Using CURL to test a restricted web resource (URL for authenticated users) sending cookies headers.
When accessing an URL that is protected and intended for authenticated users, the browsers authenticates to the server with a cookie (PHPSESSID or whatever else). Based on that cookie, the server does internal checks to see if the user is authenticated or not.
If you have access to that URL and you want to test it from CLI, here is how to test it with CURL.
First, I'll test this such resource with curl without being authenticated:
Code:
# curl -k -v --header "Host: domain.com" https://10.0.1.176/members.html
* About to connect() to 10.0.1.176 port 443 (#0)
* Trying 10.0.1.176...
* Adding handle: conn: 0x80388b600
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x80388b600) send_pipe: 1, recv_pipe: 0
* Connected to 10.0.1.176 (10.0.1.176) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
* subject: description=rC3rJgFyyRdqI25U; C=NL; CN=ssl1.verisign.com; emailAddress=postmaster@verisign.com
* start date: 2013-05-08 11:54:53 GMT
* expire date: 2014-05-08 23:57:39 GMT
* issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
* SSL certificate verify ok.
> GET /repository.html HTTP/1.1
> User-Agent: curl/7.33.0
> Accept: */*
> Host: domain.com
>
< HTTP/1.1 302 Moved Temporarily
* Server Apache is not blacklisted
< Server: Apache
< Date: Wed, 15 Jan 2014 14:05:55 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=60
< Set-Cookie: asdf=asdfasdg; expires=Wed, 15-Jan-2014 16:05:55 GMT; path=/; domain=.domain.com
< Set-Cookie: SESSID=tiup07q2occif50to4ics69d54; path=/; domain=.domain.com
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Location: https://domain.com/members/members_gate?target=repository.html
< Cache-Control: max-age=315360000, public
< Strict-Transport-Security: max-age=315360000; includeSubdomains
< X-Frame-Options: DENY
<
* Connection #0 to host 10.0.1.176 left intact
As you can see, the "/members.html" is an URI that cannot be accessed by guests. The client is redirected to another URL with a 302 HTTP response code and a "location" attribute.
Let's say I authenticate via a browser and I take the PHP session id from my browser and serve it to the web server along with "Host " header with CURL:
Code:
# curl -k -v --cookie "SESSID=ekjgaqivpkfjp6iohlsi3a6ia2" --header "Host: domain.com" https://10.0.1.176/members.html
* About to connect() to 10.0.1.176 port 443 (#0)
* Trying 10.0.1.176...
* Adding handle: conn: 0x80388b600
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x80388b600) send_pipe: 1, recv_pipe: 0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 10.0.1.176 (10.0.1.176) port 443 (#0)
* SSL connection using ECDHE-RSA-AES128-SHA256
* Server certificate:
* subject: description=rC3rJgFyyRdqI25U; C=NL; CN=ssl1.verisign.com; emailAddress=postmaster@verisign.com
* start date: 2013-05-08 11:54:53 GMT
* expire date: 2014-05-08 23:57:39 GMT
* issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 1 Primary Intermediate Server CA
* SSL certificate verify ok.
> GET /repository.html HTTP/1.1
> User-Agent: curl/7.33.0
> Accept: */*
> Cookie: SESSID=ekjgaqivpkfjp6iohlsi3a6ia2
> Host: domain.com
>
< HTTP/1.1 200 OK
* Server Apache is not blacklisted
< Server: Apache
< Date: Wed, 15 Jan 2014 14:11:10 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=60
< Set-Cookie: _asdf=asdfasdg; expires=Wed, 15-Jan-2014 16:11:10 GMT; path=/; domain=.domain.com
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Cache-Control: max-age=315360000, public
< Strict-Transport-Security: max-age=315360000; includeSubdomains
< X-Frame-Options: DENY
<
{ [data not shown]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
Once CURl has sent the appropriate cookie header and host header, the request is authenticated.
News 
Site map 
SitemapIndex 
RSS Feed 