in the requirements for using the Gmail REST APIs: https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specific-api-scopes
There is the statement:
Do not mislead Google about an application's operating environment. You must accurately represent the environment in which the authentication page appears. For example, don't claim to be an Android application in the user agent header if your application is running on iOS, or represent that your application's authentication page is rendered in a desktop browser if instead the authentication page is rendered in an embedded web view.
We have an Electron version of our app, that is only wrapping the web version URL in a desktop app. So we are using the OAuth flow for Web Server applications for both the web app and the desktop app. Can this be considered a valuation of the User Data Policy?
The key is agent header. This corresponds with the HTTP header User-Agent.
What Google is asking is that you use a User-Agent string that matches the platform that you are running on (android, iOS, Windows 10, ...). This link will give you more information about User-Agent.
You can test what strings are included by your browser using this site. This should give you a better understanding. For example on my Windows 10 desktop using Chrome:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
This link is the RFC7231 standard.
If your software is running in the browser, you don't need to do anything except don't override the User-Agent value. If you are writing your own custom software, then do some research and specify a User-Agent string that identifies the platform and append your software / company name.
Electron publishes a list of its User-Agent strings. My initial recommendation is just leave the User-Agent header alone and let Electron manage this for you.
This StackOverflow answer shows how to set the Electron User-Agent header if you choose to do so.
Related
I've set my django 1.8 app to warn me when some user gets 404 or any crash.
Then I started constantly getting emails from my server pointing to requests like this one:
Referrer: <my_ip>:80/web-console/ServerInfo.jsp
Requested URL: /web-console/ServerInfo.jsp
User agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
IP address: 127.0.0.1
And this one:
Referrer: <my_ip>:80/invoker/JMXInvokerServlet
Requested URL: /invoker/JMXInvokerServlet
User agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
IP address: 127.0.0.1
It's a huge number of different url's. It seems a server is shooting tons of requests to several servers trying to discover some entrypoint to attack. Right?
My question is: should I do something? Assuming I don't even use the technologies this requests are looking for? Can this cause me any damage?
A few days ago security researchers has disclosed a very critical vulnerability on Java Serialization methods (Details : http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/) .Right after that publication, I've seen some exploitation attempts in the wild that try to exploit exactly same vulnerability . I'm telling this story because your log shows exactly same exploitation attempts. As long as you DON'T support Jboss or other Java technologies on your server, you will be secure against these kind of attacks.
I have a C++ (QT5) application and now I wanted to connect to TFS and get the projects and few other details of the project. The main intention is to pull out the Test Cases from MTM.
So many examples using their API with C# and easily solving this problem. However I am having no such luck with C++. I am not sure how to proceed, should I write my own web service using the SDK and then use it or does TFS provide SOAP support.
I thought it did and hence fired fiddler to get to it, but never saw an auth method anywhere. All the requests I saw was GET. And there was a NTLM authorization as shown below.
GET http://localhost:8080/tfs HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAvAjAAAADw==
Any suggestions I can have or tips I would be grateful. I wish there was some documentation or samples/examples using C++.
If it has SOAP functions (WSDL) I could use KdSoap and use it with my application.
Thanks.
There is no way to bypass the API.
While you can connect to the web services for TFS directly there is no support for this method. Your code can break with any update to TFS. I would recommend that you create a web service with c# and then call that from your code. I would expect that the rest api's will become available on premises at some point.
Another option, although I am dubious of the support would be to create a hybrid DLL, C++ Managed, that can call the C# API's. You can then call the hybrid code from the native code. This is one extra level of wrapper and is really designed to help teams migrate from C++ to C#, but I believe that it will work.
http://en.wikipedia.org/wiki/C%2B%2B/CLI
I have a webservice which is hosted on api server and application on app server which have url's like https://webservice.test.com/ for webservice server and https://app.test.com/ for application.
In application we get live data from database using several service we developed on webservice server using CORS http request.
In some service like login we have passed custom header x-auth-token from server.
Above is the screen shot of response we have got in Google Chrome for the request. The Custom header shown in last is available in application when we use it in chrome or Mozilla. The same response we got in Safari too, x-auth-token also available in response when we check in headers but can't able to read it through code.
Finally, after a lot of search i got answer for my problem, Custom headers from CORS http request can be read only in Safari for latest webkit version i.e above 537. I have checked in all safari browser which is above this webkit version will provide me cusom header value. And similarly in chrome if webkit is less than 537 version you can't able to read it.
Maybe this answer on github could helpa bit : https://github.com/angular/angular.js/issues/6254
I'm trying to invoke a webservice using the classes generated by Visual Studio in an ASP MVC project, here is my code:
var serviceClient = new UserSoapClient("UserSoap");
var isValid = serviceClient.CheckEmail(email);
ViewBag.ServiceOutput = isValid? "Email is valid" : "Email is not valid";
return View();
However, the message is timing out and it seems that the problem is that the request header of the SoapClient is not sending the User-Agent property because I tried executing the same service with SOAP UI and that was the only difference. Is there any way of setting the User Agent because I'm looking at the documentation and it doesn't seem to be very obvious.
I have faced with a similar problem while trying to consume a service with SoapClient. I was able to get response from the service via browser but when I execute the code within the project service was returning Protocol Exception with The remote server returned an error: (502) Bad Gateway. message.
After several hours of tracing I have realised that the Exception was caused by the user-agent definition. I have tried to add user-agent to the Soap request header but no way. You can not add user-agent to Soap request registered as Service Reference. But it is possible to define user-agent header to a request registered as Web Service Reference.
What my solution is:
Remove the Service Reference from the project
Add the same reference as Web Reference from the advanced menu of Add Service Reference Window
Create a new object and define UserAgent property like below.
var svc = new ServiceReference.QueryService();
svc.UserAgent = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36";
We use NTLM auth to access an ASP.net web services from our MonoTouch app and everything works fine.
One of our customers uses the same app and the NTLM auth fails from our app but works from the iPad's Safari browser.
Looking at the packet flow from the customer, the server does not return NTLMSSP_CHALLENGE, when our app sends NTLMSSP_NEGOTIATE message.
Looking the differences between our app's NTLMSSP_NEGOTIATE message and iPad's Safari same message
Our MT app sets the NTLM flags to 0xb203 and Safari sets this to 0x88207.
The NegotiateNtlm2Key is set to 0 in our app and 1 in Safari
Our app also sends the calling workstation domain and name fields whereas Safari send both as null.
The client's server is Windows Server 2003 and they also use Kerberos as their main authentication scheme and fall back on NTLM.
Would setting the NegotiateNtlm2Key flags in Mono.Security.Protocol.Ntlm.NtlmFlags help?
NTLMv2 Session and NTLMv2 Authentication has now been implemented in Mono (mono/master commit 45745e5).
See this article for a description of the different NTLM versions.
By default, Mono now uses NTLMv2 Session Authentication whenever the server supports it and falls back to LM & NTLM otherwise.
The default behavior can be configured by using the new Mono.Security.Protocol.Ntlm.Type3Message.DefaultAuthLevel property in Mono.Security.dll (see Type3Message.cs and NtlmAuthLevel.cs in mcs/class/Mono.Security/Mono.Security.Protocol.Ntlm).
This is similar to the Lan Manager Authentication Level in Windows.
Update 01/26/13
There has been an issue with Microsoft Server 2008 RC2 not accepting the domain name that it sent back in the Type 2 Message's Target Name (or Domain Name from the Target Info block).
Therefore, we are now using the domain name from the NetworkCredential to allow the user to specify the desired domain. This is also the domain name that's initially being sent to the server in the Type 1 Message.
Simply setting flags ? Maybe but IMHO that's quite unlikely.
That code base was written in 2003 (and updated in 2004) and I'm pretty sure that I (as the author of the low-level code) did not have access to a Windows 2003 server or a Kerberos-enabled domain at that time.
The amount of required change, for a fallback, might not be too large (but I would not bet 5$ on that ;-) if you already have the environment to test it. I'm 100% positive that the Mono project would be happy to receive patches to enable this. You can also fill a bug report (priority enhancement) to ask for this feature at http://bugzilla.xamarin.com
An alternative is to use the iOS API, which I assume Safari is using, to communicate with the ASP.NET web service and deserialize the data yourself. Hard to say which options is more complex.