How to send POST variable in POSTMAN - django

I can't get POSTMAN to send any post variables to my Django app. Suppose I have a post variable called 'report_request' and it has a value that is a JSON string. On the Django side I want to get request.POST['report_request'] and parse the JSON into a dictionary. But POSTMAN never seems to send the POST data. How exactly do I do this? Is there some magical header I need to send?

Doh! My bad. The URL I need to connect to is really HTTPS rather than HTTP, but I was specifying the URL as http://. Apparently if Postman is asked to connect to an HTTPS site using HTTP, it silently just drops all POST variables. How lovely. Anyway it was an easy fix, just change the http:// url to https:// and all is well.

Be sure to provide the POST data in the body (body tab) of the request and not in the parameters (params tab).
Otherwise, POSTMAN will interpret your POST request as being without data and on a url with GET parameters.
See these specifications about csrf if needed

Check if you're sending the csrf token, it's a security feature.
https://docs.djangoproject.com/en/1.8/ref/csrf/

Related

parameter postman-token couldn't find in SoapUI request

I am getting familiar with both Postman and SoapUI. I already have a doubt. When I make a GET call to the postman-echo service, I get slightly different responses shown to me in Postman and in SoapUI.
In particular, in Postman I get
"postman-token": "1ef2b330-3a46-4681-a304-d72f020cb194"
This field-value pair is not shown by SoapUI.
Can anyone explain the apparent difference to me?
The parameter postman-token is added when you send a request from Postman. So it's a custom parameter; you cannot expect it to be present with other tools.
If you check the Postman docs on General settings, they explain what that param is for:
This is primarily used to bypass a bug in Chrome. If an XmlHttpRequest is pending and another request is sent with the same parameters then Chrome returns the same response for both of them. Sending a random token avoids this issue. This can also help you distinguish between requests on the server side.
You can disable it from Postman settings. Go to Settings > General > Send Postman Token header.

POST request to Django DRF call working in cURL but not with Postman

I'm following the instructions to support TokenAuthentication in my rest-api site, shown here. Using cURL, I have been able to obtain my user's token (username - example, password - example), through the following command:
curl -X POST -d "username=example&password=example" localhost:8000/api/login/
This returns a successful response, with example's authentication token.
Yet when I do (what I think is) the same thing through Postman, it simply does not work. See image below.
From the error code (400 - Bad request), it seems like it's not even receiving the POST parameters at all. Can anyone help me here?
Look at your URL in Postman. There is a query string attached to the URL. Remove that query string from the URL and send the parameters as a POST request to this:
http://localhost:8000/api/login/
Even though this is a very old question, maybe this answer will be helpful...
I had exactly the same issue
solution:
don't put username and password in the address bar, but only
and in the body put JSON data of your username and password as below
be careful, don't use single quotation marks '', but use double quotation marks "" instead, otherwise it will fail, no clue why
Depending on how your API is set up, you probably need to specify the content type in your request headers, Content-Type: application/json.

Set-Cookie for a login system

I've run into a few problems with setting cookies, and based on the reading I've done, this should work, so I'm probably missing something important.
This situation:
Previously I received responses from my API and used JavaScript to save them as cookies, but then I found that using the set-cookie response header is more secure in a lot of situations.
I have 2 cookies: "nuser" (contains a username) and key (contains a session key). nuser shouldn't be httpOnly so that JavaScript can access it. Key should be httpOnly to prevent rogue scripts from stealing a user's session. Also, any request from the client to my API should contain the cookies.
The log-in request
Here's my current implementation: I make a request to my login api at localhost:8080/login/login (keep in mind that the web-client is hosted on localhost:80, but based on what I've read, port numbers shouldn't matter for cookies)
First the web-browser will make an OPTIONS request to confirm that all the headers are allowed. I've made sure that the server response includes access-control-allow-credentials to alert the browser that it's okay to store cookies.
Once it's received the OPTIONS request, the browser makes the actual POST request to the login API. It sends back the set-cookie header and everything looks good at this point.
The Problems
This set-up yields 2 problems. Firstly, though the nuser cookie is not httpOnly, I don't seem to be able to access it via JavaScript. I'm able to see nuser in my browser's cookie option menu, but document.cookie yields "".
Secondly, the browser seems to only place the Cookie request header in requests to the exact same API (the login API):
But, if I do a request to a different API that's still on my localhost server, the cookie header isn't present:
Oh, and this returns a 406 just because my server is currently configured to do that if the user isn't validated. I know that this should probably be 403, but the thing to focus on in this image is the fact that the "cookie" header isn't included among the request headers.
So, I've explained my implementation based on my current understanding of cookies, but I'm obviously missing something. Posting exactly what the request and response headers should look like for each task would be greatly appreciated. Thanks.
Okay, still not exactly what was causing the problem with this specific case, but I updated my localhost:80 server to accept api requests, then do a subsequent request to localhost:8080 to get the proper information. Because the set-cookie header is being set by localhost:80 (the client's origin), everything worked fine. From my reading before, I thought that ports didn't matter, but apparently they do.

CSRF, Token and Same-Origin Policy explained

So I know there are a lot of questions about CSRF (because I have read some of them) but there is one point I still don't understand. Let's imagine the following case:
I am logged in (with cookies) on my server where there is a page with a button 'Delete my account', which I don't want to press.
I visit a hacker's server:
a. My browser requests 'bad.html', which contains JS, with a callback function defined. It also has a script like this (thus avoiding the Same-Origin Policy problem):
var s = document.createElement('script');
s.src = 'url to "deleteAccountPage" of my server?'
s.src += 'callback=hackerCallback';
s.type = 'text/javascript';
document.body.appendChild(s);
b. Once the script is "appended", the browser will load the page and then call hackerCallback, passing the page HTML text as a parameter.
c. With this HTML, the callback can parse the token in there.
The hackerCallback now has the token, sends an Ajax request to my server on the "deleteMyAccount" page.
My account is now deleted, because the Token, the cookies and even the browser trace match the ones registered by the server.
How do you avoid that behaviour? I have read things about only allowing certain Headers on my server. This would cut short all Cross-Domain requests on my server, however according to this link (http://blog.alexmaccaw.com/jswebapps-csrf) it is not enough... (Which I totally believe)
Thanks for the help
Seba-1511
You are using JSONP in order to make a cross domain request via a script tag. JSONP is only allowed for GET requests, and you shouldn't have GET endpoints that make changes (not idempotent).
deleteAccount should be a POST endpoint that couldn't be requested via JSONP.
If you insist on using GET on deleteAccount, you should use CSRF tokens or send the token in a header instead of a cookie (if you're using XHR requests).
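The defence the answer describes, as an added example that is not part of the thread: a minimal server-side guard for a state-changing endpoint such as the "deleteMyAccount" page above. It refuses anything that is not a POST (which is all a script tag / JSONP load can ever issue), checks the Origin or Referer against the site's own origin, and compares a per-session token supplied in a header or form field. The `Request` class, `SITE_ORIGIN` and all names are constructed stand-ins, not Django's API.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin of "my server" (constructed)


class Request:
    """Tiny stand-in for a framework request object (constructed for this example)."""

    def __init__(self, method, headers=None, form=None, session=None):
        self.method = method
        self.headers = headers or {}
        self.form = form or {}
        self.session = session if session is not None else {}


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_protect(request):
    """Return (status, reason). Only a same-origin POST with a matching token passes."""
    # 1. A <script src=...> or JSONP load can only ever issue GET: refuse it outright.
    if request.method != "POST":
        return 405, "state change requires POST"
    # 2. A cross-site POST carries the victim's cookies but a foreign Origin/Referer
    #    (or none at all), so compare scheme and host against our own origin.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "origin mismatch"
    # 3. The expected token lives in the session, not in a cookie the browser would
    #    replay automatically; accept it from a header (XHR) or a hidden form field.
    expected = request.session.get("csrf_token")
    supplied = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return 403, "bad or missing csrf token"
    return 200, "ok"
```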

How to post data over https with urllib2?

I want to integrate a credit card processing in my website using Paybox.com API's.
I have to send a POST request (using urllib2) to Paybox API's with credit card details (number, date, cvv) when a user submit a form.
How can I secure that? Is it enough to put https://www.mywebsite.com/card/processing in my form action?
How can I send POST data over HTTPS using urllib2?
PS: I work on Django.
Well in terms of security refer to this QA: POST data encryption - Is HTTPS enough?
As far as how to do it, here's an explanation about using urllib: http://www.codercaste.com/2009/11/28/how-to-use-the-urllib-python-library-to-fetch-url-data-and-more/
The idea is to use the urlencode command to create a parameters object for the request, then create a request object from the url and the parameters object, and then call urlopen on the request object in order to actually send the request.
Here are solutions using python-request lib: http://www.python-requests.org/en/latest/user/advanced/
request using ssl: http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification
request using post: http://docs.python-requests.org/en/latest/user/quickstart/#more-complicated-post-requests (should also allow verify=True parameter)
By the way, python-request is a very powerful and easy way to make requests.
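The urlencode / Request / urlopen sequence from the answer, as an added example that is not from the thread. It uses Python 3's urllib.request (the successor of urllib2) and adds the two checks a card-processing call should never skip: the URL must be https:// (the http:// typo from the first question would otherwise send card data in clear text) and the TLS context must verify the server certificate, the equivalent of requests' verify=True. The endpoint URL comes from the question; the field names and values are dummies constructed here.

```python
import ssl
from urllib.parse import urlencode, urlsplit
from urllib.request import Request


def build_card_post(url, fields):
    """Build a POST Request for `fields` plus a certificate-verifying TLS context.

    Raises ValueError if the URL is not https://, so card data cannot be sent in
    the clear by mistake.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("card data must only be posted over https")
    # urlencode returns a str; urllib wants bytes, and passing `data` makes it a POST.
    body = urlencode(fields).encode("ascii")
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    # The default context verifies the certificate chain and the hostname.
    ctx = ssl.create_default_context()
    return req, ctx


def main():
    # Dummy card fields constructed for this example (not real card data).
    req, ctx = build_card_post(
        "https://www.mywebsite.com/card/processing",
        {"number": "0000000000000000", "date": "1230", "cvv": "000"},
    )
    # Actually sending it is one more call:
    #   with urllib.request.urlopen(req, context=ctx) as resp: print(resp.read())
    print(req.get_method(), req.full_url, req.data)


if __name__ == "__main__":
    main()
```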