Programmatically login to website that uses 2 steps.
-
I'm working on making an app that scrapes my debit card account for my current balance and account activity. (I recently bought a Windows Phone, and they don't have an app for WP, and their website is not mobile friendly). I'm running into an issue that has me a bit stumped. They use 2 steps for authentication. The first form submits the username and password, the 2nd asks for your date of birth as a secondary authentication. I'm not sure where it's failing. I know the first request is good, as it brings up the DOB verify page, however after posting the DOB data, the 3rd response is back at the login screen. The cookie headers are being filled, and all the response codes seem to be good. Does anyone see where the potential problem might be in this?
```csharp
HttpWebRequest http = WebRequest.Create(LoginURL) as HttpWebRequest;
http.KeepAlive = true;
http.Method = "POST";
http.ContentType = "application/x-www-form-urlencoded";
//http.CookieContainer = AuthCookies;
string postData = "languageCode=&reqType=&j_username=myuser&j_password=mypass&sign-in.x=29&sign-in.y=7";
byte[] dataBytes = UTF8Encoding.UTF8.GetBytes(postData);
http.ContentLength = postData.Length;
using (Stream postStream = http.GetRequestStream())
{
    postStream.Write(dataBytes, 0, dataBytes.Length);
}
HttpWebResponse httpResponse = http.GetResponse() as HttpWebResponse;
//foreach (Cookie ck in httpResponse.Cookies)
//{
//    AuthCookies.Add(ck);
//}
using (Stream respStream = httpResponse.GetResponseStream())
{
    StreamReader reader = new StreamReader(respStream, Encoding.UTF8);
    File.WriteAllText("loginresp.html", reader.ReadToEnd());
    reader.Close();
}
//DOB Verify
httpResponse.Close();
HttpWebRequest http2 = WebRequest.Create(DOBVerifyURL) as HttpWebRequest;
http2.KeepAlive = true;
http2.Method = "POST";
http2.ContentType = "application/x-www-form-urlencoded";
//http2.CookieContainer = AuthCookies;
http2.Headers["Cookie"] = httpResponse.Headers["Set-Cookie"];
http2.Referer = LoginURL;
http2.UserAgent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36";
postData = "reqType=&cmd=checkSecu&languageCode=&additionalHolderAuthValue=urlencodeddob&continue.x=86&continue.y=13";
dataBytes = UTF8Encoding.UTF8.GetBytes(postData);
http2.ContentLength = postData.Length;
using (Stream postStream = http2.GetRequestStream())
{
    pos
```
-
To be perfectly honest, I wouldn't do this. Partly because it's going to fail in interesting ways - my bank throws in additional security questions at random intervals to throw keyloggers off and yours probably does the same. Partly because my bank changes its login page pretty often, again for the same reason. But mostly because you are planning on writing an application which automatically logs into your bank account and you want to put it on a phone. Tell me, which is the easiest piece of electronic kit you own to steal? Which is the most commonly lost or stolen? Yes - it's your phone. And if it's stolen, or found, you have just handed the keys to your bank account to total strangers... Are you really sure this is a good idea?
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
-
Rather than copying the cookie headers around manually, just create a new instance of the CookieContainer class at the start, and assign it to the CookieContainer property of each HttpWebRequest object. If your bank is doing their job properly, there should be an anti-CSRF token in the form, which you will need to scrape from each response and post to the next request. You might also need to set the Referer property on the second and third request. If you still can't make it work, try using Fiddler to capture the requests from the browser and from your code to see what the difference is.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
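An added example (not code from the thread or from any poster) of the session handling suggested in the reply above: it contrasts copying a raw `Set-Cookie` value into a `Cookie` header with what a shared `CookieContainer` sends back, then scrapes a hidden form token for the next POST. The host, cookie value, HTML, date and the field name `csrfToken` are constructed for illustration, and the regex assumes `name` precedes `value` in the tag.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class SessionDemo
{
    // Constructed sample data, not captured from any real site.
    static readonly Uri Site = new Uri("https://cards.example.test/login");
    const string SetCookieHeader = "JSESSIONID=abc123; Path=/; Secure; HttpOnly";
    const string DobPageHtml =
        "<form action=\"/verify\" method=\"post\">" +
        "<input type=\"hidden\" name=\"csrfToken\" value=\"t0k3n+/=\">" +
        "<input type=\"text\" name=\"additionalHolderAuthValue\"></form>";

    // Pull a hidden input's value out of a response body (null if absent).
    // "csrfToken" is a hypothetical field name; real forms use their own.
    static string HiddenField(string html, string name)
    {
        Match m = Regex.Match(html,
            "<input[^>]*name=\"" + Regex.Escape(name) + "\"[^>]*value=\"([^\"]*)\"",
            RegexOptions.IgnoreCase);
        return m.Success ? WebUtility.HtmlDecode(m.Groups[1].Value) : null;
    }

    static void Main()
    {
        Uri verify = new Uri(Site, "/verify");

        // Copying Set-Cookie verbatim sends the attributes along with the cookie.
        Console.WriteLine("Raw copy : Cookie: " + SetCookieHeader);

        // A CookieContainer parses the header and returns only name=value pairs
        // that match the target URI's scheme, host and path.
        CookieContainer jar = new CookieContainer();
        jar.SetCookies(Site, SetCookieHeader);
        Console.WriteLine("Container: Cookie: " + jar.GetCookieHeader(verify));

        // The same jar is attached to every request in the flow.
        HttpWebRequest next = (HttpWebRequest)WebRequest.Create(verify);
        next.CookieContainer = jar;
        next.Referer = Site.AbsoluteUri;

        // The token from the previous response is URL-encoded into the next body.
        string token = HiddenField(DobPageHtml, "csrfToken");
        string body = "csrfToken=" + Uri.EscapeDataString(token) +
                      "&additionalHolderAuthValue=" + Uri.EscapeDataString("01/01/1990");
        Console.WriteLine("POST body: " + body);
    }
}
```

The example stops before sending anything; in a real flow the jar is created once, assigned before each `GetResponse()` call, and the token is re-read from every response.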
-
Normally, I'd agree with you 100%. However, the only thing you can do with this website is check your balance and the latest activity on your account. Neither the card number nor my social are listed on there. And in order to change anything on the account, you need to call customer service and provide both of those. It's not a bank account, per se, just a payroll deposit account with a debit card attached. If it was anything more, I'd not even consider doing this myself. And in the 4 years I've had the account, the front page hasn't changed, nor have I been asked for anything other than my dob.
-
In addition to the replies here. There are also many security schemes in place to avoid "machines" (programmes) to login or submit forms. Think of captchas e.g. or like my bank requiring my bank card in a device and codes that are generated on the fly. (There are many others.) Steer away from this venture young padawan :)
V.
(MQOTD rules and previous solutions)
-
Steal a Windows Phone?? :doh:
Luc Pattyn [My Articles] Nil Volentibus Arduum
-
Did anyone say criminals are clever? :laugh:
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...