Search code examples
javapythonandroidposthttp-post

Why does my Python POST work but my Java POST gives CSRF error?

I am trying to send a POST with some data and I want to create an app for it, I have working Python code but am having trouble getting the Java counterpart working. Python:

headerpayload = {
        'X-Requested-With': 'XMLHttpRequest',
        'Host': host,
        'Origin': origin,
        'Referer': login_url,
        '__RequestVerificationToken': veri_token
    }

    payload = {
        "__RequestVerificationToken": veri_token,
        "Q_b9849eb2-813d-4d0a-a1ce-643f1c8af986_0": "test",
        "Q_62ebd8c8-7d45-481d-a8b1-ad54a390a029_0": "test@test.ca",
        "Q_f4a3bb2e-ebab-4660-a9a1-75c0d79fe0b4_0": "",
        "Q_20cd46d1-3b95-46ad-81a3-b7b4d7fe7bf9_0": "b9558536-87d3-4395-aceb-ac3e012b4bad",
        "Q_012d8ddf-e75a-4266-ae78-f59502862aa9_0": "Bay 4",
        "Q_6b61b457-f325-41d7-9784-5cb4a959223f_0": "Superman",
        "FormId": "276caa59-80a5-4ced-9b9d-025e1d753b4a",
        "_ACTION": "Continue",
        "PageIndex": "1"
    }

    result = session_requests.post(
    login_url,
    data=payload,
    headers=headerpayload
    )

Android: (OkHttp)

        
        RequestBody requestBody = new MultipartBody.Builder()
                .setType(MultipartBody.FORM)
                .addFormDataPart("__RequestVerificationToken", veritoken)
                .addFormDataPart("Q_b9849eb2-813d-4d0a-a1ce-643f1c8af986_0", "test")
                .addFormDataPart("Q_62ebd8c8-7d45-481d-a8b1-ad54a390a029_0", "test@test.ca")
                .addFormDataPart("Q_f4a3bb2e-ebab-4660-a9a1-75c0d79fe0b4_0", "")
                .addFormDataPart("Q_20cd46d1-3b95-46ad-81a3-b7b4d7fe7bf9_0", "b9558536-87d3-4395-aceb-ac3e012b4bad")
                .addFormDataPart("Q_012d8ddf-e75a-4266-ae78-f59502862aa9_0", "Bay 4")
                .addFormDataPart("Q_6b61b457-f325-41d7-9784-5cb4a959223f_0", "Superman")
                .addFormDataPart("FormId", "276caa59-80a5-4ced-9b9d-025e1d753b4a")
                .addFormDataPart("_ACTION", "Continue")
                .addFormDataPart("PageIndex", "1")
                .build();
        Request request = new Request.Builder()
                .addheader("X-Requested-With", "XMLHttpRequest")
                .addheader("Host", host)
                .addheader("Origin", origin)
                .addheader("Referer", url)
                .addheader("__RequestVerificationToken", veritoken)


                .url(url)
                .post(requestBody)
                .build();

Python code works fine, Java code doesn't.

Solution

  • It looks like you are using the request python library in your python code which has cookie persistence. However, It seems as if your post request in the Java code does not have a CSRF cookie token tacked on to it. You would need to get the cookies by making a get request then when you make a post request add the cookies. I will show an example below using Jsoup.

    Connection.Response r = Jsoup.connect(url).method(Connection.Method.GET).execute();
Map co = r.cookies();
Jsoup.connect(url).cookies(co).header(veriTokenKey, veritoken).data(veriTokenKey, veritoken).method(Connection.Method.POST).execute();