More features #4

Open
tommy31 opened this issue Aug 27, 2017 · 3 comments

Comments


tommy31 commented Aug 27, 2017

Hi,
Thank you for your code. This helped me a lot to start my own project.

After logging in, I update the session cookie and token, then I try to set mobile data to disabled.

Did you find a way to pass this error after logging in:

{ code: '125003', message: 'Session tokens missing' }

Thanks for reading,
Tom

@ishan-marikar
Owner

Hello there!

Sorry I've been away. I was a bit too overwhelmed with work and couldn't work on this. I'll look into this issue and update you in a while.


julianmejio commented Sep 28, 2018

Hello. I was looking into this issue for a while, and I found that the __RequestVerificationToken sent in the request is actually a CSRF token printed in the HTML code as a meta tag. The test case I did is:

(As a logged-in user)

  1. Access the function via browser, i.e. Restart page
  2. Take a look at the meta elements in the HTML code, looking for name="csrf_token"
  3. Save the content of the meta elements.
  4. Do the action, i.e. click on the Restart button
  5. In the request, find the __RequestVerificationToken and take a look at the content.

The value of that header is the same as the CSRF token.

Notes:

  • The contents of csrf_token change on every page.
  • There are two csrf_token elements, but the action (at least the restart action) always uses the first one.
  • The csrf_token is HTML-generated. A curl request can access this using the token info used for the login command.
  • I DON'T KNOW if this is the real issue. I don't know if fixing this issue will allow passing the actions that require a login, but it's a start.

Disclaimer:
I don't know if the API uses another (or alternative) values for __RequestVerificationToken, nor if the correct value of __RequestVerificationToken can be extracted from another part (maybe XORing with perfect timing the values of the already known tokens). By design, that kind of CSRF token should only be present in the source page and can't be generated using seeds, but this is not CSRF; this is another kind of mechanism called that way.

This is only the result of a couple-of-hours research and should be further investigated.

example_csrf
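
An added example, not part of the thread or the project's code: a Node.js sketch of the token handling described in the comment above, which reads the `csrf_token` meta elements from a freshly fetched page and sends the first one as `__RequestVerificationToken`. The sample HTML, the cookie value and the function names are constructed for illustration.

```javascript
// Constructed sample page: two csrf_token meta elements, with the
// attributes in different orders, plus an unrelated meta element.
const SAMPLE_PAGE = `<html><head>
<meta name="csrf_token" content="tokAAAA1111"/>
<meta content="tokBBBB2222" name="csrf_token">
<meta name="viewport" content="width=device-width">
</head><body></body></html>`;

// Return every csrf_token meta value in document order,
// regardless of attribute order or quote style.
function extractCsrfTokens(html) {
  const tokens = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attrs = {};
    for (const [, key, , val] of tag.matchAll(/([\w-]+)\s*=\s*(["'])(.*?)\2/g)) {
      attrs[key.toLowerCase()] = val;
    }
    if (attrs.name === 'csrf_token' && attrs.content) {
      tokens.push(attrs.content);
    }
  }
  return tokens;
}

// Build the headers for one action. The token changes on every page, so
// pageHtml must be the page fetched immediately before the action; a token
// cached from an earlier page is expected to be rejected.
function buildActionHeaders(pageHtml, sessionCookie) {
  const tokens = extractCsrfTokens(pageHtml);
  if (tokens.length === 0) {
    // Typically means the page was fetched without a valid login session.
    throw new Error('no csrf_token meta element found in page');
  }
  return {
    Cookie: sessionCookie,
    // The thread reports that the action uses the first of the two tokens.
    __RequestVerificationToken: tokens[0],
  };
}

// Constructed cookie value, for demonstration only.
console.log(buildActionHeaders(SAMPLE_PAGE, 'SessionID=constructed-value'));
```
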

@julianmejio

After some hours I wrote a Proof of concept, and it worked as expected.

Code of PoC: https://gist.github.com/julianmejio/8df739bbdca10c045f7534d4e96e0eec

I hope it helps a bit.
