2013-03-28 203 views
0

Authenticating with HTTP::Request in Perl using LWP::UserAgent: CSRF problem

I am trying to log in to a website using Perl HTTP::Request and LWP::UserAgent. It tells me the CSRF token is not defined, even though I got it with Firebug. This is what I do:

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
my $useragent = LWP::UserAgent->new(keep_alive => 1);
$useragent->credentials('www.refer.org:80', '', '[email protected]', 'pwd');
my $request = HTTP::Request->new('POST', 'https://www.refer.org/account/signin',
HTTP::Headers->new()); # <add all headers found in the header>
my $response = $useragent->request($request);
print $response->as_string;

Here are the HTTP headers I found in Firebug:

Request URL:https://bla/login 
Request Method:POST 
Status Code:200 OK 
Request Headers
Accept:*/* 
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3 
Accept-Encoding:gzip,deflate,sdch 
Accept-Language:en-US,en;q=0.8,de;q=0.6 
Connection:keep-alive 
Content-Length:58 
Content-Type:application/x-www-form-urlencoded 
Cookie:logout=1364426556.61; sessionid=47b306354faa7357281a6cb1f0298df1; maestro_user=%7B%22id%22%3A%22%22%2C%22email_address%22%3A%22%22%2C%22external_id%22%3A%226c104964ceb5d7ceb4575cab729ba7aa%22%2C%22photo_24%22%3A%22%22%2C%22photo_60%22%3A%22%22%2C%22photo_120%22%3A%22%22%2C%22display_name%22%3A%22%22%2C%22full_name%22%3A%22%22%2C%22privacy%22%3A100%2C%22groups%22%3A%5B%5D%2C%22is_superuser%22%3Afalse%2C%22is_staff%22%3Afalse%2C%22identity_verified%22%3Afalse%2C%22locale%22%3A%22en_US%22%2C%22timezone%22%3A%22%22%7D; __utma=158142248.1347071395.1348726747.1364423066.1364426537.88; __utmb=158142248.4.10.1364426537; __utmc=158142248; __utmz=158142248.1348726747.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); csrftoken=zUZft9KwWmmogYbjR906daJB 
Host:https://www.referer.org/ 
Origin:https://www.referer.org/ 
Referer:https://www.referer.org/account/signin 
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 
X-CSRFToken:zUZft9KwWmmogYbjR906daJB 
X-Requested-With:XMLHttpRequest 

And here are the response headers from Firebug, in case anyone is interested:

Response Headers
Cache-Control:no-cache, no-store, must-revalidate 
Connection:keep-alive 
Content-Encoding:gzip 
Content-Length:725 
Content-Type:application/json 
Date:Wed, 27 Mar 2013 23:23:18 GMT 
Server:nginx/1.2.6 
Set-Cookie:sessionid=1ac9a133760f02c6fb8c61daebe7fc6d; expires=Wed, 10-Apr-2013 23:23:18 GMT; httponly; Max-Age=1209600; Path=/ 
Set- Cookie:maestro_login="cuPT1ZexESKY8gOQaLRRoBzxTnS0diEitb7Dy4g9h9FwfWO4PM5ppRYnQlLFM6++HX5TcA1lrrly5Fi/ie1bjw==|mRCAxgo374DL1N6yNRkDOh6Zony+s8InBTugfXb/ovuNff0LfudF6Z6mVP2qz2zxIgZ/kGUCbgRcb7+KUEvLPGY8AWBa2wCAV71fgUaAysm5NAPEaXV0k4C5ErQhOldAMVvyTspAR2PIXT+T2GY0mUGtUUTvZ1G2PI5knDjxQ2lnLuJNjEn0knrOA9bRspfAq8RwCl1cCSO5VjmrSquRlCEUf8MdUBD9Ea3abyKpDyfFx0vMBa2QMjxzOBYGqou8UPDizbjL4E6E5axmXl+wRt+QwpZNHASTh3l3h5Q90R2bWtLWlNQdC+mOlC4p0UXsQkIed9J7WXgQXpYbFNf6R7395LNJhr8mz0lQBWRimGBmqJCfpeKtYYACeH22QtXnRkgQxx44VmZ3XbaiKGKOdL7b/2kw9tJQxFZC/5bPQwemWxmJMfLW8YZtxdcugoKACnpyENjuxlHm7Ndt36KXKIq2rZdtwP8joLYpQQdkc6g="; expires=Fri, 26-Apr-2013 23:23:18 GMT; Max-Age=2592000; Path=/ 
Vary:Cookie 
Vary:Accept-Encoding 

And the response I get when I run the Perl code:

HTTP/1.1 403 FORBIDDEN 
Cache-Control: no-cache, no-store, must-revalidate 
Connection: keep-alive 
Date: Thu, 28 Mar 2013 07:17:48 GMT 
Server: nginx/1.2.6 
Vary: Accept-Encoding 
Content-Length: 1006 
Content-Type: text/html; charset=utf-8 
Content-Type: text/html; charset=utf-8 
Client-Date: Thu, 28 Mar 2013 07:17:48 GMT 
Client-Peer: xxx 
Client-Response-Num: 1 
Client-SSL-Cert-Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Client-SSL-Cert-Subject: /O=*.refer.org/OU=Domain Control Validated/CN=*.refer.org 
Client-SSL-Cipher: AES256-SHA 
Client-SSL-Warning: Peer certificate not verified 
Title: 403 Forbidden 
X-Meta-Robots: NONE,NOARCHIVE 


<!DOCTYPE html> 
<html lang="en"> 
<head> 
<meta http-equiv="content-type" content="text/html; charset=utf-8"> 
<meta name="robots" content="NONE,NOARCHIVE"> 
<title>403 Forbidden</title> 
<style type="text/css"> 
html * { padding:0; margin:0; } 
body * { padding:10px 20px; } 
body * * { padding:0; } 
body { font:small sans-serif; background:#eee; } 
body>div { border-bottom:1px solid #ddd; } 
h1 { font-weight:normal; margin-bottom:.4em; } 
h1 span { font-size:60%; color:#666; font-weight:normal; } 
#info { background:#f6f6f6; } 
#info ul { margin: 0.5em 4em; } 
#info p, #summary p { padding-top:10px; } 
#summary { background: #ffc; } 
#explanation { background:#eee; border-bottom: 0px none; } 
</style> 
</head> 
<body> 
<div id="summary"> 
<h1>Forbidden <span>(403)</span></h1> 
<p>CSRF verification failed. Request aborted.</p> 

</div> 
<div id="explanation"> 
<p><small>More information is available with DEBUG=True.</small></p> 
</div> 

</body> 
</html> 

I am not using "https://bla/login" as the link, since that website is not permanently available.

I will try WWW::Mechanize tomorrow. But here I would like to know whether there is another way to define the CSRF header?

Answer

1

I see a lot of problems in your code:

  • You don't POST but GET instead (you are not using your $req object!).
  • You don't send cookies to the target website, but Firefox does send some cookies.
  • You also didn't set the Referer header.

Life is short, so use WWW::Mechanize rather than pure LWP...

PS: you can set the headers like this:

$req->header("X-CSRFToken" => "zUZft9KwWmmogYbjR906daJB", Referer => 'http://www.test.com/', "X-Requested-With" => "XMLHttpRequest");
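The following is an added example, not code from the question or the answer, that puts the answer's three points (POST instead of GET, send the session cookies, set the Referer) together with the CSRF double-submit scheme visible in the question's Firebug capture: the server issues a csrftoken cookie and expects the same value back in the X-CSRFToken header, which is why a token copied from a different browser session is rejected with "CSRF verification failed". The host, the sign-in path and the form field names are assumptions; the only page-specific value reused is the /account/signin path.

```perl
#!/usr/bin/env perl
# Added example: log in to a Django-style sign-in endpoint with plain LWP,
# honouring the CSRF double-submit scheme seen in the question (csrftoken
# cookie + X-CSRFToken header) and the points raised in the answer
# (POST, cookies, Referer). Host, paths and form field names are assumptions.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

my $base   = 'https://www.example.org';      # assumed host
my $signin = "$base/account/signin";          # path taken from the question

# One agent for the whole session: the cookie jar keeps sessionid/csrftoken
# between requests, which is what the Perl code in the question lacked.
my $ua = LWP::UserAgent->new(
    agent      => 'Mozilla/5.0 (compatible; login-example)',
    cookie_jar => HTTP::Cookies->new,
    ssl_opts   => { verify_hostname => 1 },   # keep certificate checks on
    keep_alive => 1,
);

# Step 1: GET the sign-in page so the server sets the csrftoken cookie.
my $page = $ua->get($signin);
die "GET $signin failed: ", $page->status_line unless $page->is_success;

# Step 2: read the token back out of the jar instead of hard-coding a value
# copied from Firebug; tokens are per session, so a copied one is stale.
my $csrftoken = csrf_token_from_jar($ua->cookie_jar);
die "no csrftoken cookie received" unless defined $csrftoken;

# Step 3: POST the form with the token repeated in the X-CSRFToken header and
# a same-origin Referer; Django's CSRF middleware checks both over HTTPS.
my $resp = $ua->post(
    $signin,
    { email => 'user@example.org', password => 'secret' },   # assumed fields
    'X-CSRFToken'      => $csrftoken,
    'Referer'          => $signin,
    'Origin'           => $base,
    'X-Requested-With' => 'XMLHttpRequest',
);
print $resp->status_line, "\n";
print $resp->decoded_content, "\n" unless $resp->is_success;

# Pull the csrftoken cookie value out of an HTTP::Cookies jar (undef if absent).
sub csrf_token_from_jar {
    my ($jar) = @_;
    my $token;
    $jar->scan(sub {
        my ($version, $key, $val) = @_;
        $token = $val if $key eq 'csrftoken';
    });
    return $token;
}
```

The design point is that the token is never typed in by hand: the same cookie jar that received it supplies both the Cookie header and the X-CSRFToken value, so the two always match. The "Client-SSL-Warning: Peer certificate not verified" line in the question's output shows an agent talking to a server it has not authenticated; leaving verify_hostname at its default of 1 avoids sending credentials to an unverified peer.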


+0

Hi, indeed. That was a one-night anti-scraping script. Now I have added the real one. I defined the headers as you suggested – zina 2013-03-28 07:26:16
