Redirecting an iOS MDM native agent - ios

I’ve observed a strange but consistent behavior of the iOS MDM native agent.
When we redirected it to another URL by responding with an HTTP 301, 302 or 307, the agent has changed its HTTP PUT verb to GET while dropping the HTTP request body completely.
For example, this was the device’s first HTTP request to [URL-1]:
PUT [URL-1] HTTP/1.1
Host: [HOST]
User-Agent: MDM/1.0
Content-Length: 306
Accept: */*
Content-Type: application/x-apple-aspen-mdm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Status</key>
<string>Idle</string>
<key>UDID</key>
<string>86ff0b7c0129f1c1ed4ff36984c1a2a3e5e06c81</string>
</dict>
</plist>
We have responded with HTTP 301 and redirected it to [URL-2]:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: [URL-2]
X-Powered-By: ASP.NET
Date: Tue, 10 Jul 2012 10:48:31 GMT
Content-Length: 182
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found here</body>
The device has accessed [URL-2] with this HTTP request (changed the HTTP verb to GET and dropped the HTTP body completely):
GET [URL-2] HTTP/1.1
Host: [HOST]
User-Agent: MDM/1.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
Does the MDM native agent support HTTP redirections?
If it does, what do we need to change in order for it to not drop the HTTP body and not change the HTTP PUT verb?

It supports HTTP redirections with exceptions. Use a Secure Layer for redirection instead.

Related

What is the problem with my POST batch request?

I am using the batch to send updates to the backend.
Here is my batch call (copied from the developer tool):
--batch_803d-f2f6-f119
Content-Type: multipart/mixed; boundary=changeset_1734-3336-d120
--changeset_1734-3336-d120
Content-Type: application/http
Content-Transfer-Encoding: binary
POST ZPM_PHOTO_CREATESet HTTP/1.1
X-Requested-With: XMLHttpRequest
sap-contextid-accept: header
Accept: application/json
Accept-Language: en-US
DataServiceVersion: 2.0
MaxDataServiceVersion: 2.0
x-csrf-token: vs9mX4SuO6tubA1-COum6w==
Content-Type: application/json
Content-Length: 3761
{"Reqdefectnotificationid":"000013215480","Reqphoto":"<base64 photo string>","Reqphotoname":"test_1600778272163.jpg","Documentnumber":"1"}
--changeset_1734-3336-d120
Content-Type: application/http
Content-Transfer-Encoding: binary
POST ZPM_PHOTO_CREATESet HTTP/1.1
X-Requested-With: XMLHttpRequest
sap-contextid-accept: header
Accept: application/json
Accept-Language: en-US
DataServiceVersion: 2.0
MaxDataServiceVersion: 2.0
x-csrf-token: vs9mX4SuO6tubA1-COum6w==
Content-Type: application/json
Content-Length: 3761
{"Reqdefectnotificationid":"000013215479","Reqphoto":"<base64 photo string>","Reqphotoname":"test_1600778262092.jpg","Documentnumber":"1"}
--changeset_1734-3336-d120--
--batch_803d-f2f6-f119--
And this is the response I get:
<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"><code>/IWFND/CM_BEC/026</code><message xml:lang="en">RFC Error: The current application has triggered a termination with a short dump.</message><innererror><application><component_id>PM</component_id><service_namespace>/SAP/</service_namespace><service_id>ZPM_MOBILE_REPORTING_SRV</service_id><service_version>0001</service_version></application><transactionid>5F6A4914294E4AEEE10000000AC83065</transactionid><timestamp>20200922185333.4113780</timestamp><Error_Resolution><SAP_Transaction>Run transaction /IWFND/ERROR_LOG on SAP Gateway hub system and search for entries with the timestamp above for more details</SAP_Transaction><SAP_Note>See SAP Note 1797736 for error analysis (https://service.sap.com/sap/support/notes/1797736)</SAP_Note><Batch_SAP_Note>See SAP Note 1869434 for details about working with $batch (https://service.sap.com/sap/support/notes/1869434)</Batch_SAP_Note></Error_Resolution><errordetails/></innererror></error>
Can anyone advise what might be the problem?

How to print Rack::Request as raw HTTP request?

I am interested in the standard way to print an instance of a Rack::Request class as a text HTTP request. Example below.
POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: text/xml; charset=utf-8
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://clearforest.com/">string</string>
It would be nice for debugging and sharing with users. I have a team with a non-Rails stack using my API, and raw requests will be useful.

SignalR security warning : Missing Cross-Frame Scripting Defence

A security scanning app picked up a risk against a SignalR link in my ASP.NET MVC 5 website.
the X-Frame-Options response header is missing, which may allow
Cross-Frame Scripting attacks
Can anyone tell me what this is about?
And how to solve it?
ASP.NET SignalR Input Validation Flaw Permits Cross-Site Scripting Attacks
Should not be the problem since I am using SignalR 2.1.x
The request is:
POST ***/signalr/send?transport=serverSentEvents&clientProtocol=1.4&connectionToken=bla**bla** HTTP/1.1
Host: ****
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/plain, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: myhost
Pragma: no-cache
Cache-Control: no-cache
Cookie: authentication token
Content-Length: 113
data=********
The response is:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
Expires: -1
Server: Microsoft-IIS/8.0
X-Content-Type-Options: nosniff
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Some html body
I think this warning can safely be ignored. The X-Frame-Options header is used to prevent clickjacking. SignalR responses don't have any links or any other clickable content.
However, it might be a good idea to set an X-Frame-Options header on every response to be extra safe. You can do this via IIS manager or web.config. If you are not using IIS, you can use OWIN middleware instead.

Play / Run captured HTTP traffic from file

I have a raw HTTP traffic file with the following format:
---------------------- dataset.txt ----------------------------------
GET http://localhost:8080/tienda1/index.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko)
Pragma: no-cache
Cache-control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: localhost:8080
Cookie: JSESSIONID=1F767F17239C9B670A39E9B10C3825F4
Connection: close
POST http://localhost:8080/tienda1/publico/anadir.jsp HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko)
Pragma: no-cache
Cache-control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: localhost:8080
Cookie: JSESSIONID=933185092E0B668B90676E0A2B0767AF
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 68
id=3&nombre=Vino+Rioja&precio=100&cantidad=55&B1=A%F1adir+al+carrito
...
...
Is there any utility to read this file and submit to my local web server?
You have two requests here. The first is a GET, the second is a POST.
Provided that you have the format shown above, you could write a simple program that will (in order):
1. Divide the sheet into separate HTTP requests
2. Parse the requests and divide them into variables such as: type of request (GET or POST), User-Agent and "headers" in general, request data, request submit URL
3. Create and maintain a session with the specific server (cookies etc.)
4. Iterate through the loop and submit the data
It would be perfect to solve the problem in python-requests. Parsing may be done with the Python basic library.
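The steps listed in the answer above, as an added example that is not part of the original answer. It uses only the Python standard library (urllib rather than python-requests), assumes the capture is read as Latin-1 text, and always sends to a fixed local base URL instead of the host recorded in the file; the names parse_capture, build_request and replay are hypothetical.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit
# Constructed sample in the capture's layout, shortened from the dataset shown above.
SAMPLE = """\
GET http://localhost:8080/tienda1/index.jsp HTTP/1.1
Cookie: JSESSIONID=1F767F17239C9B670A39E9B10C3825F4
POST http://localhost:8080/tienda1/publico/anadir.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
id=3&nombre=Vino+Rioja&precio=100&cantidad=55&B1=A%F1adir+al+carrito
"""
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/\d\.\d$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
SKIP = {"host", "content-length", "connection", "accept-encoding"}  # set by the client

def parse_capture(text):
    """Split a capture into requests; headers end at the first non-header line,
    and the body is cut to the declared Content-Length."""
    reqs, cur = [], None
    for line in text.splitlines():
        start = REQUEST_LINE.match(line)
        if start:
            reqs.append(cur := {"method": start[1], "url": start[2], "headers": {}, "body": []})
        elif cur is not None and line.strip():  # skip preamble and blank separator lines
            if not cur["body"] and (header := HEADER_LINE.match(line)):
                cur["headers"][header[1].lower()] = header[2]
            else:
                cur["body"].append(line)
    for r in reqs:
        declared = r["headers"].get("content-length", "0")
        r["body"] = "\n".join(r["body"])[: int(declared) if declared.isdigit() else 0]
    return reqs

def build_request(req, base="http://localhost:8080"):
    """Rebuild a parsed request against `base`; the host recorded in the file is ignored."""
    parts = urlsplit(req["url"])
    # Force a leading "/" so a crafted target cannot turn `base` into userinfo.
    url = base.rstrip("/") + "/" + parts.path.lstrip("/") + ("?" + parts.query if parts.query else "")
    headers = {k: v for k, v in req["headers"].items() if k not in SKIP}
    data = req["body"].encode("latin-1") or None
    return urllib.request.Request(url, data=data, headers=headers, method=req["method"])

def replay(text, base="http://localhost:8080"):
    """Send each request in order (recorded cookies included) and yield the status codes."""
    for req in parse_capture(text):
        try:
            with urllib.request.urlopen(build_request(req, base), timeout=5) as resp:
                yield resp.status
        except urllib.error.HTTPError as err:
            yield err.code
```

To run it against the local server, read the file with `encoding="latin-1"` and iterate over `replay(text)`.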

D2L Dropbox - Posting issue

I'm getting an error trying to post a file to the dropbox in D2L. I'm using HttpRequest in PHP. The Org ID and Folder ID are both valid - I am retrieving the folder ID from the API (using the OrgID).
Here is the HttpRequest output:
POST /d2l/api/le/1.1/61381/dropbox/folders/677320/submissions/mysubmissions/?x_a=d0RNh1RjRGSMJu-dyj_wmw&x_b=_098IyP4bzkow_G-7Ke4Dv&x_c=3_L5VOX5RarK7mztTyX67sL_TyceBOK5r18GnRu9VbE&x_d=jVPR_DXuVf1JIl-YLe3Ad_OM2Ph8xG8UiMYriJVRc2w&x_t=1350769323 HTTP/1.1
User-Agent: PECL::HTTP/1.6.1-dev (PHP/5.2.6)
Host: <hostname>
Accept: */*
Content-Type: multipart/mixed; boundary=65ace1fa6e1f
Content-Length: 251
--65ace1fa6e1f
Content-type: application/json
{"Text":"test","HTML":null}
--65ace1fa6e1f
Content-Disposition: form-data; name=""; filename="file.txt"
Content-Type: application/octet-stream
eyAiVGVztCI6IlRsaXMgfXMgdGVzdYBkYXRhLiIgfQ==
--65ace1fa6e1f--
And the response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 131
Content-Type: text/html; charset=utf-8
Location: /d2l/error/404
Server: Microsoft-IIS/6.0
X-XSS-Protection: 0
X-Powered-By: ASP.NET
Date: Sat, 20 Oct 2012 21:42:26 GMT
It appears to be a 404 (No such dropbox folder, or no such org unit), but I know both values to be valid.
I've logged into D2L and the OrgID and DropboxID are both correct in the URL when I'm editing the dropbox settings. The user in question has permission to access the dropbox, and can do so in D2L.
Any help would be appreciated!
