More features - Githubissues

tommy31 commented 7 years ago

Hi, Thank you for your code. This help me a lot to start my own project.

After login in i update session cookie and token then i try to set mobile data to disable.

Did you find a way to pass this error after login in :

{ code: '125003', message: 'Session tokens missing' }

Thanks for reading, Tom

ishan-marikar commented 6 years ago

Hello there!

Sorry I've been away. I was a bit too overwhelmed with work and couldn't work on this. I'll look into this issue and update you in a while.

julianmejio commented 6 years ago

Hello. I was looking for a while about this issue, and I found that the __RequestVerificationToken sent in the request is actually a CSRF token printed in the HTML code as a metatag. The test case I did is:

(As a logged user)

Access to the function via browser, i.e. Restart page
Take a look to the meta elements in the HTML code, looking for name="csrf_token"
Save the content of the meta elements.
Do the action, i.e. click on Restart button
In the request, find the __RequestVerificationToken and take a look to the content.

The value of that header is the same of the CSRF token.

Notes:

The contents of csrf_token changes in every page.
There are two csrf_token, but the action (at least the restart action) uses always the first one.
The csrf_token is HTML-generated. A curl can access to this using the token info used for the login command.
I DON'T KNOW if this is the real issue. I don't know if fixing this issue will allow pass the actions that require a login, but it's a start.

Disclaimer: I don't know if the API uses another (or alternatives) values for __RequestVerificationToken, nor if the correct value of __RequestVerificationToken can be extracted from another part (maybe XORing with perfect timing the values of the already known tokens) - By design the that kind of CSRF tokens should be only present in the source page and can't be generated using seeds, but this is not CSRF, this is another kind of mechanism called that way.

This is only the result of a couple-of-hours research and should be further investigated.

example_csrf

julianmejio commented 6 years ago

After some hours I wrote a Proof of concept, and it worked as expected.

Code of PoC: https://gist.github.com/julianmejio/8df739bbdca10c045f7534d4e96e0eec

I hope it helps a bit.

ishan-marikar / dialog-router-api

More features #4