C
C#15mo ago
Kein

❔ HTTPclient fails to POST properly

Target website has a very basic login form, and I have no problems logging in via curl: 
curl1 -vv -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36" -H "Referer: https://www.website.com/session/login" --cookie "PHPSESSID=ehoj1hg8daist388b72k8c2roe" -d "OWhVNUhsOE5ZS2ZIc1hWdWtiZ05pUT09=ZFoyZjBjeWJzTWJMdjkwQWVndlQyUT09&email=my%40mail.com&password=12345" -o N:/login.html https://www.website.com/session/login
curl1 -vv -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36" -H "Referer: https://www.website.com/session/login" --cookie "PHPSESSID=ehoj1hg8daist388b72k8c2roe" -d "OWhVNUhsOE5ZS2ZIc1hWdWtiZ05pUT09=ZFoyZjBjeWJzTWJMdjkwQWVndlQyUT09&email=my%40mail.com&password=12345" -o N:/login.html https://www.website.com/session/login
However, attempt to sent POST with HttpClient always fails: 
const string baseURL = @"https://www.website.com";
HttpClient client = new HttpClient();
client.Timeout = new TimeSpan(0, 0, 30);
client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36");
//---
// Parsing CRSF tokens and PHPSESSID from first pass
//---
client.DefaultRequestHeaders.Add("Cookie", phpSession);
var credentials = new FormUrlEncodedContent(new[]
{
    new KeyValuePair<string,string>(match.Groups[1].Value, match.Groups[2].Value),
    new KeyValuePair<string,string>("email", "my@mail.com"),
    new KeyValuePair<string,string>("password", "12345"),
});
var req = new HttpRequestMessage(HttpMethod.Post, $"{baseURL}/session/login") { Content = credentials };
const string baseURL = @"https://www.website.com";
HttpClient client = new HttpClient();
client.Timeout = new TimeSpan(0, 0, 30);
client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36");
//---
// Parsing CRSF tokens and PHPSESSID from first pass
//---
client.DefaultRequestHeaders.Add("Cookie", phpSession);
var credentials = new FormUrlEncodedContent(new[]
{
    new KeyValuePair<string,string>(match.Groups[1].Value, match.Groups[2].Value),
    new KeyValuePair<string,string>("email", "my@mail.com"),
    new KeyValuePair<string,string>("password", "12345"),
});
var req = new HttpRequestMessage(HttpMethod.Post, $"{baseURL}/session/login") { Content = credentials };
The response should be 302 Found and then response header contain redirect to profile location, but I'm not getting it. I do get it with curl tho. So the issue is with Httpclient. Any idea what cold be the differences between curl and HttpClient that make the former work?
25 Replies
Buddy
Buddy15mo ago
Does said website allow requests to a non-official api?
Kein
Kein15mo ago
curl works just fine
Buddy
Buddy15mo ago
I'm not talking about if it works. I'm talking about the terms of service.
canton7
canton715mo ago
but I'm not getting it
What are you getting?
Kein
Kein15mo ago
200 OK which is a normal request to session/login page, should be 302 found + redirect I really dont want to spend gazzlion of effort for the next few days making BURP work with https, so I can just inspect difference in headers, it is pain I was wondering may be someone who uses both curl and HTTP client knows where the former excels by default so I can just use the info
canton7
canton715mo ago
I notice the referrer is different... But we're just taking it on trust that you've got all of the headers correct. First thing I'd check is the response body, see whether it contains e.g. an error message saying what's wrong. Second is to get fiddler up and running. It won't take a "gazillion" -- it'll take a few minutes, and you'll be able to see the exact difference between those two
Kein
Kein15mo ago
I've compared the headers, here aint that much to differ, Content-type, User-agent (not even needed but for posterity) and cookie, that is. I will try fiddler, hopefully it is less pain then BURP
canton7
canton715mo ago
Well, headers and body params, I mean I would just take a look at the response -- the server might be telling you what's wrong And yeah, fiddler is great. Sorts out its own SSL certs (I think you might need to click a button?), etc
Monsieur Wholesome
Monsieur Wholesome15mo ago
Use Fiddler and find the difference in the two requests made
Kein
Kein15mo ago
lmao it does not work for my location, rip
Monsieur Wholesome
Monsieur Wholesome15mo ago
ah, I see fiddler somewhere in this convo
Kein
Kein15mo ago
God I really have to go back to BURP Community and that cert nightmare
Kein
Kein15mo ago
But yeah it does not make any sense for any header dot content do not match, I've printed the FormURLEncoded data and it is exactly what I send with cURL, same with the headers, cookie is added via DefaultRequestHeaders I dont think it has anything to do with it, I think it is some default client setup between curl and HTTPClient, the former just have it being sent by default because it is often used as REST API debugging tool so it makes sense to hone it for that case, where was HttpClient is too generic Essentially my question boilds down if anyone else stepped on the same rakes and figured the differences out
canton7
canton715mo ago
Huh, it used to be entirely free, last time I looked That's a shame
Kein
Kein15mo ago
Huh, so there is no default Accept: */* for httpclient HTTPToolkit shows the request is pretty much exactly the same, sans Accept which I can add but it wont change anything @canton7 you have experience sending binay data (images) as mutipart form with boundary with HTTPclient? 
-----------------------------29077931424107458645579380474
Content-Disposition: form-data; name="uuid"

92da547b-ff8e-44af-aec5-f1c9f36ff65a
-----------------------------29077931424107458645579380474
Content-Disposition: form-data; name="batch"

R2N6cnpLdlRYUFU9
-----------------------------29077931424107458645579380474
Content-Disposition: form-data; name="file"; filename="12345.jpg"
Content-Type: image/jpeg
<BINARY_DATA_HERE>
-----------------------------29077931424107458645579380474
Content-Disposition: form-data; name="uuid"

92da547b-ff8e-44af-aec5-f1c9f36ff65a
-----------------------------29077931424107458645579380474
Content-Disposition: form-data; name="batch"

R2N6cnpLdlRYUFU9
-----------------------------29077931424107458645579380474
Content-Disposition: form-data; name="file"; filename="12345.jpg"
Content-Type: image/jpeg
<BINARY_DATA_HERE>
Do I need to compose it myself or is there a built-in boundary break
canton7
canton715mo ago
Yeah there's a content class for that
canton7
canton715mo ago
https://learn.microsoft.com/en-us/dotnet/api/system.net.http.multipartcontent?view=net-8.0
MultipartContent Class (System.Net.Http)
Provides a collection of HttpContent objects that get serialized using the multipart/* content type specification.
Kein
Kein15mo ago
nice, thanks!
Kein
Kein15mo ago
Do you know what the proper container to send content raw as in the example on the left:
Kein
Kein15mo ago
If there is a way to avoid serializing rawstrings to bytes I will take it but otherwise I will go that way
canton7
canton715mo ago
You mean, remove the content-type header? Just remove it from the HttpContent
Kein
Kein15mo ago
No I meant per entry, I'm just gonna go for ByteArrayContent for these strings. However I still have this. Not sure where can I specify MIME type for only last part of the payload, which is JPEG: 
var mp = new MultipartFormDataContent("---------------------------29077931424107458645579380474")
{
    { new ByteArrayContent(Encoding.ASCII.GetBytes("92da547b-ff8e-44af-aec5-f1c9f36ff65a")), "\"uuid\"" },
    { new ByteArrayContent(Encoding.ASCII.GetBytes("R2N6cnpLdlRYUFU9")), "\"batch\"" },
};
mp.Add(new ByteArrayContent(File.ReadAllBytes(@"12345.jpg")), "\"file\"", "\"12345.jpg\"");
var mp = new MultipartFormDataContent("---------------------------29077931424107458645579380474")
{
    { new ByteArrayContent(Encoding.ASCII.GetBytes("92da547b-ff8e-44af-aec5-f1c9f36ff65a")), "\"uuid\"" },
    { new ByteArrayContent(Encoding.ASCII.GetBytes("R2N6cnpLdlRYUFU9")), "\"batch\"" },
};
mp.Add(new ByteArrayContent(File.ReadAllBytes(@"12345.jpg")), "\"file\"", "\"12345.jpg\"");
canton7
canton715mo ago
I'm confused as to what you want... Were you using a StringContent before, but you didn't want a Content-Type header? Just remove that header from the StringContent. It's added by default, but you can remove it Or there are constructors which let you set the value of that header explicitly new StringContent(string content, (Encoding?)null, (MediaTypeHeaderValue?)null) might do it?
Kein
Kein15mo ago
@canton7 ah no, I figured it out, you need to force content type per payload: 
 new ByteArrayContent(data) { Headers = { {"Content-Disposition", @"form-data; name=""file""; filename=""12345.jpg"""}, {"Content-Type", "image/jpeg"} };
 new ByteArrayContent(data) { Headers = { {"Content-Disposition", @"form-data; name=""file""; filename=""12345.jpg"""}, {"Content-Type", "image/jpeg"} };
Accord
Accord15mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server
More Posts
❔ Returning the user object that was just created after web api [POST]I have a web API and the POST works just fine in Swagger. It does work fine if I use the web API fro❔ How to get file path of PDFs in project.Hello! I am facing an issue with my current project. I want to be able to get a combobox in my Winfo❔ Running ASP.NET file in RiderNot sure why i cant seem to run the file - I'd like to do some testing on this work in progress proj❔ ASP.NET Core Web API controller method parameter is not null, but property values are always null.I have a method on a controller that takes a model class as a parameter. Calling the method from an❔ change timezone of aspnet docker containerhow to change aspnet docker container's timezone? i am using this image `mcr.microsoft.com/dotnet/as❔ Processes and AsyncHow can I recreate this with Async? (BeginOutputReads and such) ```cs // If an error happens, prints❔ Need help translating this psuedocodeHello beginner here for my assignment of translating some psuedocode. i am not sure how to check if❔ Homework Help... Again... Chars and Conditional StatementsHi, for this problem, I am given a char, starter, and an int, number. I have to find the subsequent ❔ I wrote a discord bot but it's not answering me ?``` using DSharpPlus; using DSharpPlus.EventArgs; using System.Threading.Tasks; class Program { ❔ image finally stored as byte but when viewing I'm not getting an imageGood afternoon guy was wondering what I'm doing wrong now for the image not to show? Yes im sorry