bet365 added an X-Net-Sync-Term value to the request headers and to the WebSocket connect. Does anyone know how they are generating that value?
First you must know I'm a total beginner, I'm trying to learn so I almost don't know anything.
On the basic page of the API, there is a curl command used as an example to show us how to make requests.
I'm using Ruby on Rails so I used "curl-to-ruby" website to translate it, but it did not work as expected.
I wanted it to show me this:
require "net/http"
require "json"
uri = URI.parse("REQUEST_URL")
response = JSON.parse(Net::HTTP.get(uri))  # Net::HTTP.get returns the body as a String
Instead I got this:
require "net/http"
uri = URI.parse("REQUEST_URL")
response = Net::HTTP.get_response(uri)  # returns a Net::HTTPResponse object, not the body
I don't understand any of this; I thought I wouldn't need to and could just use "curl-to-ruby", but apparently I really need to understand it.
Would you please try to explain it to me?
Or give me links?
Or things to read (curl, API, HTTP)?
Thank you very much, have a nice day.
It's because that command doesn't return just the content, it returns the whole HTTP response object including headers and body. You need to extract the response body and parse that using JSON.parse(), e.g.
JSON.parse(response.body)
See documentation here: https://docs.ruby-lang.org/en/2.0.0/Net/HTTP.html#method-c-get_response
(Also, there is nothing in the cURL command which would hint to the converter that the content-type of the response was expected to be JSON (e.g. perhaps an "accepts" header or something), so even if it were able to produce extra code adding the JSON.parse part, it has no way of knowing that it would be appropriate to do so in this case.)
How would you think a hacker is doing the following, and how would you prevent it (looking for some helpful links, keywords or an assessment of the situation)?
There is a website where users can register and get an invitation email. The invitation link (https) contains the token. It looks like 'https://www.example.com/token/123456' (123456 is the token).
It seems that a day after my users clicked on this link, someone else uses the same links too.
How is this possible and how can I prevent this sort of hack?
Thanks
EDIT:
Sorry, I should have given more information. I can eliminate the opinion that it is just random token variations being tried. Why? The exact token is used a day after one of the users had used the link. The token is a hash token of more than 20 characters.
They can just run a script to try any numerical value in the token value.
It's easy. How long is your token? I would also suggest using a hash token rather than a simple numerical one to limit automatic processing, as the "hack" is scripting to try a number, get a result, store the result, and then number = number + 1;
Edit: What evidence do you have you've been hacked? What happens in your script once someone has clicked the token link?
A simple logic to apply could be:
define a string pattern, like: secretconstant%email
hash the string and now you have the token (and save it)
create your invitation URL with the token
If someone calls your service with a random token you can reject them because your information system has not saved that token.
Then if you have the token you must discard it so the link will not be valid anymore.
You could also check if the email used in the registration is the same one used to calculate the token, so you may block the registration.
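The scheme in the answer above, as an added example that is not from the thread: tokens are issued as a keyed hash (HMAC-SHA256 over a random nonce and the email, an assumption in place of the plain "secretconstant%email" hash), stored server-side, checked against the registering email, and discarded on first use so a replayed link fails.

```ruby
require "openssl"
require "securerandom"

# Added example, not code from the original post. The secret and emails are
# constructed placeholders; a real app loads the secret from configuration.
class InvitationStore
  def initialize(secret)
    @secret = secret
    @tokens = {} # token => { email:, expires_at: } (a DB table in a real app)
  end

  # Issue a token for an email. The random nonce makes every issued token
  # unique; the HMAC keyed with the server secret makes it unguessable.
  def issue(email, ttl: 86_400)
    nonce = SecureRandom.hex(16)
    token = OpenSSL::HMAC.hexdigest("SHA256", @secret, "#{nonce}%#{email}")
    @tokens[token] = { email: email, expires_at: Time.now + ttl }
    token
  end

  # Redeem a token presented with the email used at registration.
  # Returns :ok, :unknown, :expired or :email_mismatch. A token is removed
  # on success or expiry, so the same invitation link cannot be used twice.
  def redeem(token, email, now: Time.now)
    entry = @tokens[token]
    return :unknown unless entry
    if now > entry[:expires_at]
      @tokens.delete(token)
      return :expired
    end
    return :email_mismatch unless secure_equal?(entry[:email], email)
    @tokens.delete(token) # single use
    :ok
  end

  private

  # Constant-time string comparison, so response timing does not leak
  # how many leading characters of the expected value matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```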
Link to API
There is a param "nonce":
An additional security element must be passed into the post:
nonce - All requests must also include a special nonce POST parameter with incrementing integer. The integer must always be
greater than the previous requests nonce value.
Of course I can implement it via an integer param and perform a ++ operation each time I use it, but what do I do if this value is less than required and it causes a request error? For example, if it was reset after an application reinstall?
Suddenly I found a solution:
#((int)[[NSDate date] timeIntervalSince1970])
I saw that in PHP they use the microtime() function. I hope my function will give the same result.
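The clock-based nonce idea from the question above, as an added example that is not from the thread (written in Ruby rather than Objective-C): the nonce is the current time in microseconds, so it keeps increasing across an app reinstall, and a guard keeps it strictly increasing when two requests fall in the same microsecond or the clock steps backwards.

```ruby
# Added example, not code from the original post. A nonce of this kind
# orders requests and blocks replays; it is not a secret, so being
# predictable is acceptable for that purpose.
class NonceSource
  attr_reader :last

  # +last+ is the last nonce issued; a real app would persist it and pass it
  # back in here, but even with 0 after a reinstall the clock value is larger
  # than anything issued earlier, which is the point of a time-based nonce.
  def initialize(last = 0)
    @last = last
  end

  # Microseconds since the epoch, like PHP's microtime(true) * 1e6, but never
  # less than or equal to the previous nonce.
  def next_nonce(now: Time.now)
    candidate = now.to_i * 1_000_000 + now.usec
    @last = candidate > @last ? candidate : @last + 1
  end
end
```

The one-second resolution of the Objective-C snippet in the question gives the same value to two requests made within a second; microseconds plus the guard above avoid that.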
I am trying to pass multiple values for a parameter in a POST request body as follows
var1=1&var2=2&var34=3,4&var5=5
I've tried several ways to pass var34 as a string of values 3 and 4 but still not working. Need some help.
Thanks!!!
This isn't really a question about Fiddler, so it's not clear what you're asking specifically.
The server interprets POST data according to its own rules, and there's no standard for handling duplicate name/values in urlencoded data.
Some servers would accept var1=1&var2=2&var34=3,4&var5=5 as you've used, while some would prefer var1=1&var2=2&var34=3&var34=4&var5=5.
What error or problem are you encountering?
It turns out that it's the server side (I use R) where I need to adjust the code to accommodate the POST request. It has nothing to do with the request. Thank you so much for the suggestion!
Why does this link return XML content:
https://gdata.youtube.com/feeds/api/videos/uENITui5_jU#!?v=2&alt=json
while this one returns proper JSON?
https://gdata.youtube.com/feeds/api/videos/Zce-QT7MGSE?v=2&alt=json
I suspect it's because the bang or hash signs in the video_id field of the URL. Does anyone know how to fix it? No, quoting them does not work either.
There will never be an anchor (#) in a YouTube ID, and all YouTube IDs are 11 characters. Basically, everything after an anchor is treated differently by a web server, so "!?v=2&alt=json" is getting ignored in your request.
The video id you are looking for is "uENITui5_jU", so this would be the proper request:
https://gdata.youtube.com/feeds/api/videos/uENITui5_jU?v=2&alt=json
Not sure how you got the extra "#!" characters in there.