CODEWITHSUNDEEP
c#httpcsrfwebrequest
user6921302
user6921302

Reputation:

C# WebRequest - HTTP: 403 Forbidden ('_xsrf' argument missing from POST)

I'm stucked here at getting a WebResponse from HTTPWebRequest.

The WebRequest.GetResponse() Method throws a WebException ("500 Internal Server Error"). When i read the returned HTML it says:

HTTP 403: Forbidden ('_xsrf' argument missing from POST)

Anyone knows this Error or knows what Im doing wrong?

(Im trying to log in to a Website using POST)

EDIT: My sourcecode:

      private String GetLoginCookies(String pHTTPurl, String pUserIDwithFormID, String pPasswordWithFormID)
  {
     String loginPageUrl = pHTTPurl;
     CookieContainer cookieContainer = new CookieContainer();
     var Request = (HttpWebRequest)WebRequest.Create(loginPageUrl);
     Request.CookieContainer = cookieContainer;
     Request.Method = "GET";

     WebResponse Response = Request.GetResponse();

     HttpWebResponse HttpResponse = Response as HttpWebResponse;

     CookieCollection cookies = null;
     if (HttpResponse != null)
     {
        //Cookies die benötigt werden um den Loginvorgang abzuschließen
        cookies = HttpResponse.Cookies;
     }

     string formParams = string.Format(pUserIDwithFormID + "&" + pPasswordWithFormID);


     Request = (HttpWebRequest)WebRequest.Create(loginPageUrl);
     Request.CookieContainer = cookieContainer;
     Request.UserAgent = "I am not a Bot! Ok maybe..";
     WebResponse resp = null;
     Request.ContentType = "application/x-www-form-urlencoded";
     Request.Method = "POST";
     byte[] bytes = Encoding.ASCII.GetBytes(formParams);
     Request.ContentLength = bytes.Length;
     using (Stream os = Request.GetRequestStream())
     {
        os.Write(bytes, 0, bytes.Length);
     }
     try
     {
        resp = Request.GetResponse();
        using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
        {
           String TestResponse = sr.ReadToEnd();
        }
     }
     catch (WebException WE)
     {
        DebugConsole.AppendText("HTTP Error:" + WE.Message + Environment.NewLine);
        String HTML = new StreamReader(WE.Response.GetResponseStream()).ReadToEnd();
        DebugConsole.AppendText(HTML);
        return null;
     }
     String cookieHeader = resp.Headers["Set-cookie"];
     if (String.IsNullOrEmpty(cookieHeader))
        return null;
     else
        return cookieHeader;
  }

Upvotes: 1

Views: 904

Answers (2)

user6921302
user6921302

Reputation:

OK! Solution found!

After getting the response of the Log-In site, search in the "Set-cookie" Header for _xsrf. This is the Token you have to put in the header of the next POST request.

Upvotes: 0

alaa_sayegh
alaa_sayegh

Reputation: 2211

This is actually because the web method requires anti csrf (cross site request forgery, more info here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) validation parameter. What you can do, is to append the csrf value to the request header:

postHeaders.Add("X-CSRFToken", CSRF);

Maybe you can paste your source code here if you need any help with that, so we can look after it

Upvotes: 1

Related Questions