Search code examples
c#httpcsrfwebrequest

C# WebRequest - HTTP: 403 Forbidden ('_xsrf' argument missing from POST)

I'm stucked here at getting a WebResponse from HTTPWebRequest.

The WebRequest.GetResponse() Method throws a WebException ("500 Internal Server Error"). When i read the returned HTML it says:

HTTP 403: Forbidden ('_xsrf' argument missing from POST)

Anyone knows this Error or knows what Im doing wrong?

(Im trying to log in to a Website using POST)

EDIT: My sourcecode:

      private String GetLoginCookies(String pHTTPurl, String pUserIDwithFormID, String pPasswordWithFormID)
  {
     String loginPageUrl = pHTTPurl;
     CookieContainer cookieContainer = new CookieContainer();
     var Request = (HttpWebRequest)WebRequest.Create(loginPageUrl);
     Request.CookieContainer = cookieContainer;
     Request.Method = "GET";

     WebResponse Response = Request.GetResponse();

     HttpWebResponse HttpResponse = Response as HttpWebResponse;

     CookieCollection cookies = null;
     if (HttpResponse != null)
     {
        //Cookies die benötigt werden um den Loginvorgang abzuschließen
        cookies = HttpResponse.Cookies;
     }

     string formParams = string.Format(pUserIDwithFormID + "&" + pPasswordWithFormID);


     Request = (HttpWebRequest)WebRequest.Create(loginPageUrl);
     Request.CookieContainer = cookieContainer;
     Request.UserAgent = "I am not a Bot! Ok maybe..";
     WebResponse resp = null;
     Request.ContentType = "application/x-www-form-urlencoded";
     Request.Method = "POST";
     byte[] bytes = Encoding.ASCII.GetBytes(formParams);
     Request.ContentLength = bytes.Length;
     using (Stream os = Request.GetRequestStream())
     {
        os.Write(bytes, 0, bytes.Length);
     }
     try
     {
        resp = Request.GetResponse();
        using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
        {
           String TestResponse = sr.ReadToEnd();
        }
     }
     catch (WebException WE)
     {
        DebugConsole.AppendText("HTTP Error:" + WE.Message + Environment.NewLine);
        String HTML = new StreamReader(WE.Response.GetResponseStream()).ReadToEnd();
        DebugConsole.AppendText(HTML);
        return null;
     }
     String cookieHeader = resp.Headers["Set-cookie"];
     if (String.IsNullOrEmpty(cookieHeader))
        return null;
     else
        return cookieHeader;
  }
Solution

  • This is actually because the web method requires anti csrf (cross site request forgery, more info here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) validation parameter. What you can do, is to append the csrf value to the request header:

    postHeaders.Add("X-CSRFToken", CSRF);

    Maybe you can paste your source code here if you need any help with that, so we can look after it