Question: POST request with CSRF works in Postman but fails in cURL



Answers 1
Added at 2016-12-14 12:12

I make a POST request to a REST API to upload a file. In Postman everything works fine. I add Basic authorization and a custom CSRF (XSRF) token which I get from the server.

I want to do the same using cURL. I copied the code from Postman, and it does not seem to work. I believe that the error is related to CSRF, because if I turn off CSRF on the server and make the same cURL call without the CSRF token, everything works fine.

Now some more details. This is the cURL command that Postman gives:

curl -X POST -H "XSRF: 79f51981-8e85-4e26-be1b-bf63aed92a42" -H "Authorization: Basic bbhjbjb=" -H "Cache-Control: no-cache" -H "Postman-Token: 76a7a43b-f407-15a2-aaff-5242b44d0f47" -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" -F "package=@C:\Downloads\" "http://host:port/api/import"

And that's the reply I get with --verbose:

    * timeout on name lookup is not supported
    *   Trying ::1...
    * Connected to localhost (::1) port 7777 (#0)
    > POST /api/import HTTP/1.1
    > Host: localhost:7777
    > User-Agent: curl/7.47.1
    > Accept: */*
    > XSRF: 79f51981-8e85-4e26-be1b-bf63aed92a42
    > Authorization: Basic bbhjbjb=
    > Cache-Control: no-cache
    > Postman-Token: 76a7a43b-f407-15a2-aaff-5242b44d0f47
    > Content-Length: 31281
    > Expect: 100-continue
    > Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW; boundary=------------------------742d3475ac5f6aba
    < HTTP/1.1 302 Found
    < Set-Cookie: JSESSIONID=1qfjmbntrthxll;Path=/api
    < Expires: Thu, 01 Jan 1970 00:00:00 GMT
    < Set-Cookie: XSRF=b29bd143-cc80-49ad-b495-711125678o;Path=/;Expires=Thu, 15-Dec-2016 10:28:46 GMT
    < XSRF: b29bd143-cc80-49ad-b495-711125678o
    < Location: http://localhost:7777/api/login/error.jsp?errorMessage=Access Denied
    < Content-Length: 0
    < Server: Jetty(9.2.17.v20160517)
    * HTTP error before end of send, stop sending
    * Closing connection 0

I am probably missing something very obvious here, but I don't know what yet. It looks like I am redirected to the login page, not being authenticated correctly, but I do not know why (I do send XSRF in cURL). I also tried adding the session ID in cURL, which also didn't work.

Any ideas and directions about where to search would be very appreciated!!!

Answers

nr: #1 added: 2016-12-20 12:12

It is unclear how your server-side code is implemented. One visible difference that can be seen here is the User-Agent string in the request header, User-Agent: curl/7.47.1. You may try adding -A "Mozilla/5.0" to your curl request.

About the comment above regarding the XSRF one-time token: your server is returning a Set-Cookie header in the response. It can happen that Postman is using that as a cookie for the second request, and that's why it works for it over and over. You can try adding -H "Cookie: XSRF=b29bd143-cc80-49ad-b495-711125678o" at the end of your curl command and see if that makes any difference.

Those are all wild guesses. It would be better to add some code on your server side that prints the request headers. Then make two requests, one from curl and the other from Postman. After that, check the difference between the request headers. That will give you some clue.
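
Added example, not part of the original answer: the header comparison suggested above, run over the curl request headers from the question's --verbose output and a constructed Postman-side dump. It assumes the server checks the XSRF header against an XSRF cookie; POSTMAN_REQ and all function names are hypothetical.

```python
# Request headers curl sent, copied from the --verbose output in the question.
CURL_REQ = """\
User-Agent: curl/7.47.1
XSRF: 79f51981-8e85-4e26-be1b-bf63aed92a42
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW; boundary=------------------------742d3475ac5f6aba
"""
# Constructed sample (assumption): a server-side dump of the Postman request,
# supposing Postman replays the cookies it stored from earlier responses.
POSTMAN_REQ = """\
User-Agent: Mozilla/5.0 (constructed)
XSRF: 79f51981-8e85-4e26-be1b-bf63aed92a42
Cookie: JSESSIONID=constructed-session-id; XSRF=79f51981-8e85-4e26-be1b-bf63aed92a42
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
"""

def parse_headers(raw):
    """Map lower-cased header name -> value for a raw header dump."""
    pairs = (line.partition(":") for line in raw.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def cookie_value(headers, name):
    """Return the named cookie from the Cookie request header, or None."""
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def header_diff(a, b):
    """Header names whose presence or value differs between two requests."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def csrf_findings(headers, token_name="XSRF"):
    """Reasons a header-vs-cookie token check or the multipart parse may fail."""
    findings = []
    cookie_token = cookie_value(headers, token_name)
    if cookie_token is None:
        findings.append("no %s cookie sent" % token_name)
    elif cookie_token != headers.get(token_name.lower()):
        findings.append("%s header and cookie differ" % token_name)
    if headers.get("content-type", "").count("boundary=") > 1:
        findings.append("Content-Type has more than one boundary")
    return findings

if __name__ == "__main__":
    curl, postman = parse_headers(CURL_REQ), parse_headers(POSTMAN_REQ)
    print("differing headers:", header_diff(curl, postman))
    print("curl findings:", csrf_findings(curl))
    print("postman findings:", csrf_findings(postman))
```

For the curl request in the question this reports that no XSRF cookie was sent and that Content-Type carries a second boundary parameter, the one curl appended for -F to the hand-set header.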
