Am I parsing this properly



  • Here is the client response I captured using Fiddler:

    POST https://www.thewebsite.com/sessions
    Host: www.thewebsite.com
    Connection: keep-alive
    Content-Length: 239
    Accept: application/json, text/javascript, */*; q=0.01
    Sec-Fetch-Dest: empty
    X-CSRF-Token: JgI6CCtsJSYqOwQAIAl9M1N7FiwXAAAAdmhCoZpECtpPua/J89UffQ==
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://www.thewebsite.com
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Referer: https://www.thewebsite.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: ajs_group_id=null; registered=true; first_visit_at=2020-03-20+16%3A31%3A29+%2B0000; ajs_anonymous_id=%22fafdd866-53fa-40d4-a3d9-a2b911f72aeb%22; ajs_user_id=%2216505105%22; _session_id=K2c0TlJhcnBCMkZOZkRHRzFhSC9SdFYraHIvTzZucWMvT3MzQVdXQ2VIcmkyQStCS085Mi83WC9Oa3RON1VrOU5FU0Vucm1DUGlwMCtHMm1hS2lMZHc9PS0taVFHbzZhMmRCVlhCMVZIcVJyUkdiZz09--942dd4a640a1b7ed1aeb456485c92acdde8e7c7f
    
    _csrf_token=JgI6CCtsJSYqOwQAIAl9M1N7FiwXAAAAdmhCoZpECtpPua%2FJ89UffQ%3D%3D&_utf8=%E2%9C%93&user%5B_analytics_session_id%5D=1584812306526&user%5Bemail%5D=asdfasdfdsf%40gmail.com&user%5Bpassword%5D=234ASDsadasdsad&user%5Bremember_me%5D=false
    

    How I am capturing X-CSRF-TOKEN:
    e16256bf-deaf-4889-813f-24709ce9b177-image.png

    However it doesn't capture jack rabbit

    How I capture CSRF Token From The Content:
    c7c07945-8134-486b-ad9f-74ade9f6adb8-image.png
    Again it doesn't capture (ignore the keycheck)

    So my problem is that How can I get that specific COOKIE and HEADER
    Maybe the server is not generating it? For csrf content, I receive a 400 Bad Request

    But it does give me a X-CSRF-Token: which is not parsed? What am I doing wrong?

    TL: I want to parse the X-CSRF Token from Headers and _csrf from the content(server does not generate) but it's not parsing X-CSRF Token see above. I used the reference from https://forum.openbullet.dev/topic/4/how-to-parse-cookies-headers

    Thank you for your knowledge.



  • Its most likely being generates using Javascript, You will have to find a work around or try recreating the JS. Maybe try selenium



  • possible to share a sample address that you are using ?



  • Thank you guys I found out I have to parse the main page as a GET and that parses it Still having a problem with the X-CSRF-Token Header



  • @Pure @masterchief I have found the code to parse the header document.head.querySelector("meta[name=csrf-token]").content; and the extra shit or whatever they did to change it for the HEADER version the function they USE

    function (t, e, n) {}, function (t, e, n) {
      "use strict";
      n.r(e);
      n(150), n(152), n(153), n(154), n(155), n(156), n(157), n(158), n(159), n(160), n(161), n(162), n(163), n(164), n(165), n(166), n(167), n(168), n(169), n(170), n(171), n(172), n(173), n(174), n(175), n(176), n(177), n(178), n(73), n(179), n(180), n(181), n(182), n(183), n(184), n(185), n(186), n(187), n(188), n(189), n(190), n(191), n(192), n(193), n(194), n(196), n(197), n(198), n(199), n(200), n(201), n(202), n(203), n(204), n(205), n(206), n(207), n(209), n(210), n(211), n(212), n(213), n(214), n(215), n(216), n(217), n(218), n(219), n(220), n(221), n(223), n(224), n(225), n(226), n(227), n(228), n(230), n(232), n(234), n(235), n(236), n(237), n(238), n(239), n(240), n(241), n(242), n(243), n(244), n(245), n(246), n(247), n(248), n(249), n(250), n(251), n(252), n(253), n(254), n(256), n(257), n(260), n(261), n(262), n(264), n(265), n(266), n(267), n(268), n(269), n(270), n(271), n(272), n(273), n(274), n(275), n(276), n(277), n(278), n(279), n(280), n(281), n(282), n(283), n(136), n(284), n(285), n(286), n(287), n(288), n(289), n(290), n(291), n(292), n(293), n(294), n(295), n(296), n(297), n(298), n(299), n(300), n(301), n(302), n(303), n(304), n(305), n(306), n(307), n(308), n(309), n(310), n(311), n(312), n(313), n(314), n(315), n(316), n(317), n(318), n(319), n(320), n(321), n(322), n(323), n(324), n(325), n(326), n(327), n(328), n(329), n(330), n(331), n(332), n(333), n(334), n(335), n(336), n(337), n(338), n(339), n(340), n(341), n(342), n(343), n(344), n(345), n(346), n(347), n(348), n(349), n(350), n(353), n(144), n(354), n(355), n(356), n(357);
      var r = n(52),
          i = n.n(r),
          o = n(0),
          y = n.n(o);
    

    setRequestHeader("X-CSRF-Token", r) How do I use this as my header now? Without the use of selenium please? Because <HEADERS(X-CSRF-Token)> does not work. They reuse the csrf but change it with the y = n.n(o)
    Can someone help me grasp this generation in this function?

    Maybe some function that would allow me to do above^ They generate like so "X-CSRF-Token": r setRequestHeader("X-CSRF-Token", r)

    I highly appreciate you guys helping out



  • I usually get the csrf token by sending a GET request to the main address of my target (not it's "session" for example)

    Try to send a GET request to "https://www.thewebsite.com" and search the source for "csrf" string



  • @masterchief
    I have done this for the csrf but the header is generated by an encysted function


Log in to reply