Same request, different responses between Postman and axios (Node) - PullRequest
0 votes
/ March 27, 2020

I send a request with Postman and can log in. Using the same headers and data, I get a different response with axios in Node.

I compared the requests using Fiddler:
Postman data:

_csrf=8806aed7-f222-417f-a3aa-a0e3c0876075&loginMail=my.email%40email.com&loginWenkseSessionId=a419116a-0349-4da3-b78f-0012d5964bfb&password=mypassword&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1

axios data:

_csrf=8806aed7-f222-417f-a3aa-a0e3c0876075&loginMail=my.email%40email.com&loginWenkseSessionId=a419116a-0349-4da3-b78f-0012d5964bfb&password=mypassword&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1

Postman headers:

POST https://www.my-url.com/page.html?targetUrl=/ HTTP/1.1
Host: www.my-url.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: fr,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.my-url.com/
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Postman-Token: 5851992c-e383-4369-9bf5-93ec71e466e6
Content-Type: application/x-www-form-urlencoded
Content-Length: 216

axios headers:

POST https://www.my-url.com/page.html?targetUrl=/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
host: www.my-url.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept-Language: fr,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.my-url.com/
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 216

The data is strictly identical.
The headers have 2 differences:
- "Host" from Postman is capitalized, axios has a lowercase "h" .. although my code has it capitalized, ¯\_(ツ)_/¯ (see below)
- Postman has an extra Postman-Token.

My axios code:

const axios = require('axios');
const qs = require('querystring');

// Login endpoint as captured in Fiddler (see the Postman request above)
const loginUrl = 'https://www.my-url.com/page.html?targetUrl=/';

// Form body, identical to what Postman sends
const postData = qs.stringify({
    "_csrf": "8806aed7-f222-417f-a3aa-a0e3c0876075",
    "loginMail": "my.email@email.com",
    "loginWenkseSessionId": "a419116a-0349-4da3-b78f-0012d5964bfb",
    "password": "mypassword",
    "fingerprint": "3746b536f50ec270a12a7a4e74f3e4a1"
});

// `await` is only valid inside an async function
async function login() {
    const resp = await axios.post(
        loginUrl,
        postData,
        {
            headers:
            {
                "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0",
                "Host": "www.my-url.com",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                "Accept-Language": "fr,en;q=0.7,de;q=0.3",
                "Accept-Encoding": "gzip, deflate, br",
                "Referer": "https://www.my-url.com/",
                "DNT": "1",
                "Connection": "keep-alive",
                "Cookie": "JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;",
                "Upgrade-Insecure-Requests": "1",
                "Cache-Control": "max-age=0",
                "Content-Type": "application/x-www-form-urlencoded",
            }
        }
    );
    return resp;
}

login().then(resp => console.log(resp.status, resp.headers));

Edit: Responses from the server:

axios headers and response:

status: 200,
statusText: 'OK',
headers: {
  server: 'rhino-core-shield',
  date: 'Sat, 28 Mar 2020 13:25:04 GMT',
  'content-type': 'text/html;charset=UTF-8',
  requires_auth: '1',
  'set-cookie': [
    'JSESSIONID=9364C40A071C826484EC0D96EA2F83AA-mc5.koeb47-31_i01_1001; Path=/; Secure; HttpOnly',
    'up=%7B%22ln%22%3A%25548484226%11%7D; Expires=Thu, 24-Sep-2020 13:25:04 GMT; Path=/; Secure',
    'GCLB=AB2LnqCH0fobagE; path=/; HttpOnly'
  ],
  'strict-transport-security': 'max-age=31536000',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'cache-control': 'no-cache, no-store, max-age=0, must-revalidate',
  pragma: 'no-cache',
  expires: '0',
  'content-language': 'de-DE',
  vary: 'Origin, Accept-Encoding',
  'x-varnish': '484155822',
  age: '0',
  'accept-ranges': 'bytes',
  via: '1.1 varnish (Varnish/6.0), 1.1 google',
  'alt-svc': 'clear',
  'transfer-encoding': 'chunked'
},
config: {
  url: 'https://www.my-url.com/my-page.html?targetUrl=/',
  method: 'post',
  data: 'loginMail=my-email%40email.com&_csrf=236a81db-6d63-438f-9b68-e3a76403c61e&password=my-password&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1',
  headers: {
    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0',
    'Accept-Language': 'fr,en;q=0.7,de;q=0.3',
    'Accept-Encoding': 'gzip, deflate, br',
    Referer: 'https://www.my-url.com/',
    DNT: '1',
    Connection: 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'Cache-Control': 'max-age=0',
    Cookie: 'JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf; '
  },
  transformRequest: [ [Function: transformRequest] ],
  transformResponse: [ [Function: transformResponse] ],
  timeout: 0,
  adapter: [Function: httpAdapter],
  xsrfCookieName: 'XSRF-TOKEN',
  xsrfHeaderName: 'X-XSRF-TOKEN',
  maxContentLength: -1,
  validateStatus: [Function: validateStatus]
},
request: ClientRequest {
  _events: [Object: null prototype] {
    socket: [Function],
    abort: [Function],
    aborted: [Function],
    error: [Function],
    timeout: [Function],
    prefinish: [Function: requestOnPrefinish]
  },
  _eventsCount: 6,
  _maxListeners: undefined,
  outputData: [],
  outputSize: 0,
  writable: true,
  _last: true,
  chunkedEncoding: false,
  shouldKeepAlive: true,
  useChunkedEncodingByDefault: false,
  sendDate: false,
  _removedConnection: false,
  _removedContLen: false,
  _removedTE: false,
  _contentLength: 0,
  _hasBody: true,
  _trailer: '',
  finished: true,
  _headerSent: true,
  socket: TLSSocket {
    _tlsOptions: [Object],
    _secureEstablished: true,
    _securePending: false,
    _newSessionPending: false,
    _controlReleased: true,
    _SNICallback: null,
    servername: false,
    alpnProtocol: false,
    authorized: true,
    authorizationError: null,
    encrypted: true,
    _events: [Object: null prototype],
    _eventsCount: 8,
    connecting: false,
    _hadError: false,
    _parent: null,
    _host: 'www.my-url.com',
    _readableState: [ReadableState],
    readable: false,
    _maxListeners: undefined,
    _writableState: [WritableState],
    writable: false,
    allowHalfOpen: false,
    _sockname: null,
    _pendingData: null,
    _pendingEncoding: '',
    server: undefined,
    _server: null,
    ssl: null,
    _requestCert: true,
    _rejectUnauthorized: true,
    parser: null,
    _httpMessage: [Circular],
    [Symbol(res)]: null,
    [Symbol(asyncId)]: 30,
    [Symbol(kHandle)]: null,
    [Symbol(lastWriteQueueSize)]: 0,
    [Symbol(timeout)]: null,
    [Symbol(kBuffer)]: null,
    [Symbol(kBufferCb)]: null,
    [Symbol(kBufferGen)]: null,
    [Symbol(kBytesRead)]: 7787,
    [Symbol(kBytesWritten)]: 955,
    [Symbol(connect-options)]: [Object]
  },
  connection: TLSSocket {
    _tlsOptions: [Object],
    _secureEstablished: true,
    _securePending: false,
    _newSessionPending: false,
    _controlReleased: true,
    _SNICallback: null,
    servername: false,
    alpnProtocol: false,
    authorized: true,
    authorizationError: null,
    encrypted: true,
    _events: [Object: null prototype],
    _eventsCount: 8,
    connecting: false,
    _hadError: false,
    _parent: null,
    _host: 'www.my-url.com',
    _readableState: [ReadableState],
    readable: false,
    _maxListeners: undefined,
    _writableState: [WritableState],
    writable: false,
    allowHalfOpen: false,
    _sockname: null,
    _pendingData: null,
    _pendingEncoding: '',
    server: undefined,
    _server: null,
    ssl: null,
    _requestCert: true,
    _rejectUnauthorized: true,
    parser: null,
    _httpMessage: [Circular],
    [Symbol(res)]: null,
    [Symbol(asyncId)]: 30,
    [Symbol(kHandle)]: null,
    [Symbol(lastWriteQueueSize)]: 0,
    [Symbol(timeout)]: null,
    [Symbol(kBuffer)]: null,
    [Symbol(kBufferCb)]: null,
    [Symbol(kBufferGen)]: null,
    [Symbol(kBytesRead)]: 7787,
    [Symbol(kBytesWritten)]: 955,
    [Symbol(connect-options)]: [Object]
  },
  _header: 'GET /my-page.html?targetUrl=/m-another-page.html&sessionExpired=true HTTP/1.1\r\n' +
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n' +
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0\r\n' +
    'Accept-Language: fr,en;q=0.7,de;q=0.3\r\n' +
    'Accept-Encoding: gzip, deflate, br\r\n' +
    'Referer: https://www.my-url.com/\r\n' +
    'DNT: 1\r\n' +
    'Connection: keep-alive\r\n' +
    'Upgrade-Insecure-Requests: 1\r\n' +
    'Cache-Control: max-age=0\r\n' +
    'Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf; \r\n' +
    'Host: www.my-url.com\r\n' +
    '\r\n',
  _onPendingData: [Function: noopPendingOutput],
  agent: Agent {
    _events: [Object: null prototype],
    _eventsCount: 1,
    _maxListeners: undefined,
    defaultPort: 443,
    protocol: 'https:',
    options: [Object],
    requests: {},
    sockets: {},
    freeSockets: {},
    keepAliveMsecs: 1000,
    keepAlive: false,
    maxSockets: Infinity,
    maxFreeSockets: 256,
    maxCachedSessions: 100,
    _sessionCache: [Object]
  },
  socketPath: undefined,
  method: 'GET',
  path: '/my-page.html?targetUrl=/m-another-page.html&sessionExpired=true',
  _ended: true,
  res: IncomingMessage {
    _readableState: [ReadableState],
    readable: false,
    _events: [Object: null prototype],
    _eventsCount: 1,
    _maxListeners: undefined,
    socket: [TLSSocket],
    connection: [TLSSocket],
    httpVersionMajor: 1,
    httpVersionMinor: 1,
    httpVersion: '1.1',
    complete: true,
    headers: [Object],
    rawHeaders: [Array],
    trailers: {},
    rawTrailers: [],
    aborted: false,
    upgrade: false,
    url: '',
    method: null,
    statusCode: 200,
    statusMessage: 'OK',
    client: [TLSSocket],
    _consuming: true,
    _dumped: false,
    req: [Circular],
    responseUrl: 'https://www.my-url.com/my-page.html?targetUrl=/m-another-page.html&sessionExpired=true',
    redirects: []
  },
  aborted: false,
  timeoutCb: null,
  upgradeOrConnect: false,
  parser: null,
  maxHeadersCount: null,
  _redirectable: Writable {
    _writableState: [WritableState],
    writable: true,
    _events: [Object: null prototype],
    _eventsCount: 2,
    _maxListeners: undefined,
    _options: [Object],
    _redirectCount: 2,
    _redirects: [],
    _requestBodyLength: 158,
    _requestBodyBuffers: [],
    _onNativeResponse: [Function],
    _currentRequest: [Circular],
    _currentUrl: 'https://www.my-url.com/my-page.html?targetUrl=/m-another-page.html&sessionExpired=true',
    _isRedirect: true
  },
  [Symbol(kNeedDrain)]: false,
  [Symbol(isCorked)]: false,
  [Symbol(kOutHeaders)]: [Object: null prototype] {
    accept: [Array],
    'user-agent': [Array],
    'accept-language': [Array],
    'accept-encoding': [Array],
    referer: [Array],
    dnt: [Array],
    connection: [Array],
    'upgrade-insecure-requests': [Array],
    'cache-control': [Array],
    cookie: [Array],
    host: [Array]
  }
},
data: <"html of a page telling me my session is over">

Postman response headers:

POST https://www.my-url/m-my-page.html?targetUrl= /
This is a 302
GET https://www.my-url/m-another-page.html

GET /m-my-page.html?targetUrl=/ HTTP/1.1
Host: www.my-url
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: fr,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.my-url/m-my-page.html?targetUrl=/
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;; up=%7B%22ln%22%3A%22333539628%22%7D; wl=%7B%22l%22%3A%22%22%7D; GCLB=COiZgvKeiYvIhQE; JSESSIONID=9DC4DFDABFF9EB02F8666D8D9503CB8E-mc5.koeb47-12_i01_1001
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Postman-Token: 37d36a4b-f4a1-4493-94c5-719298b764ee
loginMail=my-email%40email.com&_csrf=236a81db-6d63-438f-9b68-e3a76403c61e&password=my-password&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1
HTTP/1.1 200 OK
Server: rhino-core-shield
Date: Sat, 28 Mar 2020 13:48:09 GMT
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Language: de-DE
Content-Encoding: gzip
Vary: Origin, Accept-Encoding
X-Varnish: 484102076
Age: 0
Accept-Ranges: bytes
Via: 1.1 varnish (Varnish/6.0), 1.1 google
Alt-Svc: clear
Transfer-Encoding: chunked

The Postman response data is the HTML of the page I see when I am logged in.

I tried using the other Node server code generated by Postman, but without success. Note that the same Postman request can be sent successfully several times. The CSRF field is not unique per request.

What could I be forgetting?

1 Answer

0 votes
/ March 27, 2020

Have you tried it like this

const axios = require('axios');
const qs = require('querystring');

// Login endpoint from the question
const loginUrl = 'https://www.my-url.com/page.html?targetUrl=/';

const postData = qs.stringify({
    "_csrf": "8806aed7-f222-417f-a3aa-a0e3c0876075",
    "loginMail": "my.email@email.com",
    "loginWenkseSessionId": "a419116a-0349-4da3-b78f-0012d5964bfb",
    "password": "mypassword",
    "fingerprint": "3746b536f50ec270a12a7a4e74f3e4a1"
});

// Full request config passed to axios(); the target goes in `url`
const options = {
    method: 'POST',
    url: loginUrl,
    headers: {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0",
        "Host": "www.my-url.com",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "fr,en;q=0.7,de;q=0.3",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": "https://www.my-url.com/",
        "DNT": "1",
        "Connection": "keep-alive",
        "Cookie": "JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;",
        "Upgrade-Insecure-Requests": "1",
        "Cache-Control": "max-age=0",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    data: postData,
};

axios(options)
    .then(function (response) {
        //response
    })
    .catch(function (err) {
        console.error(err.message);
    });
...
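The dump in the question already points at the cause, and the answer's code does not address it. The axios response carries `set-cookie` with a new JSESSIONID, the final request in `_header` is a GET to `...&sessionExpired=true` after `_redirectCount: 2`, and that GET still sends only the hard-coded Cookie header with the old JSESSIONID. Postman's redirected GET, by contrast, sends the new JSESSIONID, `up`, `wl` and `GCLB` cookies that the 302 issued, because Postman keeps a cookie jar; axios in Node follows the redirect (via follow-redirects) without one, so the server sees the POST-to-302 session rotation and then a GET on the stale session. The example below is added here and is not code from the question, the answer or the site in question: it follows the login redirect manually, merging each response's Set-Cookie into a jar before the next hop, and runs the same flow with the jar frozen to reproduce the "session is over" result. The host `www.example.test`, the paths, the cookie values and the `fakeSite` responder are constructed for the demo. One caveat on the question itself: the posted request contains live session cookies, a CSRF token and a password, which should be treated as compromised and rotated.

```javascript
// Added example (not from the question or answer): follow a login POST's 302
// manually so the redirected GET carries the rotated JSESSIONID from Set-Cookie.
// Host, paths and cookie values below are constructed for the demo.

// Merge "name=value; attrs..." Set-Cookie lines into the jar; later values win.
function mergeCookies(jar, setCookieHeaders) {
  const out = { ...jar };
  for (const line of setCookieHeaders || []) {
    const pair = line.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq > 0) out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return out;
}

// Serialise the jar as one Cookie request header.
function cookieHeader(jar) {
  return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
}

// Next hop from a response: GET with the body dropped for 301/302/303, same
// method and body for 307/308, null when the redirect chain has ended.
function nextRequest(current, response, jar) {
  const status = response.status;
  const location = response.headers.location;
  if (!location || ![301, 302, 303, 307, 308].includes(status)) return null;
  const keepMethod = status === 307 || status === 308;
  const headers = { ...current.headers, Cookie: cookieHeader(jar) };
  if (!keepMethod) { delete headers['Content-Type']; delete headers['Content-Length']; }
  return {
    method: keepMethod ? current.method : 'GET',
    url: new URL(location, current.url).toString(),
    headers,
    body: keepMethod ? current.body : undefined,
  };
}

// Drive the chain. `client(req)` resolves to {status, headers, body}. With
// persistCookies=false the Cookie header stays frozen at its initial value,
// which is what a redirect-following client without a cookie jar does.
async function followLogin(client, initial, jar, { maxHops = 5, persistCookies = true } = {}) {
  let req = { ...initial, headers: { ...initial.headers, Cookie: cookieHeader(jar) } };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await client(req);
    if (persistCookies) jar = mergeCookies(jar, res.headers['set-cookie']);
    const next = nextRequest(req, res, jar);
    if (!next) return { status: res.status, body: res.body, jar, hops: hop };
    req = next;
  }
  throw new Error(`more than ${maxHops} redirects`);
}

// Constructed stand-in for the site: the login POST answers 302 and rotates
// JSESSIONID; the target page only renders for the new session, otherwise it
// bounces back to the login page with sessionExpired=true.
async function fakeSite(req) {
  const u = new URL(req.url);
  const cookies = mergeCookies({}, (req.headers.Cookie || '').split(';').map((c) => c.trim()));
  if (req.method === 'POST' && u.pathname === '/page.html') {
    return { status: 302, body: '', headers: { location: '/m-another-page.html',
      'set-cookie': ['JSESSIONID=NEW-SESSION; Path=/; Secure; HttpOnly', 'GCLB=demo; path=/; HttpOnly'] } };
  }
  if (u.pathname === '/m-another-page.html') {
    if (cookies.JSESSIONID === 'NEW-SESSION') return { status: 200, headers: {}, body: '<html>logged in</html>' };
    return { status: 302, headers: { location: '/page.html?targetUrl=/m-another-page.html&sessionExpired=true' }, body: '' };
  }
  return { status: 200, headers: {}, body: '<html>session expired</html>' };
}

// Run the login both ways against the fake site and return both outcomes.
async function demo() {
  const jar = { JSESSIONID: 'OLD-SESSION', rbzid: 'demo-rbzid' };
  const login = {
    method: 'POST', url: 'https://www.example.test/page.html?targetUrl=/',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: '_csrf=demo-csrf&loginMail=user%40example.test&password=demo',
  };
  const naive = await followLogin(fakeSite, login, jar, { persistCookies: false });
  const fixed = await followLogin(fakeSite, login, jar);
  return { naive, fixed };
}

demo().then(({ naive, fixed }) => {
  console.log('without jar:', naive.hops, 'hops ->', naive.body);
  console.log('with jar:   ', fixed.hops, 'hops ->', fixed.body);
});
```

To apply this with real axios, pass `maxRedirects: 0` and `validateStatus: () => true` so the 302 is returned instead of followed, feed `response.headers['set-cookie']` through `mergeCookies`, and issue the `Location` request yourself with the updated Cookie header; alternatively attach a real jar with `tough-cookie` and `axios-cookiejar-support`. Either way, stop hard-coding the Cookie header: the session cookie changes on login, so a fixed value can only ever replay the pre-login session.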