View cfhttp request - coldfusion

I would like to view the actual http request that gets sent via my cfhttp tag. What is the best tool to capture this?
Specially, I want to see exactly what headers and content are being sent.

To expand on what Edward has said and to answer your question about how you can view a request on ColdFusion;
Create a page that simply dumps everything out from GetHttpRequestData().
Have a look at the livedocs on getHttpRequestData() for more information.

Use Charles http proxy. Add the proyport and proxyhost attribute that points to your running instance of Charles. Caveat is that your machine will need to be reachable, and the port open for the server to reach.

I'd use sniffer if other side is also CF/Java based server http://kb2.adobe.com/cps/193/tn_19352.html

Related

Block part of a request using WAF or ModSecurity

Is it possible to block just part of a request using ModSecurity, Azure WAF or similar? For example could you block a cookie because it contains invalid characters while allowing the rest through
I'm trying to trace an issue where sometimes a cookie is lost
ModSecurity or the web server could possibly be used to drop cookies, the easiest way to troubleshoot will be to use an application proxy like BurpSuite and see what's going on with the cookie, often the browser is the one taking the decision to use or not the cookie.

Understanding CORS

I've been looking on the web regarding CORS, and I wanted to confirm if whatever I made of it is, what it actually is.
Mentioned below is a totally fictional scenario.
I'll take an example of a normal website. Say my html page has a form that takes a text field name. On submitting it, it sends the form data to myPage.php. Now, what happens internally is that, the server sends the request to www.mydomain.com/mydirectory/myPage.php along with the text fields. Now, the server sees that the request was fired off from the same domain/port/protocol
(Question 1. How does server know about all these details. Where does it extract all these details froms?)
Nonetheless, since the request is originated from same domain, it server the php script and returns whatever is required off it.
Now, for the sake of argument, let's say I don't want to manually fill the data in text field, but instead I want to do it programmatically. What I do is, I create a html page with javascript and fire off a POST request along with the parameters (i.e. values of textField). Now since my request is not from any domain as such, the server disregards the service to my request. and I get cross domain error?
Similarly, I could have written a Java program also, that makes use of HTTPClient/Post request and do the same thing.
Question 2 : Is this what the problem is?
Now, what CORS provide us is, that the server will say that 'anyone can access myPage.php'.
From enable cors.org it says that
For simple CORS requests, the server only needs to add the following header to its response:
Access-Control-Allow-Origin: *
Now, what exactly is the client going to do with this header. As in, the client anyway wanted to make call to the resources on server right? It should be upto server to just configure itself with whether it wants to accept or not, and act accordingly.
Question 3 : What's the use of sending a header back to client (who has already made a request to the server)?
And finally, what I don't get is that, say I am building some RESTful services for my android app. Now, say I have one POST service www.mydomain.com/rest/services/myPost. I've got my Tomcat server hosting these services on my local machine.
In my android app, I just call this service, and get the result back (if any). Where exactly did I use CORS in this case. Does this fall under a different category of server calls? If yes, then how exactly.
Furthermore, I checked Enable Cors for Tomcat and it says that I can add a filter in my web.xml of my dynamic web project, and then it will start accepting it.
Question 4 : Is that what is enabling the calls from my android device to my webservices?
Thanks
First of all, the cross domain check is performed by the browser, not the server. When the JavaScript makes an XmlHttpRequest to a server other than its origin, if the browser supports CORS it will initialize a CORS process. Or else, the request will result in an error (unless user has deliberately reduced browser security)
When the server encounters Origin HTTP header, server will decide if it is in the list of allowed domains. If it is not in the list, the request will fail (i.e. server will send an error response).
For number 3 and 4, I think you should ask separate questions. Otherwise this question will become too broad. And I think it will quickly get close if you do not remove it.
For an explanation of CORS, please see this answer from programmers: https://softwareengineering.stackexchange.com/a/253043/139479
NOTE: CORS is more of a convention. It does not guarantee security. You can write a malicious browser that disregards the same domain policy. And it will execute JavaScript fetched from any site. You can also create HTTP headers with arbitrary Origin headers, and get information from any third party server that implements CORS. CORS only works if you trust your browser.
For question 3, you need to understand the relationship between the two sites and the client's browser. As Krumia alluded to in their answer, it's more of a convention between the three participants in the request.
I recently posted an article which goes into a bit more detail about how CORS handshakes are designed to work.
Well I am not a security expert but I hope, I can answer this question in one line.
If CORS is enabled then server will just ask browser if you are calling the request from [xyz.com]? If browser say yes it will show the result and if browser says no it is from [abc.com] it will throw error.
So CORS is dependent on browser. And that's why browsers send a preflight request before actual request.
In my case I just added
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
to my WebSecurityConfiguration file issue is resolved

How do I get the source URL of the data being recv'd through a socket?

I thought about keeping track of redirects because they would have the next URL in the header until I get a HTTP200 ok, then I would have the FQDN of the source of the 200.
But I don't think that is how a browser does it, my proxy can do a hard redirect of the browser request, but the browser displays the correct URL of the redirected data without having received any HTTP301's.
I want to know what the browser does to get the source of its data and then do that in winsock. Anyone?
Whatever the browser does, it win't retrieve the information from the winsock layer: the sockets only travel in IP addresses and ports. I don't really know much about winsock (I'm UNIX guy) but it seems to sufficiently similar to UNIX socket layer to be quite sure that any transport level information is coming from a higher level abstraction. If you look at the [OSI model]{http://en.m.wikipedia.org/wiki/OSI_model} you see that winsocks is addressing level 5 while the thing you are looking for are level 7. The API typically stay within thecorresponding level. This view seems to be backed up by the [winsock FAQ]{http://tangentsoft.net/wskfaq/intermediate.html#appproto}.
Not all HTTP redirects result in a URL change. A 301 redirect certainly does, but other 3xx redirects do not. If a browser receives a redirect other than 301, it may decide whether to continue displaying the original URL or to display the new redirected URL.
There are ways to redirect without a 301. There's also 302. There's the element
<meta http-equiv="refresh" content="0; url=http://foo.com/">
Finally, there's JavaScript:
<html><head><script language="javascript">
window.location.href = "http://www.bar.com";
</script></head><body></body></html>
The Winsock solution to my question is to use the getpeername() function after connect()'ing to a remote connection. That should return IP:Port info from which I can get the hostname at least.

Connecting a desktop application with a website

I made an application using Qt/C++ that reads some values every 5-7 seconds and sends them to a website.
My approach is very simple. I am just reading the values i want to send and then i make an HTTP POST to the website. I also send the username and password to the website.
The problem is that i cannot find out if the request is successful. I mean that if i send the request and server gets it, i will get an HTTP:200 always. For example if the password is not correct, there is no way to know it. It is the way HTTP works.
Now i think i will need some kind of a protocol to take care the communication between the application and the website.
The question is what protocol to use?
If the action performed completes before the response header is sent you have the option of adding a custom status to it. If your website is built on PHP you can call header() to add the custom status of the operation.
header('XAppRequest-Status: complete');
if you can modify the server side script you could do the following
on one end :
You can make the HTTP post request via ajax
and evaluate the result of the ajax request.
On the serve side
On the HTTP request you do your process and if everything goes accordingly you can send data back to the ajax script that called it.
solves your problem .. ?

How to transfer Raphaeljs variable in a JSP page?

I'm in a position to get a value from JavaScript, which uses Raphaeljs and send it to a Servlet/JSP page for Display & DB related work. Kindly assist me for that.
You are going to have to do AJAX for this one. Be sure to load jQuery so is easy to do it.
Simply collect the var value and send it to the JSP using .get or .post. Then you can add your validation in the JSP for the value sent and do whatever you want with it.
Hope this helps!
Jorge C.
As far as i understand this is not Raphael related.
What you need to make sure is, that you understand the difference between client and server side. Javascript runs client side (given we're not talking about a server side application written with JS/nodejs) in the browser while JSPs are executed on the server
If you collect values via JS and want the server to process it then you you can either send it to the server with an AJAX request (which wont reload the page) or manipulate a form and submit it (which will be a GET or a POST request then and will reload the whole page).
On the server you can accept the values and process them and then render the response.
For Ajax request you could look at jQuery.