Obtaining the CSRF Token ID from web site using c#

Question

I have a situation where i will have to download the file from the website. It is a secured site (https) and also It requires the client certificate authentication.

I have a client certificate and managed to get in. After logged in, when i tried to download the file, i am not able to download the file. In turn, the file contains the html with csrftoken. How to get this token id? In order to download the file i need this token. Could someone share what kind of authentication this, and how can i get the csrf token id using c#.

Thanks

Answer 1

It is not authentication. Its security to prevent cross site request forgery .

The technique is:

• Any state changing operation requires a secure random token (eg CSRF token) to prevent against CSRF attacks.
• Unique per user & per user session
• Tied to a single user session
• Large random value
• Generated by a cryptographically secure random number generator
• The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET
• The server rejects the requested action if the CSRF token fails validation

In your case the workflow should be near to this:

1. Client make a request (tipicaly a HTTP GET ) to see info in their screen.
2. The response HTML has a hidden field in the generated Form with the CSRF token.
3. Client makes a POST when click on a button with the following data: File identification he wants to download and the CSRF token.
4. Server checks that this token is valid for this POST .
5. Server sends the file bites to the response stream.

So, if you want to download a file programmatically with C# I think that you should do a GET first as if you were a webBrowser; retrieve the CSRF token parsing the responsed HTML and send a POST whith the file and the CSRF token.