jsoup? The website I am trying to log into is aliexpress.com, which seems to have a lot of input values, and I noticed that the CSRF token changes on every attempt. I am guessing that these are protective measures to block out spam. I am quite new to HTML and was wondering: is it even possible to log in to sites like these? Thanks

Here is my code in case I did something wrong:

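import java.io.IOException;
import org.jsoup.Connection;
import org.jsoup.Connection.Method;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;

public class Main {

public static void main(String[] args) throws IOException {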

     Connection.Response loginForm = Jsoup.connect("http://login.aliexpress.com")
        .method(Method.POST)
            .data("cookieexists", "false")
            .data("loginId", "xxxxxx@gmail.com")
            .data("password", "xxxxxx")
            .data("event_submit_do_login", "submit")
            .data("submit-btn", "Sign In")
            .data("appName", "aebuyer")
            .data("appEntrance", "default")
            .data("_csrf_token", "vdspQZH4cMoQT6GxLyU0a7")
            .data("rdsToken", "")
            .data("cid", "a832dd6d-990f-44eb-8bdb-9ec49d1c0a99")
            .data("umidToken", "4e6219e38c34346dc2bb7914a54794aac7645e7b")
            .data("lang", "en_us")
            .data("hsid", "VP4zHOZfVs1Ec4qqEsI1mA")
            .data("isRDSReady", "false")
            .data("isUMIDReady", "false")
            .data("umidGetStatusVal", "")
            .data("bizParams", "")
            .data("isRequiresHasTimeout", "false")
            .data("loginHost", "https://passport.aliexpress.com/")
            .data("scene", "")
            .data("isMobile", "false")
            .data("modulus", "d3bcef1f00424f3261c89323fa8cdfa12bbac400d9fe8bb627e8d27a44bd5d59dce559135d678a8143beb5b8d7056c4e1f89c4e1f152470625b7b41944a97f02da6f605a49a93ec6eb9cbaf2e7ac2b26a354ce69eb265953d2c29e395d6d8c1cdb688978551aa0f7521f290035fad381178da0bea8f9e6adce39020f513133fb")
            .data("exponent", "10001")
            .data("ua","099#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")
            .followRedirects(true)
        .execute();

    // TODO code application logic here
    Document doc = loginForm.parse();



    System.out.print("website title:" + doc);
}

}

sandra burgle
  • Yes, it is possible. Look here for an example - https://stackoverflow.com/questions/31871801/problems-submitting-a-login-form-with-jsoup/31877829#31877829 – TDG Nov 04 '17 at 09:00
  • @TDG Hi, sorry for misunderstanding. It still does not seem to work for me and keeps putting me on the login screen. I have included all input values, but I think the reason why it does not work is because some input values (like csrf token) change on every new instance. Would this be the reason? – sandra burgle Nov 05 '17 at 01:12

1 Answer

1

Since you know which parameters to send, I assume that you know how to use your browser's developer tools, so it will be easy for you:
In order to log in to the site, you have to take two steps. The first step is to send a GET request and parse the result. The second step is to send a POST request with the needed parameters, including the ones you've obtained from step 1.
I've seen that when sending the first GET request to https://login.aliexpress.com/, the result does not contain the values of _csrf_token etc. The browser sends another request to https://passport.aliexpress.com/mini_login.htm?lang=en_us&appName=aebuyer&appEntrance=default&styleType=auto&bizParams=&notLoadSsoView=false&notKeepLogin=true&isMobile=false&rnd=0.9476178801629621, so you must do the same and parse the result (notice that the last parameter of the GET request is some random number. I think you should also randomize the string and not use the same number again and again; it might be some protection measure):

String firstURL = "https://passport.aliexpress.com/mini_login.htm?lang=en_us&appName=aebuyer&appEntrance=default&styleType=auto&bizParams=&notLoadSsoView=false&notKeepLogin=true&isMobile=false&rnd=0.9476178801629621";
Connection.Response loginForm = Jsoup.connect(firstURL)
    .userAgent("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0")
    .method(Method.GET)
    .execute(); // execute() sends the request and returns the Response

After that you'll have to parse the response and extract the parameters, something like this -

Document doc = loginForm.parse(); // parse the HTML returned by the GET request
Element e = doc.select("input[id=fm-cid]").first();
String cid = e.attr("value");

After parsing all the needed values, you can send the POST request.

TDG
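
The two steps described in the answer above, as an added example that is not part of the original answer: it reads the form's inputs from the fetched page and posts them back together with the cookies from the same session, since a CSRF token is normally only valid alongside the session it was issued for. The class and method names, the `#login-form` selector and the sample markup are assumptions, and it assumes every needed value is present as an `<input>` in the fetched HTML.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import org.jsoup.Connection;
import org.jsoup.Connection.Method;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;

public class TwoStepLogin {
    // Collect every named <input> of the login form, so per-session values
    // such as _csrf_token and cid are read fresh instead of being hard-coded.
    static Map<String, String> formFields(Document doc, String formSelector) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (Element input : doc.select(formSelector + " input[name]")) {
            fields.put(input.attr("name"), input.attr("value"));
        }
        return fields;
    }

    // Step 1: GET the form. Step 2: POST its fields back, sending the cookies
    // received in step 1 so the token and the session belong together.
    static Connection.Response login(String formUrl, String postUrl, String formSelector,
                                     String user, String pass) throws IOException {
        Connection.Response form = Jsoup.connect(formUrl).method(Method.GET).execute();
        Map<String, String> fields = formFields(form.parse(), formSelector);
        fields.put("loginId", user);   // field names as they appear in the question
        fields.put("password", pass);
        return Jsoup.connect(postUrl)
                .cookies(form.cookies())
                .data(fields)
                .method(Method.POST)
                .followRedirects(true)
                .execute();
    }

    public static void main(String[] args) {
        // Constructed sample markup (not the real page) to show the extraction offline.
        String html = "<form id=\"login-form\">"
                + "<input type=\"hidden\" name=\"_csrf_token\" value=\"SAMPLE-TOKEN\">"
                + "<input type=\"hidden\" id=\"fm-cid\" name=\"cid\" value=\"SAMPLE-CID\">"
                + "<input name=\"loginId\"><input type=\"password\" name=\"password\">"
                + "</form>";
        Map<String, String> fields = formFields(Jsoup.parse(html), "#login-form");
        System.out.println(fields);
    }
}
```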