There is a website I need to use for work; it is an MS sharepoint site. When accessing this site from a browser, I first get redirected to an RSA login page where I have to input my username, PIN, and RSA token code and then I get redirected to the real sharepoint site. After logging in to the RSA redirect page, I can browse the sharepoint site normally until such time as it decides that a time limit has expired or the browser "session" has been lost/cleared (I checked and it appears to be using a browser cookie that expires at the end of the browsing session) and then I have to re-enter my credentials.
Anyways the problem is that I want to use some software that can sync with a sharepoint site but if I just put the site URL into the software it doesn't understand how to deal with the RSA credential page that appears first (it doesn't prompt for my credentials, it just errors).
So I was thinking that there could be some way to have a program/script connect to the site that understands how to prompt for my credentials (or just display the webpage so I could type them in) and then keep that same session/connection alive and act as a kind of proxy server for the other syncing application.
Does anything like this exist? Or would this be hard to make in python or something? Or at the very least does anyone know what words I should google for to get information on how to solve this problem because I am having trouble finding anything because I don't really know what to search for.
The site uses SSL, if this matters.
Captain Riggs fucked around with this message at Jun 17, 2014 around 22:46
|# ? May 30, 2014 05:55|
If you use curl with the cookiejar option enabled, it can store the session cookies for you. You'd need to write a simple script (like in python or ruby, or even a batch file since this is so simple) to use it. Something like
1) Use curl to attempt to retrieve the sharepoint URL. Enable the cookiejar option, and the option to follow redirects. This should return you the RSA login page.
curl --cookie-jar mycookies --location https://mysharepoint.site.com/
2) Submit a POST request via curl to the RSA login page with your credentials, emulating you POSTing the webform. Use the same cookiejar, and follow redirects again. This should return you to the sharepoint site.
curl --cookie mycookies --cookie-jar mycookies --location -F username=myloginname -F password=mypassword https://rsa.login.com/
3) By now all the appropriate cookies should be set up in the cookie jar. Use curl to get the URL you want from the sharepoint site.
curl --cookie mycookies --cookie-jar mycookies --location https://mysharepoint.site.com/actualurl/I/want
Some website scraper tools may be able to do this for you, but the above is pretty simple and should work.
|# ? Jun 12, 2014 06:08|
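The three steps from the post above, as an added Python example that is not part of the thread: the cookie jar is written after login and read back by a fresh opener, which is what separate curl runs amount to. FakeGateway, its /site and /login paths, the cookie name and the credentials are constructed stand-ins so the flow runs offline; the jar file is created owner-only because it holds a live session.

```python
import http.cookiejar, http.server, os, tempfile, threading, urllib.parse, urllib.request

class FakeGateway(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: /site needs a session cookie, POST /login issues it."""
    def _reply(self, code, body=b"", headers=()):
        self.send_response(code)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        if self.path == "/login":
            self._reply(200, b"login form")
        elif "session=demo-token" in self.headers.get("Cookie", ""):
            self._reply(200, b"sharepoint content")
        else:
            self._reply(302, headers=[("Location", "/login")])
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # No Expires/Max-Age, so this is a browser-session cookie.
        self._reply(302, headers=[("Set-Cookie", "session=demo-token; Path=/"),
                                  ("Location", "/site")])

def opener_for(jar_path, keep_session=True):
    jar = http.cookiejar.MozillaCookieJar(jar_path)
    if os.path.exists(jar_path):
        jar.load(ignore_discard=keep_session)  # default drops session cookies
    return jar, urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

def save(jar):
    # The jar is a live credential: create it owner-only before writing.
    os.close(os.open(jar.filename, os.O_WRONLY | os.O_CREAT, 0o600))
    jar.save(ignore_discard=True)

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    jar_path = os.path.join(tempfile.mkdtemp(), "mycookies")
    jar, opener = opener_for(jar_path)
    first = opener.open(base + "/site").read()             # step 1: bounced to login
    form = urllib.parse.urlencode({"username": "u", "password": "p"}).encode()
    opener.open(base + "/login", data=form).read()         # step 2: POST the form
    save(jar)
    dropped, _ = opener_for(jar_path, keep_session=False)  # what a default load sees
    _, later = opener_for(jar_path)                        # step 3: fresh opener
    page = later.open(base + "/site").read()
    server.shutdown()
    return first, page, len(dropped), oct(os.stat(jar_path).st_mode & 0o777)
```

Calling demo() returns the step 1 body, the step 3 body, the number of cookies a default load keeps, and the jar's file mode.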
Powershell can do that too with Invoke-Webrequest http://technet.microsoft.com/en-us/...y/hh849901.aspx
The general procedure is that you launch Fiddler in the background, do a manual login, then check the Fiddler capture for the important GET and POST requests.
You can then duplicate them with the web requests, using the -SessionVariable argument to remember the cookies.
Edit: As an example this is a script I use to check our 20+ scanners for deleted user accounts:
peak debt fucked around with this message at Jun 13, 2014 around 09:01
|# ? Jun 12, 2014 19:59|
Thanks for the info. I was not aware of either of those methods before.
I actually solved my problem by using some code in Fiddler's CustomRules.js to capture the cookie from a browser login to the site and reuse the cookie in any other app that made a request to the site.
Both of your suggestions solve the problem of capturing the cookie and including it in another request in a script but what about inserting it into a request from another application? For example I am using microsoft onenote and colligo briefcase (http://www.colligo.com/products/sha...ligo-briefcase/) to connect to the sharepoint site. I could not figure out any way other than fiddler acting as a proxy to insert the cookie into the requests from these applications.
Do you know of any way to solve that problem? Since the sharepoint site uses SSL I think pretty much the only way to do it would be to use your own root certificate and basically do a man-in-the-middle type attack (which is what the fiddler proxy does)...
Fiddler does work but it seems to slow things down a bit since it is doing so many other things.
|# ? Jun 18, 2014 00:22|