APIs and websites often use CSRF tokens as a form of bot and scraper detection to prevent unauthorized data access. By requiring a valid token linked to a user's session, sites can block scrapers and lock down their data.
In this comprehensive guide, I'll explain what CSRF tokens are, where to find them, and, most importantly – how to bypass them in your web scrapers.
What is CSRF, and Why Sites Use It?
CSRF stands for Cross-Site Request Forgey. It refers to the vulnerability of a site accepting unauthorized requests from an external domain. For example, say Site A has an internal API that deletes user accounts. A malicious Site B could make hidden requests to that API without any granted permissions from Site A.
To prevent this security issue, sites implement CSRF tokens – randomly generated strings that must be passed with API requests to validate they are from an authorized domain with an active session.
Here is how it works:
- A user visits Site A and receives a CSRF token tied to their current session
- The user's browser automatically appends this token value to any requests back to Site A
- Site A's server confirms the token is valid before responding with sensitive data or executing actions
Now only browsers holding Site A's tokens can interact with internal systems. Even if other sites make requests, they will be rejected without a verified token. According to recent statistics:
- Over 35% of the top 1 million websites now utilize CSRF protections
- Finance and banking sites lead with over 60% adoption
- High traffic web apps like social media networks employ CSRF broadly
- With 95%+ browser coverage, tokens can be seamlessly issued and validated
And adoption is only increasing as sites aim to lock down data. This presents a major hurdle for web scrapers that don't run authenticated browser sessions. Any headless requests tools make to CSRF protected APIs will fail without accounted-for tokens.
Next, let's explore where sites store these tokens for users – and how we can pinch them for our scrapers!
Where Sites Store CSRF Tokens
Since tokens need to be accessible by users' browsers, they are typically saved in a few common locations:
| Location | Example | Notes |
|---|---|---|
| Input Fields | <input type="hidden" name="csrfToken" value="abc123"> | Very common. Automatically attached to form submissions. |
| Cookies | Set-Cookie: csrfToken=abc123 | Persist through browser sessions. Requires cookie handling. |
| JavaScript Variables | var csrf = abc123 | Often in imported .js files. Must parse and execute scripts. |
| Local/Session Storage | sessionStorage.csrfToken = abc123 | Like cookies but only lasts until tab is closed. |
Input fields provide the most convenient place to inject tokens that get auto-submitted on each request. No real token management is needed by the site. However, I've increasingly seen sites go the cookie route for added complexity to block scrapers from easily finding tokens in page markup.
JavaScript usage also makes tokens trickier to access since it requires JavaScript execution vs. just parsing HTML. Additionally, CSRF values can be dynamically generated per session or even per request. So tokens may continuously change instead of being static.
Later I'll cover some best practices for handling frequently refreshed tokens. For now, let's move on to real hands-on examples of extracting tokens from sample sites.
Bypassing CSRF Tokens in Web Scrapers
Alright, time for the fun part – actually finding CSRF tokens and leveraging them to authenticate our scrapers! Let's walk through bypassing CSRF validation on an example e-commerce site, web-scraping.dev. This site conveniently implements CSRF header protection on certain API endpoints – perfect for us to hack.
My code examples use Python, but you can apply nearly identical techniques in JavaScript, Ruby, etc.
Step 1: Analyze the CSRF Header
First, let's figure out exactly where the CSRF token is expected by examining outgoing browser requests.
Visiting a product page and clicking to load more reviews executes an API call that is protected behind a CSRF header. Using Chrome DevTools, we spot the custom header:
X-CSRF-Token: abc123
This reveals that our scraper must supply this same dynamic abc123 value to authorize itself.
Now let's find where that token lives on the page…
Step 2: Parse for the CSRF Token
Viewing the raw product page source, we quickly spot the csrf-token value tucked away in a hidden input field:
<input type="hidden" name="csrf-token" value="abc123">
Success! The token used in the API call comes directly from this user-specific value.
Let's grab it with Python's BeautifulSoup parser:
from bs4 import BeautifulSoup
import requests
page = requests.get("https://web-scraping.dev/product/1")
soup = BeautifulSoup(page.content, "html.parser")
token = soup.find("input", {"name": "csrf-token"})["value"]
print(token) # abc123And our scraper now holds the keys to the kingdom!
Step 3: Make an Authenticated API Call
With token extracted, we add it to mimic an authorized user:
import requests
headers = {
"X-CSRF-Token": token
}
api_url = "https://web-scraping.dev/api/reviews?product_id=1&page=2"
response = requests.get(api_url, headers=headers)
print(response.status_code) # 200 🎉
print(response.json()) # full review data!And there we have it – scraped data from an API endpoint protected by CSRF! This authorization process works for any CSRF-locked target. Identify token -> Extract token -> Include in requests.
Next, let's cover some best practices for handling scenarios where tokens change or expire.
Step 4: Troubleshoot Invalid Tokens
One tricky aspect of CSRF security is token lifespan – how long until they expire. Some last for an entire user session. Others replenish every single request or minute. If you begin getting 403 errors, first double check for updated tokens before assuming failure:
# Re-extract token
new_token = get_fresh_token()
# Retry request
response = requests.get(api_url,
headers={"X-CSRF-Token": new_token})
# Check if refreshed token worked
if response.ok:
print("Updated token success!")I also recommend scraping across a range of site pages and endpoints. Token implementation may differ across sections. For example, product API tokens may persist for hours while account settings tokens refresh multiple times per minute.
Testing token validity windows will optimize large crawls. Browser automation tools like Selenium also help mimic natural browsing to trigger perpetual feed of new tokens.
Expanding Beyond CSRF Tokens
While extremely prevalent, CSRF headers make up one piece of the bot mitigation puzzle sites enact. Let's discuss a few other advanced tactics seen:
- User Fingerprinting analyzes thousands of subtle browser attributes like timezones, fonts, codecs, and more to detect patterns of automation tools vs genuine users statistically. Replicating human fingerprints minimizes red flags.
- Bearer Tokens handle API authentication specifically and carry user identity, scopes and expiration details. Check for expected
Authorization: Bearer <Token>headers. - CAPTCHAs employ on-demand challenges to assess humanity before permitting site actions. Leveraging commercial captcha-solving services can power through these.
- IP Blocking blacklists scraping infrastructure at the network level. Rotating IPs and residential proxies thwart blanket bans.
As you can see, sophisticated modes of protection require equally advanced countermeasures. Combining watertight headers, fingerprints, proxy rotations, and more ensures scraping resilience against even heavy-handed security teams.
Conclusion
And there you have it – a comprehensive guide to identifying, extracting, and bypassing CSRF tokens to access protected websites and APIs. The techniques we discussed can be implemented in any scraping language like Python, Node.js, etc.
The next time you encounter mysterious 403 errors or missing header warnings, remember to check for CSRF and other validation tokens. Following the browser chain of token storage > token passing > server validation will unlock the data you need.
Happy scraping!
