Added CSRF handling

2021-07-24 02:49:55 +05:30 · 2021-07-24 02:49:55 +05:30 · 15b6a9eac4
parent 2788c9429f
commit 15b6a9eac4
1 changed files with 38 additions and 8 deletions
--- a/default-logins/apache/apache-superset-default-credentials.yaml
+++ b/default-logins/apache/apache-superset-default-credentials.yaml
@ -8,23 +8,53 @@ info:
  tags: apache, default-login

 requests:
-  - method: POST
-    path:
-      - "{{BaseURL}}/login/"
-    headers:
-      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+  - raw:
+      - |
+        GET /login/ HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.9

-    body: 'username=admin&password=admin'
+      - |
+        POST /login/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 152
+        Cache-Control: max-age=0
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+        Referer: {{BaseURL}}/admin/airflow/login
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-IN,en;q=0.9
+        Connection: close
+
+        csrf_token={{csrff_token}}&username=admin&password=admin
+
+    extractors:
+      - type: regex
+        name: csrff_token
+        group: 1
+        part: body
+        internal: true
+        regex:
+          - 'value="(.*?)">'

    matchers-condition: and
    matchers:
      - type: word
+        part: body
+        condition: and
        words:
          - '<title>Redirecting...</title>'
          - '<h1>Redirecting...</h1'
          - '<a href="/">'
-        part: body
-        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'session'

      - type: status
        status: