Flash app accessing web service; "security error accessing url". Crossdomain in place - web-services

I have a Flash app on SSL Internet Domain1 and web services on non-SSL Intranet Domain2. Firewall port 80 is open between them. A Crossdomain file is in place on Domain2.
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
I think that is pretty wide open.
I can access web services on Domain2 directly from Domain1 no errors.
When flash app loads, Fiddler shows WSDL is loaded. An Init function calls the web service to load a combobox. I never see that call in Fiddler.
Everything works fine on my dev instance, which is all on Domain2.
I'm 98% sure that it's a Crossdomain issue, but 2% reserved for unknowns. I have looked at Crossdomain posts on many forums for weeks (really! it's a side project) and tried many different changes. Nothing has made any difference.
Any suggestions are hugely appreciated.
Thanks!

<allow-access-from> and <allow-http-request-headers-from> have a not well known attribute, secure.
This attribute is there specifically to indicate whether we authorize secure connections from an insecure domain (i.e. https from http); and it's true by default (connection refused).
Try with this crossdomain; it may solve your issue.
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
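Whether a given SWF origin is admitted by a policy, and how wide open the two policies above really are, can be checked mechanically. The following is an added example, not code from either poster: it parses a crossdomain.xml, answers "would a SWF at scheme://host be granted access?", and lists the over-permissive settings a reviewer would flag (domain="*", permitted-cross-domain-policies="all", headers="*", and secure="false"). Adobe's policy-file specification documents the secure attribute as defaulting to true and as applying to policy files served over HTTPS, which is how it is modelled here; treating "*.example.com" as also matching the bare "example.com" is an assumption of this example, and the host names in the test calls are made up.

```python
"""Audit a Flash crossdomain.xml and evaluate which SWF origins it admits."""
import xml.etree.ElementTree as ET

# Constructed copies of the two policies posted in the thread.
ORIGINAL_POLICY = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RELAXED_POLICY = """<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Flash domain matching: '*' matches every host, '*.example.com' matches
    subdomains (and, as assumed in this example, the bare domain too), anything
    else must match exactly (case-insensitive)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".example.com"
        return host == suffix[1:] or host.endswith(suffix)
    return pattern == host


def policy_allows(xml_text, served_over_https, swf_scheme, swf_host):
    """Would a SWF loaded from swf_scheme://swf_host be granted data access?"""
    root = ET.fromstring(xml_text)
    for rule in root.findall("allow-access-from"):
        if not domain_matches(rule.get("domain", ""), swf_host):
            continue
        # secure defaults to true; on an HTTPS-served policy it refuses SWFs
        # that were themselves loaded over plain HTTP. On an HTTP-served
        # policy there is no TLS guarantee to protect, so it has no effect.
        secure = rule.get("secure", "true").lower() != "false"
        if served_over_https and secure and swf_scheme != "https":
            continue
        return True
    return False


def audit(xml_text, served_over_https):
    """Return human-readable findings for settings a reviewer should question."""
    root = ET.fromstring(xml_text)
    findings = []
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control=all: any URL on this host may act as a "
                        "policy file (including user-controlled content)")
    for rule in root.findall("allow-access-from"):
        if rule.get("domain") == "*":
            findings.append("allow-access-from domain=*: Flash content from any "
                            "site can read responses with the visitor's cookies")
        if served_over_https and rule.get("secure", "true").lower() == "false":
            findings.append("secure=false on an HTTPS policy: SWFs loaded over "
                            "plain HTTP may read HTTPS data")
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append("allow-http-request-headers-from domain=* headers=*: "
                            "arbitrary request headers from any origin")
    return findings


if __name__ == "__main__":
    for finding in audit(RELAXED_POLICY, served_over_https=True):
        print("-", finding)
```

Run against the poster's Domain2 (the policy is served over plain HTTP), both policies admit an HTTPS SWF from any host and the audit reports three findings either way; the secure="false" change only alters the verdict for a policy that is itself served over HTTPS, where it additionally opens the data to plain-HTTP SWFs.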

Related

Web pages take forever to load when using burp suite

I'm new to Burp Suite and I'm getting a lot of errors with it; one of the errors is this. When I'm trying to access web pages (e.g. google.com, hackerone etc.) the web page just never loads (Intercept is off) and I'm using Chrome. Please help me with this matter.
OS: Windows
Proxy: FoxyProxy (127.0.0.1:8080)
Note: Intercept is off when I'm browsing.
Well, I can't understand your problem, but here are some points to keep in mind while using Burp Suite.
Make sure the CA certificate is properly installed in the browser.
Add your target host to scope. For example, if you are testing on xyz.com then add this host to scope, so even if Intercept is on, other hosts' requests will be ignored by the interceptor.
Slow loading might be your internet issue.
Make sure your 8080 port is not blocked by any other service.
Try changing your browser in case of getting errors.
Burp Suite will not work while a VPN or other proxy is on.

Port blocked creating web app on AWS

I'm trying to create a web app on AWS and I'm running into port issues. I would like to have multiple apps providing different services on different ports. I've created a website (on the same instance) to receive a text query and pass it to my app on port 3000. The app listening on 3000 is written in CherryPy.
We are using a VPN to provide security for the AWS instance. When logged into the VPN, everything works fine. The web page loads, the query returns the correct data. When I disconnect from the VPN, or someone else goes to the page, the page still loads, but queries to the service time out.
I've used netstat to make sure the service is listening, but I'm not sure what could be blocking traffic. I've worked through the CORS issues, as is evident from the fact that it works when I'm signed into the VPN.
What can I check now?
When I disconnect from the VPN, or someone else goes to the page, the page still loads, but queries to the service time out.
My assumption is that the web server and the app are on the same server.
It sounds very much like the connection from web server to app is happening via a routed IP address rather than localhost. In addition to being slower, it's also hitting your firewall rules.
Configure the web server to access your app on localhost:3000 and the issue should clear up.
I actually got it working. I have an AWS instance with nginx and CherryPy. When the user goes to a web address, the nginx page loads with a form for a query string. When they submit a string, the string is POSTed to a CherryPy service running on port 3000. The CherryPy service does some computations and returns a result via JSON.
I thought I had opened up everything completely for testing, but I was having so many issues. It turned out that having CherryPy set
"Access-Control-Allow-Origin" = "*"
wasn't working, instead I needed to specifically set the origin of the calling page.
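One documented reason a literal "*" fails is that browsers refuse Access-Control-Allow-Origin: * for requests that carry credentials (cookies or an Authorization header, e.g. XHR with withCredentials); the server must then echo the exact calling origin. The code below is an added example, not the poster's CherryPy service: it builds the CORS headers for a whitelisted origin, reflecting that origin instead of "*" and adding Vary: Origin so caches do not serve one origin's response to another. The origin values are constructed, and the optional CherryPy hook at the end is this example's own wiring, enabled only if cherrypy is importable.

```python
"""Reflect a whitelisted Origin instead of '*' in CORS responses."""
from urllib.parse import urlsplit

# Constructed example: the nginx front page that POSTs to the port-3000 service.
ALLOWED_ORIGINS = {"http://web.example.com", "https://web.example.com"}


def cors_headers(request_origin, allowed_origins, with_credentials=False):
    """Return CORS headers for a request from request_origin, or {} when the
    origin is absent or not whitelisted (no header means the browser denies).

    A wildcard '*' is rejected by browsers for credentialed requests, so the
    specific origin is echoed back; 'Vary: Origin' keeps intermediaries from
    caching the response for other origins.
    """
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    # Normalize to scheme://host[:port]; Origin never carries a path.
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in allowed_origins:
        return {}
    headers = {
        "Access-Control-Allow-Origin": normalized,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
    }
    if with_credentials:
        # Only meaningful together with a specific (non-'*') origin.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_preflight(method, request_headers):
    """Preflight = OPTIONS with Access-Control-Request-Method present."""
    return method.upper() == "OPTIONS" and \
        "Access-Control-Request-Method" in request_headers


try:  # Optional CherryPy wiring (assumed integration, not the poster's code).
    import cherrypy

    def _cors_tool():
        origin = cherrypy.request.headers.get("Origin")
        for name, value in cors_headers(origin, ALLOWED_ORIGINS,
                                        with_credentials=True).items():
            cherrypy.response.headers[name] = value

    # Enable globally with cherrypy.config.update({"tools.cors.on": True});
    # the handler must still answer OPTIONS preflights with a 2xx.
    cherrypy.tools.cors = cherrypy.Tool("before_handler", _cors_tool)
except ImportError:
    pass
```

Keep the whitelist to the exact origins that legitimately call the service; reflecting whatever Origin arrives would be equivalent to "*" with credentials enabled, which is worse than the wildcard the poster started with.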

Whitelist http: content for Django application running SSL?

In my Django web application I have added SSL security. Now in the Django application I have integrated an external API which is running over http://.
This is the error I get after calling the external API:
[blocked] The page at 'https://mywebsite.com' was loaded over HTTPS, but ran insecure content from 'http://api.external.com/moto.json?': this content should also be loaded over HTTPS.
Can anyone help me out here on how I should whitelist the required external domains? I am running the application on an Apache server, so will this have to be done in the Apache settings or in Django?
Unfortunately this is something that is being done at the browser and is not something you can control from your application or your web server.
Here is the help article from Chrome that explains this behavior:
Websites that ask for sensitive information, such as usernames and passwords, often use secure connections to transmit content to and from the computer you're using. If you're visiting a site via a secure connection, Google Chrome will verify that the content on the webpage has been transmitted safely. If it detects certain types of content on the page coming from insecure channels, it can automatically prevent the content from loading and you'll see a shield icon (the insecure content shield icon) appearing in the address bar. By blocking the content and possible security gaps, Chrome protects your information on the page from falling into the wrong hands.
The only way to stop this from happening is to access the API over HTTPS.

Fiddler blocks some HTTPS connections like Dropbox

I work on a project which makes ajax queries to a web service, so I use Fiddler to see the JSON responses.
But I have encountered troubles using Fiddler. When I launch it on my laptop, Dropbox can't synchronize my files anymore, but I can debug my ajax requests. The real problem is when I use Fiddler on my desktop computer: all my requests to my web service are blocked. My web service runs on localhost.
I don't understand how it works; can you help me?
Dropbox connections don't work because that application uses a feature called "Certificate Pinning" that rejects Fiddler's HTTPS interception certificate. Why this happens is discussed in the Fiddler book, but you can configure Fiddler not to decrypt dropbox.exe's connections, which resolves the issue.
To avoid blocking Dropbox app traffic while Fiddler is running, you can use Tools > Fiddler Options > HTTPS to either only decrypt browser traffic or configure Fiddler not to decrypt traffic to *.dropbox.com.
The issue with your "WebService" is almost certainly completely unrelated. You need to be far more specific for anyone to help: What is the client? What is the service written in? What do you see in Fiddler when this happens?

AS3 flash can't make calls to http or https webservice on a facebook app

I have an iframe Facebook application with a problem I am not able to solve, because I can't understand the source of it.
In the iframe there is a Flash movie (in AS3) that makes https calls to a web service (it basically calls an https address and waits for an XML response).
It is fine in 90% of the cases, but some clients are not able to run any calls and I can't understand why.
They install the app and load the Flash movie, but it seems there is something that stops the Flash from calling the https address.
Can you think of any reason?
An antivirus? a strict security setup on the browser?
Thanks for the help!
Loading XML files in Flash over an SSL Connection in Internet Explorer fails if the Pragma:no-cache or Cache-control:no-cache HTTP headers are set on the XML file.
Here is a helpful blog post about this: http://www.blog.lessrain.com/flash-loading-and-browser-cache-test-suite/