Use php Curl to login into website and parse a restricted webpage

Question

I have been struggling a lot to make a script (for personal use) to login my chess.com account remotly, access my friends page and parse my friends list. Despite many tries, I am still stuck at the first step (login remotly to my account).

I have created a test account on chess.com for the purpose of this test code. Username: "stackoverjohndoe" Password: "stackoverjohndoepassword"

   
/The username or email address of the account.
define('USERNAME', 'stackoverjohndoe');

//The password of the account.
define('PASSWORD', 'stackoverjohndoepassword');

//The password of the account.
define('TPATH', 'https://www.chess.com/');

//The password of the account.
define('TOKEN', 'iwQZkjg8fnm9FhgLcjaOwxlB5MgSIYVTdW5vSkib2m');


//Set a user agent. This basically tells the server that we are using Chrome ;)
define('USER_AGENT', 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36');

//Where our cookie information will be stored (needed for authentication).
define('COOKIE_FILE', 'cookie.txt');

//URL of the login form.
define('LOGIN_FORM_URL', 'https://www.chess.com/login_check');

//Login action URL. Sometimes, this is the same URL as the login form.
define('LOGIN_ACTION_URL', 'https://www.chess.com/login_check');


//An associative array that represents the required form fields.
//You will need to change the keys / index names to match the name of the form
//fields.
$postValues = array(
    '_username' => USERNAME,
    '_password' => PASSWORD,
    '_target_path' => TPATH,
    '_token' => TOKEN,
    'login' => ''

);
    

//Initiate cURL.
$curl = curl_init();

//Set the URL that we want to send our POST request to. In this
//case, it's the action URL of the login form.
curl_setopt($curl, CURLOPT_URL, 'https://www.chess.com/login_check');

//Tell cURL that we want to carry out a POST request.
curl_setopt($curl, CURLOPT_POST, true);

//Set our post fields / date (from the array above).
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postValues));

//We don't want any HTTPS errors.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

//Where our cookie details are saved. This is typically required
//for authentication, as the session ID is usually saved in the cookie file.
curl_setopt($curl, CURLOPT_COOKIEJAR, COOKIE_FILE);

//Sets the user agent. Some websites will attempt to block bot user agents.
//Hence the reason I gave it a Chrome user agent.
curl_setopt($curl, CURLOPT_USERAGENT, USER_AGENT);

//Tells cURL to return the output once the request has been executed.
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

//Allows us to set the referer header. In this particular case, we are 
//fooling the server into thinking that we were referred by the login form.
curl_setopt($curl, CURLOPT_REFERER, 'https://www.chess.com/login');

//Do we want to follow any redirects?
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);

//Execute the login request.
curl_exec($curl);

//Check for errors!
if(curl_errno($curl)){
    throw new Exception(curl_error($curl));
}

//We should be logged in by now. Let's attempt to access a password protected page
curl_setopt($curl, CURLOPT_URL, 'https://www.chess.com/home/friends');

//Use the same cookie file.
curl_setopt($curl, CURLOPT_COOKIEJAR, COOKIE_FILE);

//Use the same user agent, just in case it is used by the server for session validation.
curl_setopt($curl, CURLOPT_USERAGENT, USER_AGENT);

//We don't want any HTTPS / SSL errors.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

//Execute the GET request and print out the result.
echo curl_exec($curl);

Answer 1

Chances are you won't succeed, I'm afraid. Because chess.com, like a gazillion of other sites, is protected by Cloudflare:

$ curl --head https://www.chess.com

This yields:

...
set-cookie: __cfduid=...
cf-cache-status: ...
cf-request-id: ...
set-cookie: __cf_bm=...
server: cloudflare
cf-ray: 63ff9eb5db5b2c9d-LHR
...

These are either Cloudflare headers, or Cloudflare cookies.

Now, if you'd acquire a valid token and try to login afterwards via curl, you'll be presented with Cloudflare's Under Attack Mode page:

<div class="cf-browser-verification cf-im-under-attack">
    <!-- ... -->
    <form class="challenge-form" id="challenge-form" action="/login_check?__cf_chl_jschl_tk__=..." method="POST" enctype="application/x-www-form-urlencoded">
    <!-- ... -->
    </form>
    
    <script type="text/javascript">
        //<![CDATA[
        (function(){
            // ...
            cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/jsch/v1?ray=63ff96d8a9b8070a";
            document.getElementsByTagName('head')[0].appendChild(cpo);
        }());
        //]]>
    </script>
</div>

One of the purposes of this page is to check whether or not you've JavaScript enabled, thus ruling out any attempts to login via curl.

Because Cloudflare also happens to be a moving target, past solutions to bypass its checks will most likely not work anymore, and attempts to analyze the techniques employed by Cloudflare might have become obsolete:

• cURL - Load a site with CloudFlare protection
• https://github.com/KyranRana/cloudflare-bypass
• https://github.com/yottaiq/CloudAttack (Python, JS)
• https://khromov.wordpress.com/2013/02/05/cloudflare-client-side-ddos-detection-how-does-it-work/
• https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/