XHR request using Python

Hi, I am trying to create an assert (fluid assert) to validate http.has_user_enumeration()

The app I am testing is using Amazon Cognito for authentication.
(short diagram on how cognito works)

Problem:
When I enter the user name and password and submit the form, the web app then makes an XHR to authenticate with the Cognito service.
(The information sent using the POST XHR is not the same as the one entered into the login field; it is encrypted.)

Expected solution:

I need to find a way to capture the XHR request / response (It has the token required to consume the service)

Is there a way in Python / python-selenium to capture an XHR request?

PS: I already have the http.has_user_enumeration() asserts; however, the token is in the source code (it can change over time), which is why I need a dynamic way to retrieve the response token.

Glossary:
XHR https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
Amplify javascript https://aws-amplify.github.io/docs/js/authentication
Cognito https://aws.amazon.com/cognito/

As I see it, there is no need to intercept the XHR request with encrypted values to replicate it in the exploit; just use Selenium to introduce the username and password in the form and let the browser do that heavy XHR stuff for you. Once all the authentication flow is done, grab whatever cookie/bearer-token is returned by the server to represent the authentication/authorization in that app and use it to make requests as an authenticated user.

(further, probably replicating XHR requests from the exploit is not going to work due to CORS and same origin policies, but it is implementation dependent)


You can see here an example of how to get cookies (or any session information) using Selenium that can be used along with Asserts.
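An added example, not part of the original thread and not Fluid Asserts code: once Selenium has completed the login, the tokens can be read from a snapshot of the browser's localStorage instead of from the XHR. It assumes the app keeps Amplify's default `CognitoIdentityServiceProvider.<clientId>...` key layout in localStorage; the client id, user name and tokens in `SAMPLE` are constructed.

```python
import base64
import json
import time

PREFIX = "CognitoIdentityServiceProvider"  # assumed: Amplify's default key prefix

def jwt_claims(token):
    """Decode (without verifying) the payload segment of a JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def cognito_tokens(storage, now=None):
    """Pick the logged-in user's tokens out of a localStorage snapshot (a dict),
    e.g. driver.execute_script("return Object.assign({}, window.localStorage)")
    taken after Selenium has submitted the login form."""
    now = time.time() if now is None else now
    suffix = ".LastAuthUser"
    last = [k for k in storage if k.startswith(PREFIX) and k.endswith(suffix)]
    if len(last) != 1:
        raise LookupError("expected one LastAuthUser key, found %d" % len(last))
    base = "%s.%s" % (last[0][: -len(suffix)], storage[last[0]])
    tokens = {}
    for name in ("idToken", "accessToken"):
        key = "%s.%s" % (base, name)
        if key not in storage:
            raise LookupError("missing " + key)
        if jwt_claims(storage[key])["exp"] <= now:
            raise ValueError(name + " has expired; repeat the login")
        tokens[name] = storage[key]
    return tokens

def fake_jwt(claims):
    """Build an unsigned, constructed JWT for the sample below."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (seg({"alg": "none"}), seg(claims))

# Constructed sample data: client id, user name and tokens are made up.
CID, USER = "exampleclientid", "tester"
SAMPLE = {
    "%s.%s.LastAuthUser" % (PREFIX, CID): USER,
    "%s.%s.%s.idToken" % (PREFIX, CID, USER): fake_jwt({"sub": USER, "exp": 2000}),
    "%s.%s.%s.accessToken" % (PREFIX, CID, USER): fake_jwt({"sub": USER, "exp": 2000}),
    "unrelated": "x",
}

if __name__ == "__main__":
    print(sorted(cognito_tokens(SAMPLE, now=1000)))
```

Because the tokens are read fresh after each login, nothing has to be hard-coded in the assert's source.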


Is it possible to instrument asserts to encapsulate this logic?

I think it’s possible, but it’s not maintainable since every login has its own properties, its own flow, and its own way to persist the state.

The logic is kind of encapsulated through the fluidasserts.utils.generic.check_function method, in which the tester can assert any logic that can be written in Python.


@deep-web If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question.

I moved the topic from random to product/asserts-questions

@deep-web If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question. If not, please update the post with further information about the issue and/or the proposed solutions of the participants.