I am trying to make use of functional url in case of mono lambda function, I have created a functional url with no security.
URL was created successfully, but Not able to hit that url using postman. So I use chrome web browser to hit my url(Get request). But the problem was whenever I hit the url, My function gets executed twice.
If anyone have faced same issue, Please assist.
There are two possibilities I can think off-
Chrome/browser sending another request for favicon.png
If you have configuration on server side that enforce HTTP to HTTPS conversion of the request, like re-direct to enforce SSL connection. In that case as well, browser send one request HTTP and redirect request to HTTPS. e.g when you hit- http://example.org, if it enforce the https, then again browser send another request to https://example.org.
You need to check possibilities here using network trouble shooting. Hope this will help you!
Related
Infra of system
Expected:
I want to block requests, which is not from Server FE (domain.com)
Ex: Users make request from another apps such as Postman -> it will response 403, message access denied.
I used the rules of ALB, it works but users can cheat on Postman
Also I use AWS WAF to detect request. But it's not work.
Is there any way to block request from Postman or another apps?
We can generate secret_key and check between Server FE and Server BE. But users can see it on Headers and simulator the headers on Postman and call API success.
Current Solution:
I use Rule of Application Load Balancer to check Host and Origin. But users can add these params on Postman and request success.
Rule ALB
When I add Origin matching value (set on ALB) -> We can request successful
Postman success
Postman denied
Users can cheat and call API success.
Thanks for reading. Please help me give any solution for this one. Thanks a lot.
No. HTTP servers have no way to know what client is being used to make any HTTP request. Any HTTP client (Browsers, PostMan, curl, whatever) is capable of making exactly the same requests as each other.
The user-agent header is a superficial way to do this, but it's easy enough for PostMan or any other HTTP client to spoof the user-agent header to one that makes the request look like it is coming from a web browser agent.
You can only make it more challenging to do so. Some examples to thwart this behavior includes using tools like Google captcha or CloudFlare browser integrity check, but they're not bulletproof and ultimately aren't 100% effective at stopping people from using tools/automation to access your site in unintended ways. At the end of the day, you're limited to what can be done with HTTP, and PostMan can do everything at the HTTP layer.
So I found an old http page of a shopping website that doesn't have any filtering occurring. Using a proxy, I can inject whatever I want into the page, and it reflects in the application's response. If I load the same request in a browser, I get redirected to their HTTPS site. Is there any possibility of having XSS occur before the redirect happens? Or is the Javascript after the server side redirect, therefore is the reason why my payload isn't executing? I'm using a simple alert(1) which is reflected in the response on the http site, but not on the https page.
it depends on the sort or redirection, When the server redirects you, the Browser wont execute javascript code.
If its a Client side redirection with javascript your code should be executed.
I am using Spring Boot and While I am able to set the cookie on the server, it is available in the response on the browser, however it is not submitted in the further request, and reason seems to be a sub-domain issue. I will detail it with exact issue and content
Requesting Page: http://stgapi.py.com
it makes a API call -> http://secure.stgapi.py.com
Cookies is set with
Domain-> .py.com Also tried with .stgapi.py.com
path-> /
This is visible in the browser, however in the subsequent call to
http://secure.stgapi.py.com the cookies are not submitted
and hence re-login is requested and enters an infinite loop of login and failure.
Any help is much appreciated, entire web says this is how it works, not able to make it work.
After much brainstorming, figured out that we need to set
("Access-Control-Allow-Credentials", "true")
And client(User-Agent) should also send withCredrentials:true
Further ("Access-Control-Allow-Origin") should not be set to "*" and only one value(origin) is supported.
Reason: Being the above example is considered to be CORS request and not the way it looks at the very first place.
I want to know when I'm using IE8 open a website (like www.yahoo.com), which API will be called by IE8? so I can hook these API to capture which website that IE8 opening currently.
When you enter a URL into the browser, the browser (usually) makes an HTTP request to the server identified by the URL. To make the request, the IP address of the server is required, which is obtained by a DNS lookup of the host (domain) name.
Once the response -- usually containing HTML markup -- is received, the browser renders it to display the webpage.
More details available here: what happens when you type in a URL in browser
So, in the general case, no "API" request as such is made. (Technically speaking, you can think of the original HTTP request to the server as an API request). The sort of "API" request you presumably mean, however, is not made in this general case just described. Those requests happens when the JavaScript executing on the page makes an Ajax HTTP request (XmlHttpRequest) to the web server to carry out some operation.
I am not sure about IE8, but the "developer tools" feature of most modern browsers (including IE9 and IE10), would let you see the Ajax HTTP requests that the webpage made as it carried out different operations.
Hope this helps.
IE uses Microsoft's WinSock library API to interact with web servers.
You may want to look for a network monitoring/sniffing API, which you could use to examine HTTP requests, and determine the URLs the browser is using.
I made an application using Qt/C++ that reads some values every 5-7 seconds and sends them to a website.
My approach is very simple. I am just reading the values i want to send and then i make an HTTP POST to the website. I also send the username and password to the website.
The problem is that i cannot find out if the request is successful. I mean that if i send the request and server gets it, i will get an HTTP:200 always. For example if the password is not correct, there is no way to know it. It is the way HTTP works.
Now i think i will need some kind of a protocol to take care the communication between the application and the website.
The question is what protocol to use?
If the action performed completes before the response header is sent you have the option of adding a custom status to it. If your website is built on PHP you can call header() to add the custom status of the operation.
header('XAppRequest-Status: complete');
if you can modify the server side script you could do the following
on one end :
You can make the HTTP post request via ajax
and evaluate the result of the ajax request.
On the serve side
On the HTTP request you do your process and if everything goes accordingly you can send data back to the ajax script that called it.
solves your problem .. ?