I have a Rails server which runs on port 3000, and a react app which runs on port 3001. The problem is:
when I want to create a new object from react side current_user is empty. I can create object from Rails side
without any problem. I have checked the headers of request for both side, "HTTP_COOKIE" are set for both side.
There is no error in console as well. I also put skip_before_action :verify_authenticity_token in application_controller. The output of pp request.headers.env.select{|k, _| k =~ /^HTTP_/} when I am trying to create object from react side, is :
{"HTTP_VERSION"=>"HTTP/1.1",
"HTTP_X_FORWARDED_HOST"=>"localhost:3001",
"HTTP_X_FORWARDED_PROTO"=>"http",
"HTTP_X_FORWARDED_PORT"=>"3001",
"HTTP_X_FORWARDED_FOR"=>"127.0.0.1",
"HTTP_COOKIE"=>
"_ALL THE COOKIES ARE SET HERE ",
"HTTP_CONNECTION"=>"close",
"HTTP_ORIGIN"=>"http://localhost:3000",
"HTTP_X_REQUESTED_WITH"=>"XMLHttpRequest",
"HTTP_X_CSRF_TOKEN"=>"undefined",
"HTTP_ACCEPT_ENCODING"=>"gzip, deflate",
"HTTP_ACCEPT_LANGUAGE"=>"en-US,en;q=0.5",
"HTTP_ACCEPT"=>"*/*",
"HTTP_USER_AGENT"=>
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0",
"HTTP_HOST"=>"localhost:3000"}
Any idea what I am missing here?
Your rails session is different than the react session. You will need to implement Authorization header and fill your current_user on before_action.
Check my response here: How to use postman to request an API that is protected with devise?
Related
I am trying to read the contents of a web page using a Groovy script. The page contains the readings from one of my temperature sensors that I want to save regularly. I have tried the simplest variant:
def url = "https://measurements.mobile-alerts.eu/Home/MeasurementDetails?deviceid=021B5594EAB5&vendorid=60122a8b-b343-49cb-918b-ad2cdd6dff16&appbundle=eu.mobile_alerts.mobilealerts&fromepoch=1674432000&toepoch=1674518400&from=23.01.2023%2000:00&to=24.01.2023%2000:00&command=refresh"
def res = url.toURL().getText()
println( res)
The result is:
Caught: java.io.IOException: Server returned HTTP response code: 403 for URL: (my url)
In any browser, this URL works without problems.
I would be very grateful for any tips on how to solve this problem.
HTTP code 403 means that a client is forbidden from accessing a valid URL. In other words, the server knows that you are not making a request via a web browser. To bypass this restriction, you need to specify a User-Agent in the request header.
For example:
def url = 'https://measurements.mobile-alerts.eu/Home/MeasurementDetails?deviceid=021B5594EAB5&vendorid=60122a8b-b343-49cb-918b-ad2cdd6dff16&appbundle=eu.mobile_alerts.mobilealerts&fromepoch=1674432000&toepoch=1674518400&from=23.01.2023%2000:00&to=24.01.2023%2000:00&command=refresh'
def res = url.toURL().getText(requestProperties:
['User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0'])
println res
You can switch to other valid user-agent values.
I discovered that six years ago, the previous developer commented out this line of code (Ruby, Rails):
#protect_from_forgery
I replaced it with the default:
protect_from_forgery with: :exception
and now I mysteriously get the following error when I try to add items to my cart while logged out:
Access to XMLHttpRequest at 'https://id.foo-staging.com/openid/checklogin?return_to=http%3A%2F%2Flocalhost.foo-staging.com%3A3000%2Fcart%2Fitems' (redirected from 'http://localhost.foo-staging.com:3000/cart/items') from origin 'http://localhost.foo-staging.com:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I've pinned down that this is happening because of the following lines:
def get_user_identity_from_open_id_server
redirect_to "#{OPEN_ID_PROVIDER_URL}/openid/checklogin?return_to=#{Rack::Utils.escape(request.url)}"
end
def open_id_authentication
#stuff
get_user_identity_from_open_id_server
end
before_filter :open_id_authentication
I understand what causes a preflight request, at a very high level, thanks to the documentation. But I don't think I'm doing any of those things.
* the request method is anything other than GET, HEAD, or POST
* you’ve set custom request headers other than Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, or Width
* the Content-Type request header has a value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain
So my initial question is how do I determine what is triggering the preflight request, and then maybe I can figure out how to prevent it from happening. Is this a situation that I can change on my end, or does something need to change on id.foo-staging.com (which I don't have access to, but could probably ask the right person to fix it for me).
I've been Googling all day, and nothing seems to make any sense to me, especially because I can't pin down precisely what's wrong.
I can solve the issue with this code:
skip_before_filter :open_id_authentication, :only => [:create], :if => :current_user and :anonymous_cart
But I have to assume that this is unsafe, from a security standpoint?
ETA: This is what I see on the Network tab for this request:
General:
Request URL: https://id.foo-staging.com/openid/checklogin?return_to=http%3A%2F%2Flocalhost.foo-staging.com%3A3000%2Fcart%2Fitems
Referrer Policy: no-referrer-when-downgrade
Request Headers:
Provisional headers are shown
Access-Control-Request-Headers: x-requested-with
Access-Control-Request-Method: GET
Origin: http://localhost.foo-staging.com:3000
Referer: http://localhost.foo-staging.com:3000/p/Product0/1?id=1&slug=Product0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Query String Parameters:
return_to: http://localhost.foo-staging.com:3000/cart/items
I presume the problem is the x-requested-with request header. But I don't know how to resolve this.
EATA:
Many JavaScript frameworks such as JQuery will automatically send this header along with any AJAX requests. This header cannot be sent cross-domain:
I guess my only option is to figure out how to rewrite this without AJAX?
To avoid the preflight request you have to remove x-requested-with header but the error that you have is because the response location in the preflight call is different from the Origin.
To fix the problem, update your code to use the new URL as reported by the redirect, thereby avoiding the redirect.
I am using Sendgrid to send emails from my rails app. Sendgrid send HTTP POST requests back to my app when events occur on the emails that I send - such as when an email is opened.
Sendgrid requires a URL to be provided which post requests are sent to. Mine is
my_domain.com/contact_processor
My routes.
resources :contact_processor
I know I can define a specific route, I used resources however and learned that the post request was looking for a create action.
My terminal shows the params being received.
parameters: {"_json"=>[{"ip"=>"66.249.82.220",
"sg_event_id"=>"YWRREWM4ZmItMzY4YS00MjY1LWE3YTAtOTI0MzcwNTJhMTBj",
"sg_message_id"=>"YZ8_123AQzOXoILstbNB4Q.filter0018p1las1.11190.577E6B3116.0",
"useragent"=>"Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via
ggpht.com GoogleImageProxy)", "event"=>"open", "foo_id"=>"19",
"email"=>"test#mydomain.com", "timestamp"=>1467905735,
"bar_id"=>"23"}], "contact_processor"=>{}}
I'm wanting to access the foo_id, bar_id, and event values so as to use them to update attributes of objects within my app.
What appeared to be a fairly simple task has stumped me.
Any help on how to access these and a bit of an explanation as to what I'm dealing with here would be greatly appreciated.
You can access them in the controller action hit by the callback, just like normal.
1.9.3-p551 :024 > params['_json']
=> [{"ip"=>"66.249.82.220", "sg_event_id"=>"YWRREWM4ZmItMzY4YS00MjY1LWE3YTAtOTI0MzcwNTJhMTBj", "sg_message_id"=>"YZ8_123AQzOXoILstbNB4Q.filter0018p1las1.11190.577E6B3116.0", "useragent"=>"Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via \n ggpht.com GoogleImageProxy)", "event"=>"open", "foo_id"=>"19", "email"=>"test#mydomain.com", "timestamp"=>1467905735, "bar_id"=>"23"}]
1.9.3-p551 :025 > params['_json'].first['ip']
=> "66.249.82.220"
I am currently trying to write an auxiliary module for Metasploit. The module basically tries multiple default credentials to get access to the router's management page. The authentication is done via web, i.e. HTTP POST.
Currently, the module works as expected for plain HTTP connections, i.e. unsecured connections, however every connection attempt via HTTPS (port 443), returns nil. Below is the function used within the Metasploit class to retrieve the login page:
def get_login_page(ip)
begin
response = send_request_cgi(
'uri' => '/',
'method' => 'GET'
)
# Some models of ZyXEL ZyWALL return a 200 OK response
# and use javascript to redirect to the rpAuth.html page.
if response && response.body =~ /changeURL\('rpAuth.html'\)/
vprint_status "#{ip}- Redirecting to rpAuth.html page..."
response = send_request_cgi(
'uri' => '/rpAuth.html',
'method' => 'GET'
)
end
rescue ::Rex::ConnectionError
vprint_error "#{ip} - Failed to connect to Web management console."
end
return response
end
When trying to connect via HTTPS, the first send_request_cgi call returns nil. No exception are caught or thrown. I have tried with 3 different hosts to make sure the issue was not with a specific endpoint. All my 3 attempts failed to return a response. At every attempt, I set the RPORT option to 443;
RHOSTS 0.0.0.0 yes The target address range or CIDR identifier
RPORT 443 yes The target port
Note that I have replaced the real IP with 0.0.0.0. Using a web browser, I can actually connect to the router via HTTPS with no issue (other than having to add an exception since the certificate is untrusted) and am presented the login page. With Wireshark, I tried to look at the generated traffic. I can clearly see that nothing is sent by the router. I notice the 3-way handshake being completed and the HTTP GET request being made:
GET / HTTP/1.1
Host: 0.0.0.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
There are 3-4 ACK after and then a FIN/PUSH sent by the server.
Based on this page on Metasploit's GitHub, I was under the impression that connections to HTTPS websites were handled by the underlying framework. I have not seen any articles/tutorial/source that leads me to believe otherwise. The doc about the send_request_cgi does not specify any specific requirement to establish a HTTPS connection. Other posts did not had the exact same issue I'm having. At this point I suspect either the OS, the framework or me forgetting to enable something. Other modules I have looked at either only targets HTTP websites - which I doubt - or do not have any special handling for HTTPS connections.
Any help determining the cause would be greatly appreciated.
Version of Metasploit:
Framework: 4.9.3-2014060501
Console : 4.9.3-2014060501.15168
Version of OS:
SMP Debian 3.14.5-1kali1 (2014-06-07)
As per this post on SecurityStreet, the solution was to set SSL to true in the DefaultOptions in the initialize function:
def initialize
super(
...
'DefaultOptions' =>
{
...
'SSL' => true
}
)
...
end
Connections to routers using HTTPS worked afterwards.
Currently I am working on project like web analytic using rails 3.2.3
I have two server, one is running on port 3001 and other one running on port 3000.
Here port 3001 is the server (let's say this is Google web analytic server) and port 3000 server is the end user (let's say this is your site). Now I need to get
request object from port 3000.
If I will write below code I can get the Browser details.
application.html.erb - This is user side code.
<script type="text/javascript"
src="http://localhost:3001/tracks/track_client?bwname=<%= request.env["HTTP_USER_AGENT"] %>">
</script>
This is the server side coce
def track_client
params.each do |key,value|
Rails.logger.warn "Param #{key}: #{value}"
end
end
{bwname=>Mozilla/5.0 (Windows NT 6.1", " WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2}
But I need user's request object with all properties not specific. like I need other properties too like
"GATEWAY_INTERFACE", "PATH_INFO", "QUERY_STRING", "REMOTE_ADDR", "REMOTE_HOST", "REQUEST_METHOD", "REQUEST_URI", "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE", "HTTP_HOST", "HTTP_USER_AGENT",
"HTTP_ACCEPT", "HTTP_ACCEPT_LANGUAGE", "HTTP_ACCEPT_ENCODING", "HTTP_DNT"=>"1", "HTTP_CONNECTION", "HTTP_COOKIE", "HTTP_IF_NONE_MATCH", "HTTP_CACHE_CONTROL"
Along with this I need some other params too like something like this
<script type="text/javascript"
src="http://localhost:3001/tracks/track_client?userid=1234&bwname=<%= request.env %>">
</script>
Are you looking for request object?
Please check here
http://techoctave.com/c7/posts/25-rails-request-environment-variables