Hello nairaland
I am an ethical hacker am trying to programmatically log into a website , I successfully gained access nairaland and some other tough sites and it worked because nairaland does have much security for that .

But when I try to login to some other sites it won’t work cus I may not have supplied the right cookie as a real browser would or sometimes there are some client side tokens that are difficult to find out where they where generated .


Abeg who sabi web pentesting very well , make we meet abeg

I can’t believe my eyes , is there no ethical hacker in this forum ?

DexterTech:
Hello nairaland
I am an ethical hacker am trying to programmatically log into a website , I successfully gained access nairaland and some other tough sites and it worked because nairaland does have much security for that .

But when I try to login to some other sites it won’t work cus I may not have supplied the right cookie as a real browser would or sometimes there are some client side tokens that are difficult to find out where they where generated .


Abeg who sabi web pentesting very well , make we meet abeg

You're basically trying to either steal auth tokens or perform session id randomness to hijack user's session. Intercept the requests with burp and analyze it in the sequencer. Should show all hidden tokens.

Thanks bro, I was using fiddler and chrome network development tester it only showed me the url parameters, and a cookie which I don’t know where it came from . I will try with burp and give you reply .

Thanks man

EvilSec:

You're basically trying to either steal auth tokens or perform session id randomness to hijack user's session. Intercept the requests with burp and analyze it in the sequencer. Should show all hidden tokens.

This guy that relies on copy n paste solutions

DexterTech:
Thanks bro, I was using fiddler and chrome network development tester it only showed me the url parameters, and a cookie which I don’t know where it came from . I will try with burp and give you reply .

Thanks man

You're welcome.

modestbrowser:

This guy that relies on copy n paste solutions

I've got stalkers now? Where in my post did you see copy and paste?

DexterTech:
Thanks bro, I was using fiddler and chrome network development tester it only showed me the url parameters, and a cookie which I don’t know where it came from . I will try with burp and give you reply .

Thanks man

what do you mean by hidden cookie?
I use fiddler to capture network requests. But isn't it the same as checking your network tab on your browser and copying the request headers?

holuphisayor:

what do you mean by hidden cookie?
I use fiddler to capture network requests. But isn't it the same as checking your network tab on your browser and copying the request headers?

It will capture the request headers quite alright,
In the same request header there are some essential cookies sent along with the request. And if the server does not see that cookie it won’t give the right response, and in this case the cookie is unique for each request and I don’t know where it came from using chrome network tester or fiddler .


In some other sites it might be a token generated by an algorithm that can be sent back as a cookie or as a csrf token along with the request. And if the token or cookie does not match the algorithm the server will return a bad response.

The problem is this sites hide the way this cookie or csrf are gotten so no one can send post or get request to the server without using a Webbrowser

DexterTech:


It will capture the request headers quite alright,
In the same request header there are some essential cookies sent along with the request. And if the server does not see that cookie it won’t give the right response, and in this case the cookie is unique for each request and I don’t know where it came from using chrome network tester or fiddler .


In some other sites it might be a token generated by an algorithm that can be sent back as a cookie or as a csrf token along with the request. And if the token or cookie does not match the algorithm the server will return a bad response.

The problem is this sites hide the way this cookie or csrf are gotten so no one can send post or get request to the server without using a Webbrowser

Have you tried puppeteer?
Since, you already know the problem.

holuphisayor:

Have you tried puppeteer?
Since, you already know the problem.

puppeteer Is a node.js library and I’m guessing it will it will do the job , but how fast can it run

Can I have your phone number or email ?

DexterTech:


puppeteer Is a node.js library and I’m guessing it will it will do the job , but how fast can it run

Can I have your phone number or email ?

It's headless by default.
share ur whatsapp I'll contact u.

holuphisayor:

It's headless by default.
share ur whatsapp I'll contact u.

+2347060******

DexterTech:



+2347......

Seen

Must it be in js or can it be called from another language like python

Which site are you trying to login to, let me see

Echatbook:
Which site are you trying to login to, let me see

If I should mention the site, some people might miss behave.

Should I drop my contact or you drop yours so I can paste it on WhatsApp

GO LEARN WEB APPLICATION PENTESTING. LEARN HOW TO USE BURPSUITE AND THE LIKES.


I HAVE READ VARIOUS COMMENTS FROM WANNABE NIGERIAN HACKERS AND ONE THING I CAN SAY IS THAT THEIR SHALLOW MENTALITY IS BEYOND SHOCKING. HOW CAN THEY ALWAYS SAY THAT USING HACKING TOOLS MAKES ONE A SKID AND AN AMATEUR? THEY ALWAYS SAY THAT ONE MUST WRITE HIS OWN HACKINGTOOLS. INDEED NIGERIAN HACKERS HERE ON NAIRALAND ARE BEYOND STUPID.


EVEN NSA HACKERS USES HACKING TOOLS WRITTEN BY THE NSA. ITS THIS SAME NSA HACKING TOOLS LIKE WANNACRY, EMOTET, ETC THAT ARE LEAKED THAT HACKERS MODIFY AND USE TO CAUSE HAVOC.



RUSSIAN HACKERS USES HACKING TOOLS. THE WORLD BEST HACKERS , HACKING ORGS USES HACKING TOOLS SO WHERE NIGERIAN HACKERS GET THAT STUPID MENTALITY FROM IS A PROOF THAT INDEED NIGERIA IS CURSED.

Now that's a whole lot of unnecessary information.

DexterTech:



If I should mention the site, some people might miss behave.

Should I drop my contact or you drop yours so I can paste it on WhatsApp

You can drop yours

jibrilELsudan:
GO LEARN WEB APPLICATION PENTESTING. LEARN HOW TO USE BURPSUITE AND THE LIKES.


I HAVE READ VARIOUS COMMENTS FROM WANNABE NIGERIAN HACKERS AND ONE THING I CAN SAY IS THAT THEIR SHALLOW MENTALITY IS BEYOND SHOCKING. HOW CAN THEY ALWAYS SAY THAT USING HACKING TOOLS MAKES ONE A SKID AND AN AMATEUR? THEY ALWAYS SAY THAT ONE MUST WRITE HIS OWN HACKINGTOOLS. INDEED NIGERIAN HACKERS HERE ON NAIRALAND ARE BEYOND STUPID.


EVEN NSA HACKERS USES HACKING TOOLS WRITTEN BY THE NSA. ITS THIS SAME NSA HACKING TOOLS LIKE WANNACRY, EMOTET, ETC THAT ARE LEAKED THAT HACKERS MODIFY AND USE TO CAUSE HAVOC.



RUSSIAN HACKERS USES HACKING TOOLS. THE WORLD BEST HACKERS , HACKING ORGS USES HACKING TOOLS SO WHERE NIGERIAN HACKERS GET THAT STUPID MENTALITY FROM IS A PROOF THAT INDEED NIGERIA IS CURSED.

Do you know the meaning of HTML?

modestbrowser:

Do you know the meaning of HTML?

YES. IT'S THE PASSWORD TO YOUR WIFE'S TOWTOW.

jibrilELsudan:




YES. IT'S THE PASSWORD TO YOUR WIFE'S TOWTOW.

Lols...
Funny enough i have used that same picture b4

modestbrowser:

Do you know the meaning of HTML?

what a stupid irrelevant question.

Godsfavour78:
what a stupid irrelevant question.

How

Echatbook:

You can drop yours

+2347060****1. WhatsApp

DexterTech:
Hello nairaland
I am an ethical hacker am trying to programmatically log into a website , I successfully gained access nairaland and some other tough sites and it worked because nairaland does have much security for that .

But when I try to login to some other sites it won’t work cus I may not have supplied the right cookie as a real browser would or sometimes there are some client side tokens that are difficult to find out where they where generated .


Abeg who sabi web pentesting very well , make we meet abeg

I can now put u through.... It's easy
Only on Node.js tho

modestbrowser:


I can now put u through.... It's easy
Only on Node.js tho

I know it’s achieveable with node.js , I’m trying to achieve this using c# or vb.net

DexterTech:

I know it’s achieveable with node.js , I’m trying to achieve this using c# or vb.net

Ok... U didn't state it.

modestbrowser:

Ok... U didn't state it.

Yeah, I used fiddler to capture all required cookies, headers and post parameters. The thing is any time the form is submitted the JavaScript unsubmit(); Code adds some other custom cookies and parameters which are not visible in the pure html source code . The JavaScript code is very bulky so how can I detect which code is executed on form submit(); and detect how those cookies or parameters are gotten and implement it with c# for a successful login

jibrilELsudan:



YES. IT'S THE PASSWORD TO YOUR WIFE'S TOWTOW.

wawwwuu