Now can correctly handle complex token-based CSRF protections by grabbing all
fields from the login form and using session cookies from the form request.
These cookies are sent with subsequent redirect-following requests for better
failure detection. On success, cookies are cleared and re-acquired.
A database of known web apps' login forms is used for form detection, helpful
for those whose username and password fields do not begin with "user" and
"pass". Form mangling (to remove cookie checks in one instance) and custom
onsuccess functions are also supported. Tested: django, wordpress, mediawiki.
This *may* be a replacement (upon suitable testing) for http-wordpress-brute and
http-joomla-brute.
Cases where the format string does not contain any placeholders, but
values are given anyway. Cases where string.format is used without any
placeholders or arguments.
In addition to fitting better (brute library is the verb, creds library
is the noun), this will allow creds.lua to use creds.Account internally
where necessary (see subsequent commits)
Also change old references to string argument "OPEN" into
creds.State.VALID.
There's no reason we can't use other verbs besides GET and POST. Other
verbs are handled like GET requests (parameters in the URI string). Any
redirect responses will be followed with GET requests, though.
- autodetecting form fields is now a bit more robust
- only the password field is mandatory
- HTTP re-directs are followed in case they're detected
- the detection of incorrect login attempts has been changed and supports
two new arguments (onsucces, onfailure)
[Patrik]
