In some forum that I was viewed the JSON response of a POST request using Firebug.
Say, a user with the email X#Y.com and password Zabc123 posted something on his own page on this forum. And I wanted to post a comment on his post.
But before I posted the comment I opened Firebug's Net panel:
After I had posted the comment the response that I saw in Firebug was like this:
postid 1432
OTHER THINGS ...
email X#Y.com
password Zabc123
ip 111.111.111.111
lastlogin 1-1-2016
lastpasschange 2-2-2015
and so on ..
This info is not my own, it is the info of the person that I was posting a comment on.
Is this a symptom of a hack or an incorrectly programmed script in that forum?
If you see the account data of another user within the response info, then that's probably a bug in the server-side script you called in your POST request, especially if that happens equally in different browsers.
The programmers of the website could also have output it as debug info and forgot to remove the code when pushing it to the live server.
It could also be that the server got hacked and the script changed that way that it returns the user names and passwords in plain text.
Related
I am working on an old classic asp site that uses vbscript for the server code and HTML and JavaScript for the client end. I am communicating with an external server which handles the credit card payment details.
I have found loads of answers for getting the response from a POST to the server (both from the client using JavaScript and from our own website server using vbscript). However what I am failing to find is how to respond from my server to an POST made from the credit card gateway server.
The sequence goes something like this:
I post all the transaction details to the gateway server
They immediately respond with a success status, a security key, a transaction ID, and a URL to which I must immediately redirect.
They then send a 'notification' post to a URL, that I gave in the first post, with an MD5 hash made up from details of the transaction and, importantly, the security key. I must generate the same MD5 hash and check that it matches. This is obviously to confirm that the initial transaction has not been compromised in any way.
Having done the security check I am required to respond: "When we receive your response to our notification POST, we determine where to direct your customers browser based on your response Status:"
That last stage is the one I am struggling with. I'm sure it's something really simple and silly but I just can't find any information anywhere. I have found lots of stuff on HTTPResponse but that all seems to be getting the response from a POST that I have made (and I have used this in the earlier stages) whilst here I am wanting to generate a response to a POST I have received. Note this must all be done at my server end as the credit card gateway have the IP address of our server and will only accept these transactions from that IP address therefore none of this can be sent from the customer's browser.
Sorry if this is really dumb! I am a C++ developer not a web developer but, as is the way with these things, I am having to do this bit of web development!
What you are talking about here is a consumer (the Gateway server) sending a POST request to an endpoint on your web application, which you should handle just the same as if you were receiving a POST from a local request, the process is the same.
Here is a basic example;
<%
'Expect only POST data to this page
If UCase(Request.ServerVariables("REQUEST_METHOD") & "") = "POST" Then
'Craft your response
Call BuildResponse()
Else
'Anything other then a POST should be met with a 404 response.
Response.Status = "404 Not found"
End If
Call Response.End()
'Sub for crafting your response.
Sub BuildResponse()
'Do we have a form field of "somevalue" with a value of "yes"?
If LCase(Request.Form("somevalue") & "") = "yes" Then
Call Response.Write("Hello world - Valid")
Else
Call Response.Write("Hello world - Invalid")
End If
End Sub
%>
This is just a basic example that expects a form post parameter of "somevalue" with a value of "yes". Based on this it returns a conditional response.
Obviously, you will need to pad out the response based on your requirements but this should give you some idea of how to structure it.
Side-note: As you won't be the consumer yourself it might be an idea to output a text file or setup an email that reports the passed form parameters to help you debug what the consumer is POSTing to the page to help you work out how to handle the request and generate a valid response the consumer expects.
Useful Links
How to check form submission ASP classic
ASP - Printing the entire request contents
How to create a new text file with asp?
I initially asked this question, which shows that I see MVC errors of missing POST values. I was unable to reproduce - I still can't reproduce it on demand, but I did get the error myself on IE11, and I got a clue...
I have an application in IIS7.5 running with Basic authentication only. I look in Fiddler, and normally all transactions have Authorization: Basic xxxxx as expected. The body contains POST values as expected, and Content-Length is correct.
When I experienced this problem, I found that every single request (GETs and POSTs, including static content) was now showing Authorization: Negotiate xxxxx in Fiddler, with an empty body and zero Content-Length, even when I submitted a POST object via jQuery AJAX, and IE's dev tools shows the real POST body (which of course means IE is lying - not the first time). It gets a 401 response, and then a new request occurs with Basic, but also with an empty POST body, which means ASP.NET throws an error about missing parameter values.
Other web applications on the same top-level domain do use Windows authentication instead of Basic, and my suspicion is that the user goes to one of these sites, and IE becomes confused and thinks that my application should use Windows authentication as well - but I can't reproduce that every time. I have reproduced it twice, but out of a dozen or so times of doing the same thing over and over, so I'm not finding a way to make it reproduce every time.
I don't know why the POST body would get emptied, even if it does switch over and try to do WinAuth instead of basic - but that's when the problem occurs, so I'm sure it's related.
Any ideas on how to prevent IE from getting confused and using Negotiate, or at least how to detect and gracefully handle this on the server? I've only seen it in IE, but I can't be sure it's IE-only.
Here's what a normal POST looks like:
Then after the problem starts occurring, the exact same POST looks like:
EDIT
Here's an interesting edit - I just saw a new symptom. This time, all GET requests are coming in with no Authorization header at all, and the response comes back with a 401 for basic, and the GET is re-done properly with basic. But the POSTs are going through normally, with basic on the first try. I don't know what started this happening, but it's a similar symptom of the same problem.
We have realized that this URL http://Keyword:redacted#example.com/ redirects to http://example.com/ when copied and pasted into the browser's address bar.
As far as I understand this might be used in some ftp connections but we have no such use on our website. We are suspecting that we are targeted by an attack and have been warned by Google that we are passing PII (mostly email addresses) in our URL requests to their Google Adsense network. We have not been able to find the source, but we have been warned that the violation is in the form of http://Keyword:redacted#example.com/
How can we stop this from happening?
What URL redirect method we can use to not accept this and return an error message?
FYI I experienced a similar issue for a client website and followed up with Adsense support. The matter was escalated to a specialist team who investigated and determined that flagged violations with the format http://Keyword:redacted#example.com/ will be considered false positives. I'm not sure if this applies to all publishers or was specific to our case, but it might be worth following up with Adsense support.
There is nothing you can do. This is handled entirely by your browser long before it even thinks about "talking" to your server.
That's a strange URL for people to copy/paste into the browser's address bar unless they have been told/trained to do so. Your best bet is to tell them to STOP IT! :-)
I suppose you could look at the HTTP Authorization Headers and report an error if they come in populated... (This would $_SERVER['PHP_AUTH_USER'] in PHP.) I've never looked at these values when the header doesn't request them, so I'm not sure if it would work or not...
The syntax http://abc:def#something.com means you're sending userid='abc', password='def' as basic authentication parameters. Your browser will pull out the userid & password and send them along as authentication information, leaving the url without them.
As Peter Bowers mentioned, you could check the authorization headers and see if they're coming in that way, but you can't stop others from doing it if they want. If it happens a lot then I'd suspect that somewhere there's a web form asking users to enter their user/password and it's getting encoded that way. One way to sleuth it out would be to see if you can identify someone by the userid specified.
Having Keyword:redacted sounds odd. It's possible Google Adsense changed the values to avoid including confidential info.
I have this site:
https://acad.unoesc.edu.br/academico/login.jsp
And I want to put info in the fields values and submit then, to get the next page and navigate in that site. Thats because I want to create an android app or something like that. Im using lua in first case, with luasocket(http).
I know that the input has its names, but I dont know how to set then and send then to the server. If someone can help me with this.
Thank you.
You can use POST method with luasocket. See the official documentation and a detailed example in this SO answer.
Since you seem to be doing authentication, you'll probably need to save the cookie value returned to you as part of the login response and then pass that cookie back to the server (otherwise your subsequent requests will fail as the server will reject those requests as non-authenticated).
Since you are sending this over https, you'll need to use LuaSec, which provides ssl.https module as replacement for the http module that luasocket provides. You may check my blog post for some example of how this can be done.
is it possible to submit forms with yahoo pipes?
i basically need to log in somewhere, and get some stuff from the members area of a website into a feed.
Although this is not exactly programming related... I guess it is close enough.
No, logging into somewhere is impossible with Yahoo Pipes. Sending the username/password isn't even the only problem here.
The real problem is that most, if not all, web sites that require a log-in depend on a session cookie or something similar. Yahoo pipes can do a GET request, and that's about it. Even if it was possible to send your user name/password in the URL, you would not be able to use the session cookie, so subsequent requests would fail.
So... If you have access to a hosted web site somewhere: Write a small proxy script (in PHP or whatever is available) that does the login and fetches the data. Let Yahoo pipes read from your proxy page. But if you are that far, you can just as well produce RSS format right away. ;-)
I did a pipe that can log in and extract info. is working ok on a simple web form using POST.