Hey bahmutov,
I just experimented with accessing a CSRF-protected ASPX login form. Unfortunately, I was not able to do any successful login.
The ASPX login seems to have more than one hidden field, so in the first steps I simply enhanced your code to gather up to three tokens from the page and add them to the form during the POST.
I checked with Wireshark by inspecting the POST and saw they were successfully added.
Anyhow, I always get referred back to the login page.
As my understanding of ASPX is pretty much nothing more than what I have already found out and written here, I thought maybe you have an idea, and perhaps this could be a nice feature for csrf-login.
To reproduce the problem, have a look at any CSRF-protected login site that is developed with ASPX .NET.
Have a look at the source code and see that there is more than just one hidden token field (it consists of three).
In addition, I think this information (or other information) will then have to be included in the cookie.
I am sorry I cannot assist you with further information, as I did not succeed in using csrf-login to log in to such a site.
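The procedure described in this thread (fetch the login page, copy its hidden fields into the POST, send the cookie back), as an added example that is not part of the issue or of csrf-login's code. It collects every hidden input instead of a fixed number and also echoes the submit button's name, which Web Forms uses to decide which button was clicked. The sample page, field names and credentials are constructed, and the regex parsing is a simplification that suits this sample only.

```javascript
// Added example (not csrf-login's code). The HTML below is a constructed sample
// of an ASP.NET Web Forms login page; all names and values are made up.
const SAMPLE_PAGE = `
<form method="post" action="./Login.aspx" id="form1">
  <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="dDwtMTA4+abc/=" />
  <input type="hidden" name="__VIEWSTATEGENERATOR" value="C2EE9ABB" />
  <input type="hidden" name="__EVENTVALIDATION" value="/wEdAAK&amp;x=" />
  <input name="ctl00$Main$UserName" type="text" />
  <input name="ctl00$Main$Password" type="password" />
  <input type="submit" name="ctl00$Main$LoginButton" value="Log In" />
</form>`;

// Undo the HTML entity encoding of attribute values (&amp; last, to avoid double decoding).
const decode = (s) => s.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
  .replace(/&gt;/g, '>').replace(/&#39;/g, "'").replace(/&amp;/g, '&');

// Parse one <input ...> tag into an attribute map with lower-cased attribute names.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = decode(m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Collect every hidden field plus the submit button, then add the credentials.
// URLSearchParams percent-encodes '+', '/' and '=' found in base64-style values.
function buildLoginPost(html, credentials) {
  const fields = new URLSearchParams();
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = (a.type || 'text').toLowerCase();
    if (!a.name) continue;
    if (type === 'hidden' || type === 'submit') fields.append(a.name, a.value || '');
  }
  for (const [name, value] of Object.entries(credentials)) fields.set(name, value);
  return fields;
}

// Cookies set by the GET go back with the POST: keep only the name=value pairs.
function cookieHeader(setCookieLines) {
  return setCookieLines.map((line) => line.split(';')[0].trim()).join('; ');
}
```
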