I'm new to burp suite and I'm getting lot of errors with it, one of the errors are this. When I'm trying to access web pages (ex:- google.com, hackerone etc.) it just never load in the web page( Intercept is off) and I'm using chrome. Please help me with this matter.
OS : Windows
Proxy : FoxyProxy(127.0.0.1 : 8080)
note : intercept is off when I'm browsing
Well I can't understand your problem but here are some points to keep in note while using Burpsuite.
Make sure CA Certificate is properly installed in browser
Add your target host to scope. For example if you are testing on xyz.com then add this host to scope so even if intercept in ON other host's requests will be ignored by interceptor.
Slow loading is might be your internet issue
Make sure your 8080 port is not blocked by any other service.
Try changing your browser incase of getting errors
Burpsuite will not work while having VPN or other proxy is ON
Related
I'm using a Microsoft add-in for Powerpoint called 'Web Viewer' (it's just an iframe, you insert a URL, it displays it in the slide).
I inserted a webpage that uses Socket.IO, and I'm seeing it is not able to connect to the server (even the long polling it's falling back on is not working).
Clearly this is not an issue with the add-in: Any ideas what is going on here?
I tested on Mac 10.13.4 (latest) / Powerpoint (16.12, Office 365 Home) (latest).
The same webpage works in an iframe in the latest Chrome, Firefox, Safari, IE11, so I'm thinking something wonky is going on with the embedded (Webkit) browser that Powerpoint is using on Mac.
The general request flow is:
Browser -> AWS ALB (with stickiness enabled) -> Nginx -> Node
UPDATE
Looked into this further, and having tested other pages that use Socket.IO, I think the only difference in their setups and here is the ALB.
Even with stickiness enabled, the load balancer is clearly seen (in the logs) passing traffic between all EC2s. This leads me to believe the cookie they use is either not being set or not being passed with the requests.
First of all, based on this github issue it should be possible to open a websocket.
There might be a problem with using the unsecure ws://. I know that officejs rejects all requests to http:// and forces you to use https:// with a secure certificate. So they might do the same with WebSockets and force you to use wss:// with a valid certificate.
You can test this more easily in Power Point Online with Chrome. The addin is the same but you get much better error logging in the Devtools Console (hit F12). If it's asecurity issue there should be an error message indicating it.
I had the same issue and S.Freederle is correct. Now I'm able to use socket.io via ngrok to create a secure tunnel (HttpS) to connect to my server and emit the data to my client side in office add-in.
I've been trying to figure this out for a while now and nothing I've found has really been helping.
I've got a remote Linux server running with Apache installed, and right now everything going to the server is redirected to HTTPS through Apache. This all works fine and I can access the files I need to normally, but now I'd like to also add in a Django site to my server under a new "subdomain". (For example I'd like to still be able to access non-Django files as usual 'https://www.thesite.com/path/to/file.php' and also be able to access the Django site like 'https://www.thesite.com/djangosite/some/site/page')
Could someone please give me some direction as to how I'd be able to do this? I can supply more information if it's needed.
Thanks in advance!
Edit 1: The Django server seems to dislike connecting via HTTPS and I'm getting an error that it can only support HTTP, but I need it because I want the site to be secure, and currently Apache is redirecting all HTTP requests to HTTPS, so do I need some other method of making it work?
https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
Check out SNI and also potentially wild card certificates
This is my first time using IIS and it has become a big headache. The objective is to run a web application trough an IIS on a windows 2012 server. The application is hosted on tomcat 8.5.
The application runs perfectly on 'localhost:8000/application', but then an issue occur when trying to do the URL rewrite to 'application.domain.com'.
The URL correctly accesses the needed javascript files and styles the page correctly, but error code 500() is returned on a call to 'application.domain.com/subdirectory'. Unfortunately error 500 just implies some server error has occurred. The subdirectory is used to get data to the application and contain HTTP GET and HTTP POST methods.
My current implementation of the IIS:
I crated a new site 'application'. This site has an inbound and an outbound URL Rewrite reverse proxy rule.
I am suspecting that there could be issues with the RegEx pattern, but i am not sure.
I am aware that there are some implications routing tomcat trough IIS and i have attempted to solve that with Application Request Routing(ARR), but without luck. I set up the ARR with a tomcat server farm according to this guide but ended up with error 502.2 - "Bad Gateway" instead.
This is the first time i have to mess with these things, so it's likely I got it all wrong and there is a much simpler solution. Thanks in advance.
I am building a Facebook app using Django. So, for development, I connected the app to localhost. My app is loading on canvas and working fine but the Facebook debugger is unable to test it correctly when I give localhost address as input.
These are the requests I tried in debugger
http://localhost
https://localhost/
http://127.0.0.1/
localhost
etc
Almost for all possible combinations.. It showed me
Error Parsing URL: Error parsing input URL, no data was scraped.
When I deployed the same code on heroku and tried.. It was working!
So,
Can't I debug the project on localhost? What's the point in working on it then??
If I can work, how should I fix it?
Can't I debug the project on localhost? What's the point in working on it then??
You can debug your code etc. on localhost – but of course you can’t have Facebook’s debug tool reach a site on your localhost, because Facebook (and everyone else on the web) does have no idea what machine your localhost actually is. (Absolute bascis, dude!)
If I can work, how should I fix it?
You have to make your web server accessible from the “outside”, over the internet.
Set up your test server so that it accepts requests from outside IPs, and get a DynDNS address (basically something that can be resolved by third parties like Facebook over the DNS).
You can access Facebook apps locally but you need to fake the domain of your local computer. You can do this by adding
127.0.0.1 mysite.test.example.com
to /etc/hosts. You should update mysite.test.example.com to your domain. Your Facebook app needs to be configured for that domain. You can then use the Facebook app locally and debug your project.
The alternative is to setup up a web server and use its domain for testing purposes (but this is not ideal because you'll need to commit and build the code before you can see your changes).
I have a web service running under IIS7 on a server with a host header set so that it receives requests made to http://myserver1.mydomain.com.
I've set Windows INtegrated Authentication to Enabled and everything else (basic, anonymous, etc) to Disabled.
I'm testing the web service using a powershell script, and it works fine when I run it from my workstation against http://myserver1.mydomain.com
However, when I run the same exact script on the IIS server itself, I get a 401-Unauthorized message.
In addition, I've tried installing the web service on a second server, myserver2.mydomain.com. Again I can call my test script fine from BOTH my workstation and from myserver1.
So it seems the only issue is when the client is on the same box as the web server itself - somehow the windows credentials are not being passed or recognized.
I tried playing with IE settings on myserver1 (checked and unchecked 'Enable Windows Integrated Authentication', and added the URL to Local Sites). That did not seem to have an effect.
When I look at the IIS logs, I see the 401 unauthorized line but very little other information.
I see basically the same behavior when testing with IE (v9) - works from my workstation but not when IE is running on the IIS server.
I found the answer after several hours:
By default, there is something called a LoopbackCheck which will reject windows authentication if the host header used for the site does not match the local host's name. This behavior will only be seen when the client is on the local host. The check is there to defeat possible reflection attacks.
More details here:
http://support.microsoft.com/kb/896861
The kb item discusses ways to disable the Loopback check, but I ended up just switching from using host headers to ports to distinguish the different sites on the IIS server.
Thanks to those who gave assistance.
Try checking the actual credential that is being passed when you are running on the server itself. Often times you will be running on some system account that doesn't have access to the resource in question.
For example, on your box your credentials are running as...
MYDOMAIN\MYNAME
and the server will be something like...
SYSTEM\SYSTEM_ACCOUNT
and so this will fail because 'SYSTEM\SYSTEM_ACCOUNT' doesn't have credentials.
If this is the case, you can fix the problem in one of two ways.
Give 'SYSTEM\SYSTEM_ACCOUNT' access to the resource in question. Most people would avoid this strategy due to security concerns (which is why the account has no access in the first place).
Impersonate, or change the credentials of the client manually to something that does have access to the resource, 'MYDOMAIN\MYNAME' for example. This is what most people would probably go with, including myself.