
Parsing header x-csrf-token

  • Good evening all,

    I have this response from the website:
    Request Headers:
    x-csrf-token: vNZO5RL94un4H/5QlYZ99MXPbQ4hvbRAr8WgfnZ5BA1Rog3Fd7NvNYqVTsof+f8XM1+mjddH6xaYVOCnbO/m0A==
    x-requested-with: XMLHttpRequest

    My loliscript:
    REQUEST GET "https://****/users/sign_in"

    HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
    HEADER "Pragma: no-cache"
    HEADER "Accept: /"

    PARSE "<COOKIES>" LR "{(__cfduid, " ")," -> VAR "__cfduid"

    PARSE "<COOKIES>" LR " (_sourceout_session, " ")}" -> VAR "_sourceout_session"

    PARSE "<HEADERS(x-csrf-token)>" LR "" "" -> VAR "AUTH"

    REQUEST POST "https:///users/sign_in"
    CONTENT "utf8=%E2%9C%93&user%5Bemail%5D=<USER>&user%5Bpassword%5D=<PASS>&user%5Bremember_me%5D=0&commit=Log+in"
    CONTENTTYPE "application/x-www-form-urlencoded; charset=UTF-8"
    HEADER "origin: https://
    HEADER "referer: https://****"
    HEADER "sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99""
    HEADER "sec-ch-ua-mobile: ?0"
    HEADER "sec-fetch-dest: empty"
    HEADER "sec-fetch-mode: cors"
    HEADER "sec-fetch-site: same-origin"
    HEADER "user-agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.121 Safari/537.36"
    HEADER "x-requested-with: XMLHttpRequest"
    HEADER ": scheme: https"
    HEADER "accept: application/json, text/javascript, /; q=0.01"
    HEADER "accept-encoding: gzip, deflate, br"
    HEADER "accept-language: en-US,en;q=0.9"
    HEADER "content-length: 125"
    HEADER "x-csrf-token: vNZO5RL94un4H/5QlYZ99MXPbQ4hvbRAr8WgfnZ5BA1Rog3Fd7NvNYqVTsof+f8XM1+mjddH6xaYVOCnbO/m0A=="

    KEYCHAIN Failure OR
    KEY ""Login faile"


    What am I doing wrong? It shows ban and results as an empty Response Source. Have I been wrong in parsing x-csrf-token? If so, then what's the correct way? I truly appreciate the help.

  • Shouldn't your POST headers be something like this
    HEADER "x-csrf-token: <AUTH>"
    so the parsed csrf token can be passed to the next request?

  • @Fairy I changed it, same results 😞

  • @Fairy Thank you, I truly appreciate the help.

  • You are most welcome, buddy.
