Am trying to send a SOAP SONAR request using GreenHat Tester, but end up with the error below:
<faultstring>WSDoAllReceiver: Incoming message does not contain required Security header</faultstring>
but the same request gives the correct and expected results in SOAP UI.
Can anyone please help me add WS-Security Headers in GreenHat Tester?
You need to open the request message and right-click on the text (String) etc... node. Choose Properties and then WS-Security. Enable it and then add the fields you need to add.
You can see how the entire message will look (raw XML) by hitting the Preview button in the WS-Security tab.
Related
I want to change the text present on the swagger authorization UI screen.
I want to change the Authorized label to Stored.
Please find the below screenshot from swagger UI authorization screen
The reason I want to change it as it is miss leading. If the user passes an invalid credential still it is showing as authorized.
Actual validation of Username and password is happening once we execute the request.
I am also good if anyone has an answer to validate the credentials once we hit the Authorize button as shown below.
Note: I am using Spring-boot, Spring security, and springdoc
Any thought or ideas will be appreciated
Thank you !!
sprindoc-openapi project relies on swagger-ui configuration properties and there is no such configuration property in this project:
https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/
You can ask the swagger-ui team, to this kind of configuration property.
If you don't want depend on their tasks priority, you can simply rebbuild the swagger-ui webjars that are available here or use the exploded mode of the webjars, where you can modify the static resources:
https://github.com/swagger-api/swagger-ui
In my ASP.NET MVC application, I want to resolve the HTTP Request Smuggling Vulnerability issue.
I thought it would be sufficient if I blocked the requests which have a Transfer-Encoding: chunked header. In the IIS administration menu, I added a new Request Filtering rule for this. However that does not seem to fix it.
I wrote little .NET code to test if IIS generates a 404 error when chunked content is sent. When I add the transfer encoding header 1 time to my test client code as below, I do NOT receive 404—I receive 200.
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
Interestingly, if I add the header 2 times (I mean duplicate it) like
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
The filtering rule applies, and I receive 404 as I expected.
How can I fix it?
A few months later, Microsoft added a patch wherein you can disable request smuggling with a registry key.
Click Start, click Run, type Regedit in the Open box, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Set DWORD type value DisableRequestSmuggling to one of the following:
Set to 0 to disable the filter
Set to 1 to enable the filter
Exit Registry Editor.
Restart the computer.
I'm creating a load test with JMeter. I'm trying to make a Post request to create a new resource but it always responds with 500 error, even though I'm sending the same headers and parameters as the browser and I also tried with postman and it works fine, it's just with JMeter that's not working.
The script was recorded with the BlazeMeter Chrome extension and adjusted as needed.
The next configurations are for the Test Plan in general:
HTTP Header Manager with the header "User-Agent".
User Defined Variables with only one variable "BASE_URL_1".
HTTP Request Defaults with the "Retrieve All Embedded Resources" and "Parallel downloads" selected and "Number" set to 6.
DNS Cache Manager with "Clear cache each iteration" selected and "Use system DNS resolver".
HTTP Authorization Manager with nothing selected.
HTTP Cookie Manager with "Clear cookies each iteration?" selected.
HTTP Cache Manager with "Clear cache each iteration?" selected and "Max Number of elements in cache" set to 5000.
I set the "CookieManager.save.cookies" option to "true" in "jmeter.properties".
Here's an image of what the "HTTP Request" looks like:
Inside the "HTTP Request" there's a "HTTP Header Manager" with the next headers:
Inside the "HTTP Request" there's also a "Uniform Random Timer" with "Random Delay Maximum" set to 26344.0 and "Constant Delay Offset" set to 13172.
The cookies seemed to be sent fine with the session data. I do log in a user and get the session data before attempting to do the post request and other get requests work fine under the same session. I teste this same headers with Postman and it worked. I have no idea why this is not working in JMeter. I tried doing several changes to the configuration without success. This is a .NET service.
The API is not built the best way, but what makes me think that this 500 error might be from JMeter and not the API is that I was able to successfully make the request from postman.
Anyone has an idea of what could be wrong on the test config?
EDIT
Here are some images from the View Results Tree:
Sampler Result
Request Body
Request Headers
Response Headers
The Response Body is HTML saying that there's an error.
Given your request works in Postman you should be able to record it using JMeter's HTTP(S) Test Script Recorder.
Prepare JMeter for recording, the fastest and the easiest way is using JMeter Templates feature
From JMeter's main menu choose File -> Template -> Recording and click "Create"
Open HTTP(S) Test Script Recorder and click "Start"
Prepare Postman for recording.
From Postman main menu choose File -> Settings -> Proxy
Use 127.0.0.1 as the proxy host and 8888 as the proxy port
Run your request in Postman
JMeter will capture the request under the Recording Controller
Parameterize and correlate the request
It should be working fine. If not - compare the requests which are being sent by Postman and JMeter using a 3rd-party sniffer tool like Wireshark of Fiddler, detect and eliminate any inconsistencies.
User will type www.abc.com/Email/abc#abc.com
above code not work, It generates the error,
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Most likely causes:
The directory or file specified does not exist on the Web server.
The URL contains a typographical error.
A custom filter or module, such as URLScan, restricts access to the file.
Things you can try:
Create the content on the Web server.
Review the browser URL.
Check the failed request tracing log and see which module is calling SetStatus. For more information, click here.
Please read more here http://perishablepress.com/stop-using-unsafe-characters-in-urls/http://perishablepress.com/stop-using-unsafe-characters-in-urls/.
You should encode # to '%40' and decode it back to # in your MVC action.
To decode you can use encodeURIComponent
http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_encodeuricomponent
you can use UrlDecode on backed http://msdn.microsoft.com/en-us/library/6196h3wt.aspx
I am trying to create a chrome extension that calls my rails app's api. currently the api returns json and it works fine, however when I try to build it into a chrome extension, it says :
Refused to load script from 'http://mysite.com/demo?q=hello?callback=jQuery16409466155741829425_1342489669670&_=1342489677171' because of Content-Security-Policy.
I looked up the document http://code.google.com/chrome/extensions/contentSecurityPolicy.html and it sounds like I can't do this unless I implement my site into a https version. (under "Relaxing the default policy" section) I am not sure if I understood correctly and it feels ridiculous to make such a big change just because of this. Am I misunderstood? Or is there a workaround to this? Thank you.
In a Chrome extension, cross-site XMLHttpRequests are allowed, provided that you define the source in the manifest file - see http://code.google.com/chrome/extensions/xhr.html.
A JSONP implementation loads an external script using the <script> tag, and inserts it in the document. Unless the source is whitelisted through the "content_security_policy" entry, JSONP cannot be used when manifest version 2 is active (do not use manifest v1 to overcome this, because it's deprecated, and a suitable alternative already exist).
When you're unable to receive a JSON response instead of JSONP, use an ordinary request to fetch the data, cut off the callback, then parse it. Eg:
// response is the response from the server
// Received through `XMLHttpRequest`, jQuery.ajax, or whatever you used
// cuts of jQuery....( and the trailing )
response = response.replace(/^[^(]*\(/, '').replace(/\);?$/, '');
By default browsers do not allow this because of the same origin policy.
However you can get around this by making a jsonp request.
As you using jquery this super easy with getJSON method