Jump to content
Tuts 4 You
Sign in to follow this  
LCF-AT

How to create client login requests?

Recommended Posts

LCF-AT

Hi guys,

so I'am working again on my internet client stuff and this time I would like to add / send login datas to server/s and need to find some examples about all those diffrent POST sending paramters I could / should use.

Possible situations:

1.) Normal client requests over http  port 80
2.) Normal client requests over https port 443
3.) Normal client requests over http  port 80  with http  Proxy type
4.) Normal client requests over https port 443 with https Proxy type
----------------------------------------------------------------------
5.) Normal client requests over http  port 80  + username password
6.) Normal client requests over https port 443 + username password
7.) Normal client requests over http  port 80  + username password + with http  Proxy type + username password
8.) Normal client requests over http  port 443 + username password + with https Proxy type + username password

I think these should be the basic possible situations I would like to manage sending right request header informations.My questions in that case are how the possible request headers from point 5 till 8 could / should look like?Below a example request header I found on internet....

POST /login.php HTTP/1.0
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Connection: keep-alive

username=TEST&password=123

My questions is how to do it correctly and what to find out manually infos of specific pages I want to login like custom paramters etc if there are some I need to use etc.

So I have test to login into one page on internet I have login datas of a site using just http prococol only.Now I did run fiddler and did login on that page and now I can see the send request for the login and I did wonder.The message body which was send looks pretty custom and does differ to the example above.So there was many other infos put into the message body also some hash values  etc!=?How to know that before?

I also tried to use Curl to send login paramters like that....

curl -v --user user1:password2 http://example.com/forum/login.php?do=login

....and did monitor all Winsocket network function using rohitab.Now when I check the send / recv calls then I see curl was trying to send other paramters and found that...

GET /forum/login.php?do=login HTTP/1.1
Host: example.com
Authorization: Basic dXNlcjE6cGFzc3dvcmQy
User-Agent: curl/7.65.3
Accept: */*

....just using the GET request method (not POST) and a base64 hash of name:pass but this failed to login and just did got redirect response to main page.Problem seems to be that the Basic Auth should just be used over https only = seems that Curl didnt checked that or something!?

So my question now is again how to handle & manage websites & Proxys using name&password login datas?So I got only the main paramters...

Proxy address
Proxy login datas Name:Password (http or https)

URL address /login path         (http or https)
URL login datas Name:Password

Now I need to know when using POST method with message body + what to enter in message body and when using just the GET method with Basic type & bass64 hash Auth....request in header etc?You know what I mean right?Just wanna know how to handle all those possible diffrent situations and to send correctly login data requests to the servers to get successfully response back.Maybe you can help and or have some examples etc.Thank you.

greetz

Share this post


Link to post
whoknows

truly, lost you... pasting some functions for GET/POST, maybe is helpful 

 

function make_post_request($url, $params, $json) {
	
	$curl = curl_init();
	curl_setopt($curl, CURLOPT_URL, $url);
	curl_setopt($curl, CURLOPT_POST, true);


	if (!$json)
 	{ 
		curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
	}
	else {
		$params = json_encode($params);
		curl_setopt($curl, CURLOPT_POSTFIELDS, $params);
		curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json; charset=UTF-8', 'X-Accept: application/json'));
	}

	// display header
	// curl_setopt( $curl , CURLOPT_HEADER, 1 ) ; 
	curl_setopt( $curl , CURLOPT_CUSTOMREQUEST , 'POST');
	curl_setopt( $curl , CURLOPT_SSL_VERIFYPEER , false ) ;		 // <--  u searching for this ?						
	curl_setopt( $curl , CURLOPT_RETURNTRANSFER , true ) ;								
	curl_setopt( $curl , CURLOPT_TIMEOUT , 5 ) ;

	$response = curl_exec($curl);
	
	//	http status code
	//	$status = curl_getinfo($c, CURLINFO_HTTP_CODE);
	//	var_dump($status);
	
	curl_close($curl);
	
	return json_decode($response);

}


function make_get_request($url, $params) {
	
	$c = curl_init();
	
	$url .= '?' . http_build_query($params);

	curl_setopt($c, CURLOPT_URL, $url);
		
	curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
//	curl_setopt($c, CURLOPT_HEADER, true);
/*	curl_setopt($c, CURLOPT_FOLLOWLOCATION, true);
	curl_setopt($c, CURLINFO_HEADER_OUT, true);*/
	curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
	
	$response = curl_exec($c);

/*	$status = curl_getinfo($c, CURLINFO_HTTP_CODE);
	
	var_dump($status);*/
	curl_close($c);
	
	return json_decode($response);

}

 

Quote

how to do it correctly and what to find out manually infos of specific pages I want to login like custom paramters etc if there are some I need to use etc.

once user login, store info to session variable at any page you can get any info stored. ex. ata login page 

$r is a recordset

			$_SESSION['mail'] = $_POST['email'];
			$_SESSION['u'] = $r['fullname'];
			$_SESSION['id'] = $r['user_id'];
			$_SESSION['level'] = $r['user_level_id'];

then on any page, u can read the variable
$_SESSION[??] 

//always u have to use @ the top
@session_start();

 

 

what is the need? you are on HTTP and what ?

 

ref curl w/o https :

serverfault.com/a/469825

  • Like 1

Share this post


Link to post
LCF-AT

Hi again,

so I just wanna know what kind of login requests I have to send for any XY sites.Are there parameters I have to know before or are there basic parameters I need to send etc?

Example: Today I did run fiddler again during login on tuts4you to see what requests was send to do the login process.The browser does send a POST request like this...

POST https://forum.tuts4you.com/login/ HTTP/1.1
Host: forum.tuts4you.com
User-Agent: Mozilla/5.0
Referer: https://forum.tuts4you.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 208 <--- messagebody size below
Origin: https://forum.tuts4you.com
Connection: keep-alive
Cookie: ips4_IPSSessionFront=*; ips4_guestTime=*; ips4_forum_view=*; ips4_ipsTimezone=*; ips4_hasJS=*; ips4_noCache=*
Upgrade-Insecure-Requests: 1

csrfKey=*
&ref=*
&auth=* <--- username
&password=* <--- password
&remember_me=*
&anonymous=*
&_processLogin=*
&_processLogin=*

....my question now is how to make this manually and how to find out the messagebody paramter names & values I have to send?Do you know what I mean?

1.) How to check or find out whether I need to send a POST request for tuts4you to send logindatas?Why not a GET request a Authorization paramter?Lets say I have login datas for diffrent sites I wanna send login requests and somehow I must know before what kind of requests I have to send or I should find it out anyhow when sending some requests.How to know that?

2.) Lets say I send POST requests so in that case I should find out or know what kind of variable names + content I have to send to the server.In the example above you can see 8 paramters names & values I marked with a *,How the heck should I know all that paramters before or do I not need to send them all?How to manage a login on tuts4you using Curl?I only have the login datas I could send anyhow but I dont have thise values for the other paramters like ref or csrfKey hash xy etc you know.

So when I wanna send a POST request in Curl then I have to use the -d paramter like this...

curl -c cookie.txt -d "auth=someuser" -d "password=somepass" https://forum.tuts4you.com/login

...(didnt tried it yet whether it would work or not) but here I need first to find out the paramters I need to send like auth & password + knowing that this sites does accept the POST request and  not GET for login datas etc.

- is it enough only to find out & send the username & password paramters and to skip all possible other paramters which would maybe only be relevant when using a browser?

In case of tuts4you I get a 301 Moved Permanently message back in fiddler to a location of "forum.tuts4you.com/?_fromLogin=1" and with some new cookies....

Set-Cookie: ips4_guestTime=*
Set-Cookie: ips4_device_key=*
Set-Cookie: ips4_guestTime=*
Set-Cookie: ips4_IPSSessionFront=*
Set-Cookie: ips4_member_id=*
Set-Cookie: ips4_login_key=* <--- 
Set-Cookie: ips4_loggedIn=*
Set-Cookie: ips4_noCache=*

.....and question here is how to verify whether the login datas I did send was accepted?You said I have to check the cookie entrys about that but for this I also need to know the cookie names I have to check for like isp4_login_key etc.

Maybe one more time.I just wanna know what I need to know before or find out before "manually" and what not.Lets say I send something like that....

POST https://forum.tuts4you.com/ HTTP/1.1
Host: forum.tuts4you.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 35 <--- messagebody size below
Connection: keep-alive

username=LetMeInHere&password=12345

....would that work?I dont think so.Problem 1 = missing login path url right?In case of tuts4you it is forum.tuts4you.com/login/ = first paramter I need to KNOW before and find out manually.Next point are the used paramters in messagebody.I just used username & password but would the server of t4y accept that?Above we have seen no username paramter only a auth paramter where the username itself comes in.So that means a request with a username paramter would fail...right?It means I also have to find out those paramters manually too?So anyhow its total stupid to check & find out all possible paramters for any XY sites I need to send when I wanna send a login request.Is that true or do think again in any wrong direction?So could anyone bring some light in my questions and telling me some answers how to manage that etc?Thank you.

greetz

Share this post


Link to post
whoknows

CSRF tokens

https://stackoverflow.com/a/33829607

https://www.hhutzler.de/blog/using-curl/

https://www.google.com/search?q=curl+login+with+CSRF

--

On all modern login system there are 'validation' like this... 

 

What I have done in the past, is to use CefSharp library (or even the plain WebBrowser of .NET frm), load the page @ browser set the values to inputboxes and submit the form to the server by clicking the submit button by JS code. ex

document.querySelector('.ovm-ClassificationBarButton-18');
restoreTAB.click();

 

  • Like 1

Share this post


Link to post
LCF-AT

Hi again,

just to make it more understandable for me.....does it really mean that there is NO basic method to send a login request template for any site?Does it really mean that every site / Proxy etc has a own verification / template / method I have to find out first?For any site?So this is really PITA! :( It also makes all much more complexer to build any own client code.So in this case I can forget it. :(

greetz

Share this post


Link to post
Progman

Every site especially nowadays can be quite different.

Not only the form fields which can change need to be identified but persistent login options, one or more redirects can occur, cookies are dropped and must be forwarded, browser headers are checked and per browser details involved.  Sometimes custom headers are added, there is CSRF, sometimes client side Javascript is doing some key changes to headers or the request maybe encrypting or encoding, sometimes a captcha will come about some just monitoring mouse movements others requiring specific valid input, sometimes the site loads important cookies from other sites, SSL considerations with client or server side certificates, the original HTML spec even had authentication options like basic and digest, even NTLM Windows auth is possible through digest as I recall.

So best to create your generic template which deals with all of these things and have per site settings which guide the template.  It's a real project for sure but not impossible.  But yea a pain indeed.

  • Like 1

Share this post


Link to post
whoknows
Posted (edited)

@LCF-AT 

Quote

 I have to find out first?For any site?

sure, is like, is diff executable, depends on author.

 

apart from diff server validations 

each form has diff name for elements, ex

spacer.png

 

these names take place when POST/GET to the server when u click 'login' or whatever..

 

spacer.png

Edited by whoknows (see edit history)
  • Like 1

Share this post


Link to post
LCF-AT

Hi guys,

thanks for the feedback again.So this really sounds like hell to build any own client code without to build a browser engine to find out what kind of validation any xy site does request.So why is this validation so dynamic?Sound like that any server could also use any own request method XY instread GET / POST etc like GET_IT or whatever you know.All in all its just bad for me now so there are too much diffrent variables to handle and to know before.This just sucks. :(

greetz

  • Haha 1

Share this post


Link to post
Progman

Probably it's like this because the HTML standard is too loose and flexible in a way that makes uniformity on security issues something unlikely to ever happen at this point.  Dynamic aspects even more so are to increase security or even business model.

As much as many of us want to see this be easily scrptable, businesses are working hard to ensure in fact just the opposite.  So many bots doing phony stuff nowadays for one, and sometimes data leaching is desired to be prevented because the data and bandwidth have value.  Some businesses want you to have to manually go through login and clicking to simply make it cumbersome to both waste your time and energy and keep things complicated enough that you might make a mistake.  I would really like a script which logs in and downloads, renames appropriately and saves all bill or bank statements every month for example.

But its cumbersome and tedious at best to script and if a captcha comes likely you need to interrupt the automation for a short user browser interaction before proceeding.  Unless you want to automate that with special built neural nets.  I've yet to see one that makes human like mouse movement but the bot networks out there probably have it albeit it's not public.

  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...