I'm studying the basics of XSRF on PortSwigger and I've completed Lab: CSRF vulnerability with no defenses with Firefox. I attempted to go a step further by completing the same lab from the terminal. However, when I send a request to the server, it returns the body for the login page; so authentication is not working, even though I've provided the username and password to access the account in the lab.
I aim to test logging in with curl and then automate with JavaScript.
Here is the Zsh script:
#!/usr/bin/env zsh
# Send credentials with HTTP basic auth (--user) and store any cookies the server sets.
curl -iLs --compressed \
  --user 'wiener':'peter' --cookie-jar ./tmpCookie.txt \
  "https://0ad500d004b92108827b3d3c00770085.web-security-academy.net/login"
# Replay the stored cookies against the account page.
curl -iLs --compressed \
  --cookie ./tmpCookie.txt \
  "https://0ad500d004b92108827b3d3c00770085.web-security-academy.net/my-account?id=wiener"
Here is the JavaScript:
#!/usr/bin/env node
const req = require("axios"); // http requests

// Function to authenticate and obtain session token
async function authenticate(url, username, password) {
  try {
    const response = await req.post(url, { username, password });
    return response.headers["session-token"]; // Assuming server returns session token in headers
  } catch (error) {
    console.error("Authentication failed:", error);
    return null;
  }
}

// Make authenticated requests.
async function main() {
  const urL = "https://0ad500d004b92108827b3d3c00770085.web-security-academy.net/login";
  const sessionToken = await authenticate(urL, "wiener", "peter");
}

main();