Trying to log into a https website...

2017-10-05
2017-10-06
  • David Díez

    David Díez - 2017-10-05

    I want to use PHP Crawler to trigger artificial hits on user profiles in https://www.interpals.net but I have been unsuccessful so far.

    I added this code to the example.php file, among some other small modifications:

    // Login
    $post_data = array(
    "username" => "myusername",
    "password" => "mypassword",
    "submit" => "Sign in");
    $crawler->addPostData("#https://www.interpals.net/app/auth/login#", $post_data);

    The crawler runs, but the network log is not showing any POST activity and the website pages are showing the login boxes everywhere. I have cookie handling enabled. The website is using CSRF protection... I don't know if that matters.

    https://www.interpals.net/app/auth/login is where the form script resides.

     
  • Anonymous

    Anonymous - 2017-10-05

    Yes, it does matter. You need to post the csrf_token too.

     
  • Anonymous

    Anonymous - 2017-10-06

    Well, I do not know how to do it, as the CSRF seems to be embedded in the cookie itself. I simply do not understand how this all fits together...

    General

    Request URL:https://www.interpals.net/app/auth/login
    Request Method:POST
    Status Code:302
    Remote Address:104.20.197.2:443
    Referrer Policy:no-referrer-when-downgrade

    Response Headers

    cache-control:no-cache
    cache-control:no-store, no-cache, must-revalidate
    cf-ray:3a974ce47ead2f4d-MAD
    content-type:text/html; charset=UTF-8
    date:Fri, 06 Oct 2017 08:37:44 GMT
    expires:Thu, 19 Nov 1981 08:52:00 GMT
    location:/app/account
    pragma:no-cache
    server:cloudflare-nginx
    set-cookie:lt=504288532484157440%2Ca90d238fcd6b818cc0ee954901f83c0571ed91634d3b25b4d1f0f76a3430b887%2C3da5826f040a41eaee63ff90b4ece439; expires=Mon, 30-Oct-2017 08:37:44 GMT; Max-Age=2073600; path=/; domain=.interpals.net; HttpOnly
    status:302
    x-content-type-options:nosniff
    x-frame-options:SAMEORIGIN
    x-xss-protection:1; mode=block

    Request Headers

    :authority:www.interpals.net
    :method:POST
    :path:/app/auth/login
    :scheme:https
    accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    accept-encoding:gzip, deflate, br
    accept-language:es-ES,es;q=0.8,en;q=0.6
    cache-control:max-age=0
    content-length:61
    content-type:application/x-www-form-urlencoded
    cookie:resolution=1600x900; resolution=1600x900; ubic1=MTAwMDY0MDg4NjU5Yjk4YTI1NWEwODkyLjY0NDk0MTU4; fbnl=1; cfduid=d3fe236c2386986cb35e799c1f1f21b721507279005; interpals_sessid=n79qksgg141vp9im0lttfiplu7; csrf_cookieV2=Bu8Rvn4Mh7U%3D; utmt=1; gads=ID=6e0d3ce9ea135247:T=1507279027:S=ALNI_Ma1SxNQF_Vd9XGv9fjA-ZzaDbHGgA; resolution=1600x900; utma=46363135.883832889.1507279106.1507279106.1507279106.1; utmb=46363135.8.10.1507279106; utmc=46363135; utmz=46363135.1507279106.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    origin:https://www.interpals.net
    referer:https://www.interpals.net/
    upgrade-insecure-requests:1
    user-agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

     
  • Anonymous

    Anonymous - 2017-10-06

    That's actually the point of csrf, to prevent you from doing this. Good luck...

     
  • Anonymous

    Anonymous - 2017-10-06

    However I know that other bots are connecting and interacting with the website.

     
  • Anonymous

    Anonymous - 2017-10-06

    Thanks. I have found this which seems more related to my question: https://stackoverflow.com/questions/36198970/does-using-csrf-form-tokens-help-spam-prevention

    Curiously, the website I am targeting has no CAPTCHA on the form.

     
  • Anonymous

    Anonymous - 2017-10-06

    All I'm trying to say is that you need to first scrape the token value and then post the token in your post_data array. There's a bunch of ways to do that...

     