CURL LOGIN


simpjd

I'm trying to log in to a site using curl. The problem is that the site uses a token to log in that changes every 10 seconds and every time the page loads.

 

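// Fetch the login page
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$output = curl_exec($ch);
// Split the HTML on <table> tags, then split the third chunk on double quotes
$output = preg_split("/(<table[^>]*>|<\/table>)/", $output);
$output = preg_split('/"/', $output[2]);
// The token is the sixth quote-delimited field
$token = $output[5];
curl_close($ch);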

 

This script gets the token from the login page but when I write another script to login using that token, a new token is produced when the next curl session accesses the page and makes the login invalid!

 

 

Can anyone help?

Link to comment
Share on other sites

This script gets the token from the login page but when I write another script to login using that token, a new token is produced when the next curl session accesses the page and makes the login invalid!

 

Do you mind explaining what exactly this is for?  I'm not assuming it's malicious, just curious...

Link to comment
Share on other sites

There's always a way in.  If a browser can do it, so can cURL.

 

The only real question is: is it worth it?  Chances are, if these blocks are in place, you're in violation of site agreements for how you're retrieving the information, and they can come after you if you try to use whatever you're scraping for anything.  And since they control the server, it's also pretty easy to get into a cat and mouse game of them trying a new way to block and you having to circumvent it, and it gets to be a royal PITA.

 

And simpjd, you're probably not going to get much help from this forum on it unless you have a legitimate need to do it and can explain that to us.

Link to comment
Share on other sites

it's also pretty easy to get into a cat and mouse game of them trying a new way to block and you having to circumvent it, and it gets to be a royal PITA.

 

 

Nothing gives more satisfaction than changing content on a web site for a certain referrer or IP to something nasty.

Link to comment
Share on other sites

it's also pretty easy to get into a cat and mouse game of them trying a new way to block and you having to circumvent it, and it gets to be a royal PITA.

 

 

Nothing gives more satisfaction than changing content on a web site for a certain referrer or IP to something nasty.

 

Sorry, I had to laugh at that, hahaha...

Link to comment
Share on other sites

What I am trying to do is to automatically log into my online banking, retrieve my balance and then log out. I find it a pain to log in on a daily basis to check my balance. I have my own website on which I have done this for a few other things with lesser security with curl, and websites like PayPal have great little API tools for getting such information. Unfortunately my bank does not. My overall aim is to have all the information I need on my website so I don't have to spend time surfing the internet in order to check things.

 

 

Jack

Link to comment
Share on other sites

No, don't do that ...

What about people sniffing people's IP address? No way.

There's a good reason banks get you to log in.

f*** that i dear sorry that scary.

Think about it, if they can really get into
something using the secure token, then you and
me, have no chance keeping any one out.

If you achieve this idea your next post will be,
I am skint and someone is having a whale of a time with my money.

 

 

Link to comment
Share on other sites

The reason sites use tokens is to stop people doing precisely what it is you're trying to do. Good luck.

 

Tokens are used more to prevent CSRF (cross-site request forgery) attacks than to prevent automation.

 

This is the logout URL on our forum: http://www.phpfreaks.com/forums/index.php?action=logout

 

If I wanted to be annoying then I could do <img src="http://www.phpfreaks.com/forums/index.php?action=logout" width="0" height="0"> on a website, and all people who happened to be logged in here would be logged out. I'm sure you can imagine more malicious things to do than simply logging people out.

 

EXCEPT, that URL requires a token. Without a valid token it doesn't actually work (try to click it, it won't work).

 

http://www.phpfreaks.com/tutorial/php-security/page8

 

No, don't do that ...

What about people sniffing people's IP address? No way.

There's a good reason banks get you to log in.

f*** that i dear sorry that scary.

Think about it, if they can really get into
something using the secure token, then you and
me, have no chance keeping any one out.

If you achieve this idea your next post will be,
I am skint and someone is having a whale of a time with my money.

 

Whether your browser or your script is the UA doesn't change anything. It's equally (in)secure. It will be making the same requests over the same protocol from the same machine to the same machine.

Link to comment
Share on other sites

Yes,

 

That's why high paid programmers get paid so much,
they're always changing things around to prevent problems like that.

World known hackers get employed to work alongside programmers
to prevent these things.

Nothing is 100% safe, definitely not on the internet.

 

 

Link to comment
Share on other sites

Ok,

 

These tokens seem to be a useful tool for session authentication! Does anyone know of a good education resource about security tokens? I would like to implement them onto my site!

 

Back to my original problem, so the risks seem to be the same, I'm quite new to curl, can someone help me??

Link to comment
Share on other sites

No way not clicking that...

 

hahahahahahahaha

 

You're not clicking what? The logout link?

 

1) I'm an admin here. Why would I screw with our users?

2) Even if I lied, you clicked on it and got logged out, so what? You can just log in again.

3) Compare the URL to the URL of the logout link on the top of the page. You'll see it has a token.

4) See attached screenshot.

 

Oh ok.....

 

I don't really know about the security risks. Isn't using curl really just the same as logging in normally? If people can sniff a curl connection using SSL, can't people "sniff" form data once it is sent?

 

It isn't more insecure. Don't listen to redarrow.

 

These tokens seem to be a useful tool for session authentication! Does anyone know of a good education resource about security tokens? I would like to implement them onto my site!

 

See my link a few posts up.

 

Back to my original problem, so the risks seem to be the same, I'm quite new to curl, can someone help me??

 

HTTP is a stateless protocol. You need to use CURL_COOKIE, CURL_COOKIEFILE and CURL_COOKIEJAR using curl_setopt.

 

[attachment deleted by admin]

Link to comment
Share on other sites

That depends on how well he is able to protect that script. This forum's configuration file has the MySQL user's password stored in plain text too for instance. We're pretty confident that no unauthorized people would get access to that file though, so that's not a problem.

Link to comment
Share on other sites

You essentially just need to generate a random, high entropy string. Store that using sessions and put it in the URL (or a hidden form field or whatever). Then just check if it matches on the next page. You could also just use the session id, which you can get using session_id.

 

A high tier programmer like you should easily be able to whip something together. PHP is for life you know ;)

Link to comment
Share on other sites
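Added example, not part of any post in this thread: a minimal per-session CSRF token in PHP, following the recipe in the post above (random high-entropy string, stored in the session, checked on the next request) and applied to the logout-link case described earlier. The function names, the `csrf_token` session key and the `token` query parameter are assumptions made for illustration, not the forum software's own code.

```php
<?php
// Added example: per-session CSRF token. All names here are illustrative.

/** Return the session's token, creating it on first use. */
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded: 256 bits of entropy.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if the submitted value matches the token stored for this session. */
function csrf_verify(array $session, $submitted): bool
{
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($submitted) || $expected === '') {
        // Missing token, array-valued input (?token[]=x), or no token issued yet.
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

/** State-changing action: refuses to run without a valid token. */
function handle_logout(array &$session, array $query): string
{
    if (!csrf_verify($session, $query['token'] ?? null)) {
        return 'rejected';
    }
    $session = []; // drop the login state
    return 'logged out';
}

// Constructed demo for the command line. In a web request you would call
// session_start() and pass $_SESSION and $_GET instead of these arrays.
if (PHP_SAPI === 'cli') {
    $session = ['user' => 'alice'];   // constructed sample session
    $token   = csrf_issue($session);  // embedded in the site's own logout link

    // Request triggered from another site: it cannot read the token.
    echo handle_logout($session, ['action' => 'logout']), "\n";
    // Request carrying a guessed value.
    echo handle_logout($session, ['action' => 'logout', 'token' => 'guess']), "\n";
    // Request from the link rendered on the site's own page.
    echo handle_logout($session, ['action' => 'logout', 'token' => $token]), "\n";
}
```

The token only needs to be unpredictable and bound to the session; it does not have to change on every page load for the check to stop forged requests.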

HTTP is a stateless protocol. You need to use CURL_COOKIE, CURL_COOKIEFILE and CURL_COOKIEJAR using curl_setopt.

 

Thanks for your help, I know how to start a cookie session in order to stay logged in, the problem is how to get the token and then send a login POST without GETTING the page twice.....I need to read the page in order to get the token and then submit the POST.....

 

Hope this makes sense...

Link to comment
Share on other sites

That was funny cracking up.

 

 

I am already doing that dan lol.

 

Thought it was something I was missing.

That's it, after all them pages I just read on Apache.

well explained Apache needs you.

PHP is my life, wish I knew it all.

 

 

 

 

 

 

Link to comment
Share on other sites

Thanks for your help, I know how to start a cookie session in order to stay logged in, the problem is how to get the token and then send a login POST without GETTING the page twice.....I need to read the page in order to get the token and then submit the POST.....

 

Hope this makes sense...

 

No, that's not the problem. As I said, HTTP is a stateless protocol. This request is entirely separate from the next requests from the web server's point of view. You need to get CURL to store the cookie so you can "add state". This is why your token changes.

 

Oh and also, On my website I currently store the session id in mysql when the user logs in and check it on every page, does this do the same as a token? Does the token not need to change?

 

No, it does not. CSRF attacks work because they are executed as being that user. The tokens counter that because you cannot actually get the SID or token. You can only get people to make requests and hope it'll do something bad.

Link to comment
Share on other sites

Fantastic!

 

So I used:

 

// First request: save the cookies the server sets to cookie.txt
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
// Certificate verification is switched off here, so the server is not authenticated
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$output = curl_exec($ch);
$output = preg_split("/(<table[^>]*>|<\/table>)/", $output);
$output = preg_split('/"/', $output[2]);
echo $output[5];
curl_close($ch);

// Second request: send the saved cookies back so the server sees the same session
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$output = curl_exec($ch);
$output = preg_split("/(<table[^>]*>|<\/table>)/", $output);
$output = preg_split('/"/', $output[2]);
echo $output[5];
curl_close($ch);

 

 

To generate the token twice for testing purposes. This code used to read two very different values, but after implementing the cookie the values are nearly identical...

 

Here is an example:

 

040924885853-1894922651-01633669330

040924885853-1894922651-01633669331

 

The first token always ends in 0 and the second always in 1....why do you think this is?

 

p.s. thank you for all your help so far!!!

 

 

also, so in an attempt to make my site secure, I've heard of session jacking....although my site is now protected against basic links that CSRF, can people not "jack" the session in order to get the session id....or something? please excuse my ignorance!

Link to comment
Share on other sites
