21Mar
Unable to login to Portswigger lab website with curl or javascript [closed]
I'm studying the basics of XSRF on Portswigger and I've completed Lab: CSRF vulnerability with no defenses with Firefox. I attempted to go a step further by completing the same lab from the terminal. However, when I send a request to the server, it returns the body of the login page, so authentication is not working, even though I've provided the username and password to access the account in the lab.
I aim to test logging in with curl and then automate it with JavaScript.
Here is the Zsh script:
#!/usr/bin/env zsh
# Two requests against the lab: one to /login that stores any cookies the
# server sets, then one to the account page that replays those cookies.
lab_base="https://0ad500d004b92108827b3d3c00770085.web-security-academy.net"
cookie_file=./tmpCookie.txt

# Request 1: /login, saving Set-Cookie values to the jar.
# NOTE(review): --user puts the credentials in an HTTP Basic Authorization
# header on a GET request; it does not submit a login form. If /login expects
# a form POST, the server would presumably ignore that header and answer with
# the login page again -- confirm against the form in the page source.
# The jar file holds the session cookie in cleartext; remove it when done.
curl --include --location --silent --compressed \
  --user 'wiener:peter' --cookie-jar "$cookie_file" \
  "${lab_base}/login"

# Request 2: account page, sending the cookies read back from the jar file.
curl --include --location --silent --compressed \
  --cookie "$cookie_file" \
  "${lab_base}/my-account?id=wiener"
Here is the JavaScript:
//!/usr/bin/env node
const req = require("axios"); // http requests
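/**
 * Post the credentials to the login endpoint and return the session token.
 *
 * @param {string} url - Login endpoint to post to.
 * @param {string} username - Account name.
 * @param {string} password - Account password.
 * @returns {Promise<string|null|undefined>} The value of the "session-token"
 *   response header (undefined when the header is absent), or null when the
 *   request fails.
 */
async function authenticate(url, username, password) {
  try {
    // axios serialises a plain object as a JSON body.
    // NOTE(review): an HTML login form is normally submitted as
    // application/x-www-form-urlencoded -- confirm what this endpoint accepts.
    const response = await req.post(url, { username, password });
    // Assuming server returns session token in headers.
    // NOTE(review): web sessions are usually delivered in a Set-Cookie
    // header instead -- verify against the actual response.
    return response.headers["session-token"];
  } catch (error) {
    // Log only the message and HTTP status. The full axios error object
    // carries the request config, including the serialised body with the
    // password, so printing it would write the credentials to the log.
    const message = error && error.message;
    const status =
      error && error.response ? error.response.status : "no response";
    console.error("Authentication failed:", message, `(HTTP status: ${status})`);
    return null;
  }
}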
/**
 * Entry point: log in to the lab with the wiener/peter account.
 * The returned token is not used yet; the authenticated requests that the
 * script is meant to make are not written.
 */
async function main() {
  const labHost = "https://0ad500d004b92108827b3d3c00770085.web-security-academy.net";
  const loginUrl = `${labHost}/login`;
  const sessionToken = await authenticate(loginUrl, "wiener", "peter");
}

main();