how to prevent cross site access - xss

ok i just did a test and it turns out that this is not blocked by the browser - which i kind of assumed because its the same way you can load jquery and still have access to the data it loads:
i have a script located here:
https://securedomain.com/cookie_test.php - it prints out the cookies as json
if i run this file here:
http://myotherdomain.com/cookie_test.php
the javascript loads with this content:
but it does not load with an AJAX request because of the same origin policy
it also looks like in order to work in the script tag, it has to be a valid js statement like:
data={secure_data:true}
but if i do it as just plain JSON, then it causes a javascript error:
{secure_data:true}
so am I correct in assuming that the data output in this file is safe, as long as i output JUST json in the json format? that it can't be retrieved by any other site on the clients browser?

Should be, but if you are worried, you could always add a comment around the json, load it into the browser as text fron ajax, revert the commenting in javascript and then do a JSON.parse.
Making all cookies available this way looks like a bad idea from the side of secure domain though, as it will kill sensible things like HttpOnly cookies.

Related

Jmeter HttpRequest shows "browser is currently set to block cookies"

I am new to Jmeter. I tried to send an HTTP request but the HTTP response showed "cookie is blocked"
enter image description here
I tried to create the HTTP Cookie Manager and set the cookie policy as Compatibility but doesn't work.
and also tried to set CookieManager.save.cookies=true in JMeter.properties file, but both don't work.
Any suggestions would be appreciated.
If this is a very first request - no cookies are involved, most probably the application you're testing tries to set a cookie via JavaScript and not using Set-Cookie header
As per Apache JMeter project main page:
JMeter is not a browser, it works at protocol level. As far as web-services and remote services are concerned, JMeter looks like a browser (or rather, multiple browsers); however JMeter does not perform all the actions supported by browsers. In particular, JMeter does not execute the Javascript found in HTML pages. Nor does it render the HTML pages as a browser does (it's possible to view the response as HTML etc., but the timings are not included in any samples, and only one sample in one thread is ever displayed at a time).
So you need to inspect the page, you're opening using browser developer tools and if the cookies are being created/set by JavaScript - you will need to replicate the same logic using JSR223 Test Elements and Groovy language, check out Modifying Cookies in JMeter with Groovy article for more details.

How to access the true RAW request body from post man on a pre-request script?

I'm trying to authenticate myself against an API. This API uses the raw body from the request to create the hash that it will use to authenticate against my token.
For testing purposes, I'm using postman with a pre request script to create the hash. Everything works fine, with one exception:
In the code tab I have this
however if on the pre request script I dump the value of the request body I get by using request.data I obtain
The problem is, its not exactly the same string, then the value retrieved by request.data creates a hash with a different body that the server uses to create its hash (the server uses the one beautified with line endings and tabs). This is the script where I use the request body content:
So unless someone have an idea of how to retrieve the json body exactly on the format it was written, pretty much seems I cant use postman for this
thanks!
EDIT: I don't know if this existed 5 years ago when the original Question was posted, but it's available in PostMan 8.12.2 at least.
When you have a request open in Postman, show the "Code" pane at the right by clicking the </> button seen in the right-hand toolbar.
Then in the dropdown header for code type, choose "HTTP".
The line numbers in the HTTP snippet are significant -- in my screenshot, the last four displayed lines are concatenated into line 6 of the actual HTTP.
just changed the post body tab to
new post body
and it went just fine. Not really the best solution i was expecting, but does the job :)

How to open the default browser in background and get the source code of a web page?

I'm using Dev-C++ and i'm looking for a mode to open(...or better...i need to load a browser intance in the background) the default browser (Example I.E.) and send a request to get the source code of the page I requested.
Can I do something like this in C++?
Thank you!
P.S. I need this for Windows
You seem to have imagined the wrong solution for your problem. If you want to get the HTML source for a web page, you don't need to somehow do it through the browser. You need to do whatever the browser does to get it.
When you enter an address into a browser, the browser sends a HTTP GET request to the server that hosts the resource you're requesting (often a web page) and the server sends a HTTP response back containing the resource content (often HTML) back.
You want to do the same in your application. You need to send a HTTP request to the server and read the response. A popular library for doing this is libcurl.
If you don't have to send a POST request (i.e. just a simple web request or with parameters passed on the URL (GET), then you could just use URLDownloadToFile().
If you don't want to use callbacks etc. and just download the file, you can call it rather simple:
URLDownloadToFile(0, "http://myserver/myfile", "C:\\mytempfile", 0, 0);
There are also a few other functions provided that will automatically push the downloaded data to a stream rather than a file.
It can't be done in pure C++. You should use native Windows library or other (like Qt Framework) and use it's capabilities of getting and parsing website. In Qt, you'd use QtWebkit.
edit: also if you want only the source code of a page, you can do this without using browser or their engines, you can use Winsock.

api request returns json files and not html/xml browser content

I am sending get httpwebrequests to the facebook graph api and all was working fine till I deployed to production server and now module that expects html/xml response is not working and when tested url in internet explorer, the save file dialog pops up and the file needs to be saved.
Other modules also send requests to the facebook graph but just differ in the form of requests so not sure what is going on here.
Any ideas appreciated
Edit:
Let me try and rephrase this. On my production server the httpwebrequest was not returning the correct result. So to Test it I copied the url http://graph.facebook.com/pepsi which is an example, should return the profile info viewable in the browser. The server has internet explorer v8 and I am not sure why it tries to download the file instead of displaying it in the browser. this is what is happening in my code and when I make a request to a different part of the api, then it works in my app but not in the browser
Your question is not very clear. From what I gather, you want the display the JSON response in a browser. Instead, you are being asked to download a file by the browser.
Well, this is normal behaviour. The response you get from Facebook would most likely have a MIME type of application/json. Most newer web browsers display the text in the browser itself. Some browsers, however don't know how to handle this content type and just ask you to download the file.
You mentioned that your module expects an html/xml response. Try changing this to application/json.
You also said that it works in your app but not in your browser. I don't know what you're making, but generally you wouldn't show raw json to the user in a browser, right?

How to transfer Raphaeljs variable in a JSP page?

I'm in a position to get a value from JavaScript, which uses Raphaeljs and send it to a Servlet/JSP page for Display & DB related work. Kindly assist me for that.
You are going to have to do AJAX for this one. Be sure to load jQuery so is easy to do it.
Simply collect the var value and send it to the JSP using .get or .post. Then you can add your validation in the JSP for the value sent and do whatever you want with it.
Hope this helps!
Jorge C.
As far as i understand this is not Raphael related.
What you need to make sure is, that you understand the difference between client and server side. Javascript runs client side (given we're not talking about a server side application written with JS/nodejs) in the browser while JSPs are executed on the server
If you collect values via JS and want the server to process it then you you can either send it to the server with an AJAX request (which wont reload the page) or manipulate a form and submit it (which will be a GET or a POST request then and will reload the whole page).
On the server you can accept the values and process them and then render the response.
For Ajax request you could look at jQuery.