I have a website using angular.js and my backend is using asp.net web api. When a new user register a e-mail is send with an activation link and a token inside it like this :
localhost:51426/#/activation?userid=test&code=FCuuf27NzVvmwp2Ksd7IDt83C2XZmZ2paCrZPBLgr9qR8xCaXELvqKCsWlg4uiokb07XK5sQ+2BazHN1+2B74q14grkQY2OHDAVeWlin5GE8ugkyw+2BJFFzd3Q2YiVuMxkmkO6OFdhIyfzUQMV8NPipME+2FST1pa0OuQs90kRUNR5kTkPlGQYKflDOMQvDGV84fZIw
When the user click the link I have an angular controller that basically just take the parameter and call the good method inside the web.api like this :
return $http.post(baseUrl + 'api/v1/account/confirmAccount?userId=' + userId + '&code=' + code);
The problem it seems all the + are replace by space in the server side so when I try to validate the token in my web api it doesn't work.
Not sure to understand why the + it's replace by space and how to avoid this.
Thanks
The problem is that in query strings + characters are replaced by spaces:
URL Encoding:
The HTML specifies the following transformation:
SPACE is encoded as '+' or "%20" [9]
What you could do is replace the space characters with + on the server:
string newCode=code.Replace(' ','+')
One option might be to build the string first and eliminate the + altogether.
Related
I'm currently developing a script where users can access a page and scrape data from it.
Problem is, it has an HTTP Basic Authentication.
At first I was using the http://user:password#site.com and it works. But when the password contains special characters besides the Base64, it doesn't login.
I am using phantomjs and watir-webdriver for this script.
I already tried this code:
caps = { 'phantomjs.page.settings.userName' => 'admin', 'phantomjs.page.settings.password' => 'password' }
browser = Watir::Browser.new :phantomjs, :desired_capabilites => caps
sometimes it works, sometimes not.
I also tried the custom headers:
caps = {'phantomjs.page.customHeaders.Authorization'=> "Basic " + Base64.encode64(admin+ ":" + password).chomp}
but it doesn't work.
I also tried this solution from another link:
popup = RAutomation::Window.new(:title => /Authentication/i)
popup.text_field(:index => 0).set('XXXXXX') # USER ID
popup.text_field(:index => 1).set('YYYYYYYYY') # PASSWORD
popup.button(:index => 1).click
but it doesn't see the dialog box.
What are the other possible solutions for this? I cannot ask users to change their passwords for them to login.
this is my native url:
127.0.0.1//myweb/home.php?u=daniel
now when I include this type of xss:
127.0.0.1//myweb/home.php/"><script>alert('hacked')</script>?u=daniel
it now appears to be hacked, how can I avoid this type XSS attack ?
ADDED
Here is the other codes: (I do not add the fetching the users the data)
require_once 'core/init.php';
$currentUser = new User();
$report = null;
if(!$currentUser->isLoggedIn()) {
Redirect::to('index.php');
}
You can always use php to filter away all the unnecessary part of the url.
This is your web site so you know what character is useless in your web site.
For example, I know that in my web site, the double quotes/" character is useless in my web site.
So, I can straight away filter out any part with double quotes/" character.
You can get your current url from the following code.
$url = $_SERVER['REQUEST_URI']
Then, you just ignore anything after double quotes character by using explode.
$safe_url = explode("\"", $url);
So, you will just use $safe_url[0] as your url.
Below I have this code:
string _strTemplate = _strDownloadTemplate + IDReq + "/" + _strFileName;
Uri url = new Uri(_strTemplate);
As you can see, I'm converting the strTemplate (which carries the link of a page that I need to sent by email for the user) to a URL Format. My email body has several fields that I'm replacing with the correct value:
strMailMessage = strMailMessage.Replace("_LinkTemplate", url);
I'm getting an error because the method string.Replace takes strings as parameters only.
Is there a way to get around this?
I was thinking about pass the URL value through my page (page.aspx) but if there's a way to do so through this method, it would be better for me.
Thanks!
Assuming this is C# and .NET, yes, String.Replace() works with strings.
Did you try:
strMailMessage = strMailMessage.Replace("_LinkTemplate", url.ToString());
I have successfully setup the oauth authentication to access my dropbox using sharpbox. Sharpbox is an open source "front end" that handles the nuts and bolts of the process. Using it i can return file info in a particular folder in my account.
I bind the filename and a generated URI to a gridview in a VS 2010 web app. I have a hyperlink with the text set to name and the DataNavigateUrlFields to the unique URL. It works great IF there is no "+" character in the oauth_signature part of the url string. If the plus is there, it returns "{"error": "Invalid signature. Expected signature base string:"
Thanks for your consideration.
Thank you for your help, here is my code
Public Sub MakeURL()
dbOpen()
Dim myfolder As ICloudDirectoryEntry = dropBoxStorage.GetFolder("/DIR/SUBDIR/")
Filename = Filename & "_POID_" & poid & ".pdf"
pdfurl = dropBoxStorage.GetFileSystemObjectUrl(Filename, myfolder).ToString
dbClose()
pdfurl = pdfurl.Replace("+", "%2B")
Response.Redirect(pdfurl)
End Sub
OAuth 1 Signature uses Percent Encoding (See RFC 5849). The specification clearly states that a space should not be encoded to a +, instead it should be encoded with %20. Replace your + with %20.
I have a need to store files on Amazon AWS S3, but in order to isolate the user from the AWS authentication I want to go via an ASP page on my site, which the user will be logged into. So:
The application sends the file using the Delphi Indy library TidHTTP.Put (FileStream) routine to the ASP page, along with some authentication stuff (mine, not AWS) on the querystring.
The ASP page checks the auth details and then if OK stores the file on S3 using my Amazon account.
Problem I have is: how do I access the data coming in from the Indy PUT using JScript in the ASP page and pass it on to S3. I'm OK with AWS signing, etc, it's just the nuts and bolts of connecting the two bits (the incoming request and the outgoing AWS request) ...
TIA
R
A HTTP PUT will store the file at the given location in the HTTP header - it "requests that the enclosed entity be stored under the supplied Request-URI".
The disadvantage with the PUT method is that if you are on a shared hosting environment it may not be available to you.
So if the web server supports PUT, the file should be available at the given location in the the (virtual) file system. The PUT request will be handled by the server and not ASP:
In the case of PUT, the web server
handles the request itself: there is
no room for a CGI or ASP application
to step in.
The only way for your application to
capture a PUT is to operate on the
low-level, ISAPI filter level
http://www.15seconds.com/issue/981120.htm
Are you sure you need PUT and can not use a POST, which will send the file to a URL where your ASP script can read it from the request stream?
OK, Ive got a bit further with this. Code at the ASP end is:
var PostedDataSize = Request.TotalBytes ;
var PostedData = Request.BinaryRead (PostedDataSize) ;
var PostedDataStream = Server.CreateObject ("ADODB.Stream") ;
PostedDataStream.Open ;
PostedDataStream.Type = 1 ; // binary
PostedDataStream.Write (PostedData) ;
Response.Write ("PostedDataStream.Size = " + PostedDataStream.Size + "<br>") ;
var XML = AmazonAWSPUTRequest (BucketName, AWSDestinationFileID, PostedDataStream) ;
.....
function AmazonAWSPUTRequest (Bucket, Filename, InputStream)
{
....
XMLHttp.open ("PUT", URL + FRequest, false) ;
XMLHttp.setRequestHeader (....
XMLHttp.setRequestHeader (....
...
Response.Write ("InputStream.Size = " + InputStream.Size + "<br>") ;
XMLHttp.send (InputStream) ;
So I use BinaryRead, write it to a binary stream. If I write out the size of the stream I get the size of the file I POST'ed from my application, so I reckon the data is in there somewhere. I then call a routine (with the stream as a parameter) which sets up the AWS authentication/signing and does a PUT.
The AWS call returns no errors and a file of the correct name is created in the right place, but it has a size of zero! InputStream.Size has a value the same as the stream parameter passed to the routine - i.e. the size of the original file.
Any ideas?
POSTSCRIPT. Found the problem. It's caught me a few times with streams, this one. When you write data to a stream, don't forget to reset the stream position back to zero before trying to read from the stream again. I.e. just before the line:
XMLHttp.send (InputStream) ;
I needed to add:
InputStream.Position = 0 ;
My thanks for the interest and suggestions.