X-XSS-Protection: 1; mode block not working against reflected XSS - xss

GET /ApplicationName/Reserved.ReportViewerWebControl.axd?ReportSession=3goqe355i5khffrdfeofm2en&ControlID=1b5a5c1c7e314d1dabbb0797bf093da3&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodcntPlcHolder_ReportViewer1TouchSession038999%3balert(1)%2f%2f705&CacheSeed=Fri%20Apr%2013%202018%2015%3A41%3A24%20GMT%2B0530%20(India%20Standard%20Time) HTTP/1.1
The attack is done from the above response when we show the report in Microsoft Report Viewer.
Is there any solution for this?
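An added, defender-side example in Python, not code from the question or from Report Viewer: X-XSS-Protection only asks the browser's heuristic filter to intervene, and current major browsers no longer ship that filter, so the fix belongs on the server. The script assumes TimerMethod is reflected into a script block as a method name and shows the two server-side controls: an allowlist for a value used as code, and JavaScript string encoding for a value used as data.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed from the request in the question; only the TimerMethod parameter is kept.
SAMPLE_URL = ("/ApplicationName/Reserved.ReportViewerWebControl.axd?OpType=SessionKeepAlive"
              "&TimerMethod=KeepAliveMethodcntPlcHolder_ReportViewer1TouchSession038999"
              "%3balert(1)%2f%2f705")

# Assumption: the control only ever generates plain identifiers for TimerMethod,
# so anything else is attacker-controlled and must be rejected, not encoded.
TIMER_METHOD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def timer_method_from(url: str) -> str:
    """Return the URL-decoded TimerMethod query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("TimerMethod", [""])[0]

def is_allowed_timer_method(value: str) -> bool:
    """Allowlist check for a value that will be emitted as JavaScript code (a function name)."""
    return TIMER_METHOD_RE.fullmatch(value) is not None

def js_string_escape(value: str) -> str:
    """Encode a value for use inside a double-quoted JavaScript string literal in a <script>.
    Everything except ASCII letters and digits becomes \\xHH or \\uHHHH, so ';', '/', quotes,
    '<' and line breaks cannot end the literal, the statement or the script element."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)

def render_keepalive_script(timer_method: str) -> Optional[str]:
    """Hardened emission for the code context: allowlist or refuse, never encode-and-hope."""
    if not is_allowed_timer_method(timer_method):
        return None
    return f"<script>setTimeout(function () {{ {timer_method}(); }}, 60000);</script>"

def render_keepalive_data(timer_method: str) -> str:
    """If the value only needs to be data, pass it as an encoded string literal instead."""
    return f'<script>keepAlive("{js_string_escape(timer_method)}");</script>'
```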

Related

400 Bad Request Request Header Or Cookie Too Large using Sustainsys.Saml2

I'm getting a browser error when using SustainSys.Saml2 library with my app:
400 Bad Request
Request Header Or Cookie Too Large
nginx/1.14.0
I think that reducing my cookie size might help and I only really need the email from the claim data, so I thought that if I could just save the email claim and remove the other claims, that it might reduce my cookie size and fix this error.
I read the response to a similar question (SustainSys.Saml2 Request length header too long) and looked for some information on how to implement AcsCommandResultCreated to remove unused claims (and hopefully reduce cookie size). I didn't find a lot of documentation, but did piece together some ideas and code to try and take a stab at it.
I've tried this code in my global.asax as well as in a controller action (that I made the "returnUrl" after Saml2/Acs). It doesn't look like my FedAuth cookie (set by Saml2/Acs) is any smaller. Any comments or suggestions? Thank you.
// Register this once at application startup (e.g. in Application_Start), not per request:
// the notification runs when Saml2/Acs builds its result, which is before ClaimsPrincipal.Current
// holds anything for that sign-in. Requires: using System.Linq; using System.Security.Claims;
Sustainsys.Saml2.Configuration.Options.FromConfiguration.Notifications.AcsCommandResultCreated =
    (commandResult, response) =>
    {
        // Take the email claim from the principal Saml2 just built, not from the current thread
        var identity = commandResult.Principal.Identities.First();
        var emailClaim = identity.FindFirst(ClaimTypes.Email);
        if (emailClaim != null)
        {
            // Replace the Principal property in place: this is what gets written into the FedAuth cookie.
            // Assigning a new object to the commandResult parameter is discarded by the caller,
            // and Enumerable.Append() only returns a new sequence without modifying the identity.
            commandResult.Principal = new ClaimsPrincipal(
                new ClaimsIdentity(new[] { emailClaim }, identity.AuthenticationType));
        }
    };
UPDATE:
It turned out that the test environment that I was using (which used nginx) needed to increase the request header buffer size. Adding these cookies increased the size to around 9500 bytes, and nginx by default has a request header buffer size that is lower than that (I think 8000). Contacting the code owners of the test server running nginx and having this increased solved my problem, without me having to reduce my cookie size.
Do you have a lot of failed authentication attempts? That can leave a lot of Saml2.XYZ correlation cookies around on the domain. Try checking the browser dev tools and cleaning those up.
The "headers too large" error is usually something that happens when a user has tried signing in several times with a failure and those cookies get stuck. The real issue is usually something else - causing the authentication to fail and those correlation cookies to accumulate.
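An added diagnostic in Python, not code from Sustainsys.Saml2 or from either post: it measures a Cookie request header the way nginx does and separates the FedAuth session cookies from leftover Saml2.<id> correlation cookies, so you can tell whether the 8k limit (nginx's default large_client_header_buffers size) is hit by the session cookie itself or by accumulated failed sign-ins. The header value and cookie lengths are constructed.

```python
from typing import Dict, List, Tuple

# nginx's default large_client_header_buffers is 4 buffers of 8k; a single header line
# (such as Cookie:) longer than one buffer gets 400 "Request Header Or Cookie Too Large".
NGINX_DEFAULT_HEADER_BUFFER = 8 * 1024

# Constructed sample: the FedAuth session cookies plus Saml2.<id> correlation cookies left
# behind by failed sign-in attempts, as described in the answer. Values are made up.
SAMPLE_COOKIE_HEADER = "; ".join(
    ["FedAuth=" + "A" * 3000, "FedAuth1=" + "B" * 3000]
    + [f"Saml2.{i:03d}=" + "C" * 300 for i in range(12)]
)

def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs, keeping their order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs

def cookie_header_size(header: str) -> int:
    """Bytes of the full header line as nginx counts it: 'Cookie: ' + value + CRLF."""
    return len(("Cookie: " + header + "\r\n").encode("utf-8"))

def correlation_cookies(pairs: List[Tuple[str, str]]) -> List[str]:
    """Sustainsys.Saml2 correlation cookies are named Saml2.<id>; several at once usually
    means repeated failed sign-ins whose state was never cleaned up."""
    return [name for name, _ in pairs if name.startswith("Saml2.")]

def diagnose(header: str, limit: int = NGINX_DEFAULT_HEADER_BUFFER) -> Dict[str, object]:
    """Report the header size, whether it exceeds the buffer, and how much the stale
    correlation cookies contribute to it."""
    pairs = parse_cookie_header(header)
    size = cookie_header_size(header)
    stale = set(correlation_cookies(pairs))
    without_stale = "; ".join(f"{n}={v}" for n, v in pairs if n not in stale)
    return {
        "bytes": size,
        "over_limit": size > limit,
        "correlation_cookies": len(stale),
        "bytes_without_correlation": cookie_header_size(without_stale),
    }
```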

Hi How to handle 302 response in dp:url-open()

Hi, how do I handle a 302 response in dp:url-open(), and how do I delete all the request HTTP headers before sending to the back-end? Those headers are dynamic.
Thanks,
Manoj.
For (hypothetically) a Multi-Protocol Gateway, go to the "Advanced" tab and switch the "Follow Redirects" option off. Then the 302 HTTP response is treated just like any 2xx response.
From that point on, you can create GatewayScript code that tests the status code (and if the value == 302) deletes all headers.
The code would look something like this (please correct if I missed something):
var hm = require('header-metadata');
var all_Headers = hm.current.headers;
console.error(all_Headers);
if (hm.current.statusCode == 302) {
for (var headerName in all_Headers) {
hm.current.remove(headerName);
}
}
Here are some good references for GatewayScript:
Nice IBM "playground" site, click on "samples" for the cool part
Official GatewayScript code documentation
Specific part about header deleting in GatewayScript
I partially based my example on this healthcheck example

Setting a cookie using JavaFX's WebEngine/WebView

I cannot seem to find any way to set a cookie programmatically using WebEngine / WebView in JavaFX. The API doesn't give any idea as to how to obtain an HttpRequest-like object to modify the headers (which is what I use in the app for XML-RPC), or any sort of cookie manager.
No questions on this page seem to touch on the issue either - there is this but it just disables cookies when in applet to fix a bug, my app is on desktop btw.
The only way I imagine I could do it is by requesting the first page (which requires a cookie with a sessionID to load properly), getting an "access denied"-style message, executing some javascript in the page context which sets the cookie and then refreshing. This solution would be a horrible user experience though.
How do I set a cookie using WebEngine?
Update: Taking a clue from a question linked above, I tried digging around for some examples of using CookieManager and related APIs. I found this code, which I then tried to incorporate into my app, with weird results:
MyCookieStore cookie_store = new MyCookieStore();
CookieManager cookie_manager = new CookieManager(cookie_store, new MyCookiePolicy());
CookieHandler.setDefault(cookie_manager);
WebView wv = new WebView();
Now let's say we do this:
String url = "http://www.google.com/";
wv.getEngine().load(url);
Debugging in Eclipse after this request has been made shows that the cookie store map holds a cookie:
{http://www.google.com/=[NID=67=XWOQNK5VeRGEIEovNQhKsQZ5-laDaFXkzHci_uEI_UrFFkq_1d6kC-4Xg7SLSB8ZZVDjTUqJC_ot8vaVfX4ZllJ2SHEYaPnXmbq8NZVotgoQ372eU8NCIa_7X7uGl8GS, PREF=ID=6505d5000db18c8c:FF=0:TM=1358526181:LM=1358526181:S=Nzb5yzBzXiKPLk48]}
THAT IS AWESOME
WebEngine simply uses the underlying registered cookie engine! But wait, is it really? Let's try adding a cookie, prior to making the request...
cookie_store.add(new URL(url).toURI(), new HttpCookie("testCookieKey", "testCookieValue"));
Then I look at the request in Wireshark...
GET / HTTP/1.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/535.14 (KHTML, like Gecko) JavaFX/2.2 Safari/535.14
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: no-cache
Pragma: no-cache
Host: www.google.com
Connection: keep-alive
No cookie for me :(
What am I doing wrong?
I have managed to solve this issue with the help of Vasiliy Baranov from Oracle. Vasiliy wrote to me:
Try putting the cookie into java.net.CookieHandler.getDefault() after
the WebView is instantiated for the first time and before the call to
WebEngine.load, e.g. as follows:
WebView webView = new WebView();
URI uri = URI.create("http://mysite.com");
Map<String, List<String>> headers = new LinkedHashMap<String, List<String>>();
headers.put("Set-Cookie", Arrays.asList("name=value"));
java.net.CookieHandler.getDefault().put(uri, headers);
webView.getEngine().load("http://mysite.com");
This will place the cookie into the store permanently; it should be sent out on every subsequent request (presumably provided that the server doesn't unset it).
Vasiliy also explained that WebView will install its own implementation of the CookieHandler, while retaining cookies put into the default one.
Lastly, he mentions something quite intriguing:
Do not waste your time trying to use java.net.CookieManager, and
java.net.CookieStore. They are likely to cause problems with many
sites because they implement the wrong standard.
I tried googling after this but it doesn't seem to be common knowledge. If anyone is able to provide more details I would be grateful. It seems weird, since it seems CookieStore and CookieManager are used by a lot of software out there.
Solution for java.net.CookieManager
Cookies serialization:
List<HttpCookie> httpCookies = cookieManager.getCookieStore().getCookies();
Gson gson = new GsonBuilder().create();
String jsonCookie = gson.toJson(httpCookies);
Cookies deserialization:
Gson gson = new GsonBuilder().create();
List<HttpCookie> httpCookies = new ArrayList<>();
Type type = new TypeToken<List<HttpCookie>>() {}.getType();
httpCookies = gson.fromJson(json, type); // convert json string to list
for (HttpCookie cookie : httpCookies) {
cookieManager.getCookieStore().add(URI.create(cookie.getDomain()), cookie);
}

C++ DMS with subtitle support on LG smart TV with Platinum library

I'm trying to implement a simple DMS that can provide subtitle information to the DMR (LG SmartTV) using the Platinum library.
I already succeeded in rendering video on the DMR, and I already found where the DMR receives the subtitle information associated with the video file.
Sample request from the DMR:
POST /upnp/services/ContentDirectory/control HTTP/1.1
HOST: 192.168.1.3:54444
CONTENT-LENGTH: 735
CONTENT-TYPE: text/xml; charset="utf-8"
SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
USER-AGENT: Linux/2.6.39.4.ps-110224-lg1152 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_DLNA_SDK/1.6.0
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:Browse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
<ObjectID>ea06</ObjectID>
<BrowseFlag>BrowseDirectChildren</BrowseFlag>
<Filter>#id,#parentID,#restricted,#childCount,dc:title,dc:creator,upnp:artist,upnp:class,dc:date,upnp:album,upnp:genre,res,res#size,res#duration,res#protection,res#bitrate,res#resolution,res#protocolInfo,res#nrAudioChannels,res#sampleFrequency,upnp:albumArtURI,upnp:albumArtURI#dlna:profileID, res#dlna:cleartextSize</Filter>
<StartingIndex>0</StartingIndex>
<RequestedCount>24</RequestedCount>
<SortCriteria></SortCriteria>
</u:Browse>
</s:Body>
</s:Envelope>
Now the response from a valid DMS that supports subtitle display is:
HTTP/1.1 200 OK
SERVER: WINDOWS/5.1 UPnP/1.0 DLNADOC/1.50 Nero-MediaHome/4.5.20.145
CONTENT-TYPE: text/xml; charset=utf-8
EXT:
DATE: Mon, 14 Jan 2013 22:12:35 GMT
TRANSFER-ENCODING: chunked
CONNECTION: Keep-Alive
...
<item id="ea13" parentID="ea06" restricted="1">
<dc:date>2012-10-25</dc:date>
<dc:title>video.avi</dc:title>
<upnp:album>Filmes</upnp:album>
<upnp:class>object.item.videoItem.movie</upnp:class>
<res
bitrate="257570" duration="1:37:32" nrAudioChannels="6"
protocolInfo="http-get:*:video/avi:DLNA.ORG_OP=01;DLNA.ORG_CI=0;DLNA.ORG_FLAGS=01700000000000000000000000000000"
resolution="720x304" sampleFrequency="48000" size="1507196928">http://192.168.1.3:54444/server/80402875-CA74-4CCE-B7E0-D81CEF1913A2/D5E59F25/ea13?unknown-id</res>
<res protocolInfo="http-get:*:text/srt:*">http://192.168.1.3:54444/server/80402875-CA74-4CCE-B7E0-D81CEF1913A2/3A2C7131/ea13?sub=video.srt</res>
</item>
Now I'm trying to implement the same in my custom DMS. Can anyone point me in the right direction or show any sample that implements subtitle info stored in a res element as srt_URL (the content-type of the response is text/srt)?
Thanks
To add an SRT resource tag to a UPnP item in Platinum, you should do at least the following. I don't claim the list is functional, complete or tested. It's just my best guess at what needs to be changed. If it doesn't immediately work as expected, I may not be able to help you more specifically. It's a navigation hint, not driving assistance.
Put your SRT file in the same folder as the media file, named the same way as the media file in some sensible way that is easy for you to distinguish afterwards.
In PltMimeType.cpp add "srt","text/srt" to PLT_HttpFileRequestHandler_DefaultFileTypeMap. Platinum doesn't know SRT out of the box.
PltFileMediaServer.cpp is kinda dumb; by default it shows all files found in a directory. It's an example, after all. You need to filter SRTs out of the visible listing by implementing the PltFileMediaServer::ProcessFile filter.
Still in PltFileMediaServer.cpp there is a method PLT_FileMediaServerDelegate::BuildFromFilePath. Here filepath is the path of your media file (and ONLY that). From the filepath, you need to look in the folder for a properly named subtitle file (with some NPT_File methods; look it up).
If there is one, you must add an extra PLT_MediaItemResource to the PLT_MediaObject* object. There is already one resource instance, but that's used exclusively for the media resource itself. Don't reuse it. You need to add another one, and IMO you need to set only resource.m_Uri (with BuildResourceUri) and resource.m_ProtocolInfo.
For m_ProtocolInfo, you need to call PLT_ProtocolInfo::GetProtocolInfo with parameter false so that the protocolInfo of your newly added <res> is not clobbered with a DLNA profile id.

Getting "WSE003: The input was not a valid SOAP message" on every call to a WSE 2.0 SoapHttpRouter

I already tried some different SOAP messages, even one which has an empty header and body, but without success in getting into my SoapHttpRouter-derived class :-(
Also, when I hit the .asmx URL with the browser it gives that error. Here is the detailed stack trace of the error:
[NotSupportedException: WSE003: The input was not a valid SOAP message.]
Microsoft.Web.Services2.Messaging.SoapHttpRouter.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object asyncState) +134
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8677954
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
I hope that someone is out there who had the same problem. I would appreciate your help very much!
Typically when I get that message it's because there is a server side error and it's sending the default HTML error page back instead of the properly formatted SOAP message.
I would try stepping through the server-side code (if possible) to make sure there aren't any problems.
Were you aware that WSE 2.0 is extremely obsolete? Even more so than WSE 3.0.
I recently ran into this issue. The solution for me was to add the SOAPAction HttpHeader to the request, so that the request header looked something like this:
POST <web service url> HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: <action url>
Host: <host>
Content-Length: xxx