So I am using a burp suite to intercept a request to
stage.training.com/ats/getAllStates.html?countryCode=CR
Once Intercepted I change the Hostname to localhost:4502
The localhost uses an authentication which I have already added to Platform Authentication under
User Options --> Platform Authentication
However I keep getting a 400 Bad Request response.
Any idea whats going wrong here
Firstly, we need to understand why 400 Http Bad Request is causing the response.
400 - Bad request. The request could not be understood by the server due to malformed syntax. The client should not repeat the request without modifications.
You can check the following operations from inside the burp suite for authentication.
User options > Connections > Platform Authentication > Add
Destination host: target URL
Authentication type: Basic, NTLMv1, NTLMv2 or Digest
Username and Password
Both sides need updating. from both intercept and user options. Otherwise, you will continue to receive errors.
Related
Infra of system
Expected:
I want to block requests, which is not from Server FE (domain.com)
Ex: Users make request from another apps such as Postman -> it will response 403, message access denied.
I used the rules of ALB, it works but users can cheat on Postman
Also I use AWS WAF to detect request. But it's not work.
Is there any way to block request from Postman or another apps?
We can generate secret_key and check between Server FE and Server BE. But users can see it on Headers and simulator the headers on Postman and call API success.
Current Solution:
I use Rule of Application Load Balancer to check Host and Origin. But users can add these params on Postman and request success.
Rule ALB
When I add Origin matching value (set on ALB) -> We can request successful
Postman success
Postman denied
Users can cheat and call API success.
Thanks for reading. Please help me give any solution for this one. Thanks a lot.
No. HTTP servers have no way to know what client is being used to make any HTTP request. Any HTTP client (Browsers, PostMan, curl, whatever) is capable of making exactly the same requests as each other.
The user-agent header is a superficial way to do this, but it's easy enough for PostMan or any other HTTP client to spoof the user-agent header to one that makes the request look like it is coming from a web browser agent.
You can only make it more challenging to do so. Some examples to thwart this behavior includes using tools like Google captcha or CloudFlare browser integrity check, but they're not bulletproof and ultimately aren't 100% effective at stopping people from using tools/automation to access your site in unintended ways. At the end of the day, you're limited to what can be done with HTTP, and PostMan can do everything at the HTTP layer.
From our web application we are authenticating user [Azure AD B2C] through Msal.js and version is 1.2.1. Facing an issue while redirecting user to loginRedirect() when acquireTokenSilent throwing "User Login Required".
Issue is "Bad Request - Header Field Too Long" and Http Status is 400, browser [Chrome -Ver - 80.0.3987] cookies had chunk of entries like below -
Forcing user to logout() and redirecting to loginRedirect() did not resolve the issue. Still cookies are available, probably cookies are not cleaning due to this -
msal.js
I want to clear cookies by using "clearMsalCookie" method, but it requires "State". Where do I get the State? or else is there a way to delete the msal cookies. However "resetCacheItems" not clearing the cookies....
Regards,
Deb
--
i'm trying to call my api flask on postman or on google chrome and i always get this:
POSTMAN :
Could not get any response
There was an error connecting to 192.168.1.178:5000/.
Why this might have happened:
The server couldn't send a response:
Ensure that the backend is working properly
Self-signed SSL certificates are being blocked:
Fix this by turning off 'SSL certificate verification' in Settings > General
Proxy configured incorrectly
Ensure that proxy is configured correctly in Settings > Proxy
Request timeout:
Change request timeout in Settings > General
Google chrome
Ce site est inaccessible
192.168.1.178 a mis trop de temps à répondre.
This looks like an issue with your flask server or could be related to the authentication method or missing data in your request.
What you can do is use the Postman Console to debug your outgoing request to the server.
What you can look for is:
Check the URL (in your case I think it's an IP address) of the request
Check the request method, for eg. 'GET', 'POST' - you might be calling the request with the wrong method.
Check the authentication method and credentials
Check the request body and headers.
And so on.. make sure you fulfill all the requirements of a complete request.
You can also put print statements in your flask server and see if the endpoints are being called (if it's a local server).
I have a web service that requires authentication for GET request. Now for Options method we know that authentication is not requiref. But if someone still pass the authentication for Options method then what should be the http error code that we should returned?
Preflight request are meant for the browser to go ahead with actual request if http status code of OPTIONS are in 2XX series.
So for most cases go ahead with any of the HTTP status code 200 , 204.
For about CORS - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I have created a new project using the template 'Building a SOAP WebService Test Plan' in jmeter (followed the steps in the tutorial from the apache jmeter website to set this up). The responses aren't being accepted and in the results log I am seeing the message:
1446205258738,20995,Soap Request,Non HTTP response code: org.apache.http.conn.HttpHostConnectException,Non HTTP response message: Connection to http://(server name).com refused,Number of Users 1-10,text,false,2273,1,1,0
It's making the connection to http rather than https which I think is why the connection is not being made. Is there anyway to change this? I've tried using the different implementations in the soap request but this hasn't worked, currently using HttpClient4.
Please see the http request details
HTTP REQUEST DETAILS
As per #Rage answer (who should answer in response not comment , I'll be happy to remove my answer if he does), just change :
Protocol [http] value to https
See:
As per your last comment, you modified to https and now you face another issue , getting a 404.
So most probably your Path or Server Name or IP are wrong, as the hoster or developer for the correct connection informations.