Request gets denied with 403 when triggered from script

Question

I am writing a script to impersonate a browser. Just as browser logs in to a WebApp/Website, get cookie and use that cookie for further request, I am doing the same using scripts. I am able to login, get the cookie and further requests gets denied with 403 "Permission denied for object". I tried copying the exact request headers as the browser does but still getting the same error. Is there anything on the server which detects request is from script and not browser? Any workaround for this?

Response from server after successful auth :

HTTP/1.1 200 OK
Server: XXXXX
Date: Wed, 06 Mar 2024 15:55:45 GMT
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
Cache-Control: no-store
Strict-Transport-Security: max-age=2592000
Set-Cookie: session=00000007-P4liEibOE; path=/; SameSite=Strict; HttpOnly
Content-Type: text/plain
Content-length: 20

The next Request body:

curl -X POST https://10.x.x.x/form-submit/Settings/Change \
-H "Accept: */*" \
-H "Accept-Encoding: gzip, deflate, br, zstd" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Connection: keep-alive" \
-H "Content-Length: 32" \
-H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
-H "Cookie: session=00000007-P4liEibOE" \
-H "Host: 10.x.x.x" \
-H "Origin: https://10.x.x.x" \
-H "Referer: https://10.x.x.x/index.htm" \
-H "Sec-Fetch-Dest: empty" \
-H "Sec-Fetch-Mode: cors" \
-H "Sec-Fetch-Site: same-origin" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" \
-H "X-Requested-With: XMLHttpRequest" \
-H "sec-ch-ua: \"Chromium\";v=\"122\", \"Not(A:Brand\";v=\"24\", \"Google Chrome\";v=\"122\"" \
-H "sec-ch-ua-mobile: ?0" \
-H "sec-ch-ua-platform: \"macOS\"" \

Answer 1

You can include cookie in this way:

curl --cookie '<cookie-value>' ...

Reference this link: https://curl.se/docs/http-cookies.html Section: Cookies with curl the command line tool

In addition, for easier to read, you can use single quote ' instead of double quote " for header content, like: 'sec-ch-ua-platform: "macOS"' instead of "sec-ch-ua-platform: \"macOS\""