AWS ALB returns 411 after ELB classic switch over - http-post

I have a new ALB that has requests logging as 411 or "Length Required" that were previously 200 OK when the requests went to an old ELB classic. The requests are on a loop from the source in another VPC out of my control and haven't been changed. Access control and the security group rules are all identical. The following fields in the log are 411: elb_status_code, target_status_code and target_status_code_list. The POST body is empty, so the request is essentially acting like a GET in that the full set of parameters, key and id, are used inline like the example below.
https://hostname.example.com/api/method/getdata?key=1234&id=16
How can I convince the ALB that the POST request is valid?
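An HTTP 411 is the server's way of saying a request carried no declared message length: HTTP/1.1 frames a body with either a Content-Length or a Transfer-Encoding header, and a POST that sends neither is ambiguous, which a strict front end rejects even when the body is empty. The checker below is an added example (not the asker's traffic or anything from AWS): it parses a raw request head, reports whether that framing is missing, and shows a request serializer that always emits `Content-Length` (0 for an empty body). The sample request, host name and target are constructed from the question; that the ALB's 411 stems from exactly this missing header is the assumption to confirm against the source's raw request.

```python
"""Added example: detect missing HTTP/1.1 body framing (the condition behind a 411)."""
from typing import Dict, Optional, Tuple

# Methods that normally carry a body and therefore need a declared length.
BODY_METHODS = {"POST", "PUT", "PATCH"}


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (method, target, headers); header names are lowercased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def lacks_body_framing(raw: bytes) -> bool:
    """True when a body-carrying method declares neither Content-Length nor Transfer-Encoding."""
    method, _target, headers = parse_request_head(raw)
    if method.upper() not in BODY_METHODS:
        return False
    return "content-length" not in headers and "transfer-encoding" not in headers


def build_request(method: str, target: str, host: str, body: bytes = b"",
                  extra_headers: Optional[Dict[str, str]] = None) -> bytes:
    """Serialize a request that always declares Content-Length, even for an empty body."""
    headers = {"Host": host, "Content-Length": str(len(body))}
    headers.update(extra_headers or {})
    head = f"{method} {target} HTTP/1.1\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return head.encode("iso-8859-1") + b"\r\n" + body


# Constructed sample: the question's POST, parameters inline, empty body, no length header.
TARGET = "/api/method/getdata?key=1234&id=16"
HOST = "hostname.example.com"
UNFRAMED_POST = f"POST {TARGET} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode("iso-8859-1")

if __name__ == "__main__":
    print("original POST lacks framing:", lacks_body_framing(UNFRAMED_POST))
    fixed = build_request("POST", TARGET, HOST)
    print("rebuilt POST lacks framing:", lacks_body_framing(fixed))
    print(fixed.decode("iso-8859-1"))
```

Run it against a capture of the real request (for example from a packet trace on the source side) rather than the reconstructed one above; if `lacks_body_framing` is true there, the fix belongs in the client that emits the POST, not in the load balancer.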

Related

EWS Autodiscover endpoints

I need to get values for the X-AnchorMailbox and X-PublicFolderMailbox headers for public folder requests. I was using both of those articles, first and second, to retrieve values for the headers, but a problem happened during the autodiscover process.
To send the autodiscover request I use a derived endpoint, because I write my application in C++ and use only SOAP/POX requests to retrieve any data from EWS. If I understood correctly, this kind of endpoint should be derived from the user's e-mail address. So if the user has the address user@test.onmicrosoft.com, one of the endpoints should be https://test.onmicrosoft.com/autodiscover/autodiscover.xml (for POX). But this endpoint doesn't work at all.
Is there any way to get the correct endpoint, or other ways to retrieve values for the headers?
There are multiple endpoints (https and http redirect). Plus the endpoints from AD and DNS.
Start at Autodiscover for Exchange
In your particular case (redirect to a hosted M365 mailbox), you will most likely end up going through the unsecured (http://autodiscover.YourDomain.demo/autodiscover/autodiscover.xml) redirect (301, 302, 307, 308) to https://outlook.office365.com/autodiscover/autodiscover.xml
You can also see autodiscover steps if you try the connectivity analyzer at
https://testconnectivity.microsoft.com/tests/Ola/input
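The answer above lists the probe order a client is expected to walk rather than stopping at the first derived URL. As an added example (not the asker's C++ code and not from Microsoft), the Python below derives that ordered candidate list from an SMTP address, builds the Outlook 2006 POX request body, and applies the one safety rule that matters on the unauthenticated HTTP step: a redirect from it is followed only when it points at an https autodiscover.xml URL, so credentials never go to a plain-http target. The SCP lookup step is omitted because it needs Active Directory; the sample address and the `outlook.office365.com` redirect target come from the thread.

```python
"""Added example: ordered Autodiscover probes and a safe redirect check for the POX flow."""
from typing import List, Optional
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

REDIRECT_STATUSES = {301, 302, 307, 308}
AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def smtp_domain(email: str) -> str:
    """Return the lowercased domain part of an SMTP address; reject malformed input."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an SMTP address: {email!r}")
    return domain.lower()


def autodiscover_candidates(email: str) -> List[dict]:
    """Probes in the documented order. Only the https steps carry credentials;
    the http step is an unauthenticated GET whose sole purpose is to be redirected."""
    d = smtp_domain(email)
    return [
        {"step": "https-domain", "method": "POST",
         "url": f"https://{d}{AUTODISCOVER_PATH}", "credentials": True},
        {"step": "https-autodiscover", "method": "POST",
         "url": f"https://autodiscover.{d}{AUTODISCOVER_PATH}", "credentials": True},
        {"step": "http-redirect", "method": "GET",
         "url": f"http://autodiscover.{d}{AUTODISCOVER_PATH}", "credentials": False},
        {"step": "dns-srv", "method": "SRV",
         "url": f"_autodiscover._tcp.{d}", "credentials": False},
    ]


def safe_redirect_target(status: int, location: Optional[str]) -> Optional[str]:
    """Accept a redirect from the http probe only to an https autodiscover.xml URL."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    parts = urlsplit(location)
    if parts.scheme != "https" or not parts.netloc:
        return None
    if parts.path.lower() != AUTODISCOVER_PATH:
        return None
    return location


def pox_request(email: str) -> str:
    """Outlook 2006 POX request body (the published Exchange request/response schema URIs)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">'
        "<Request>"
        f"<EMailAddress>{escape(email)}</EMailAddress>"
        "<AcceptableResponseSchema>"
        "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
        "</AcceptableResponseSchema>"
        "</Request></Autodiscover>"
    )


if __name__ == "__main__":
    for probe in autodiscover_candidates("user@test.onmicrosoft.com"):
        print(f"{probe['step']:<20} {probe['method']:<5} {probe['url']}")
    print(safe_redirect_target(302, "https://outlook.office365.com/autodiscover/autodiscover.xml"))
```

A client built on this list POSTs `pox_request(email)` with the user's credentials to the https candidates, issues the http probe without credentials, and only then continues to whatever `safe_redirect_target` returns.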

How can I test using WAF to protect API Gateway RestAPI from SQL injection contained in request payload?

I've created a few resources in AWS in an attempt to create an MRE showcasing how the WAF can be used to prevent malicious requests from being sent to an API Gateway RestAPI.
I've created:
S3 Bucket
Kinesis Data Firehose
WAF Web ACL
API Gateway RestAPI
I've associated the RestAPI with the WAF ACL at the stage level. The WAF Web ACL has been configured to use an AWS managed rule:
AWS-AWSManagedRulesSQLiRuleSet
The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
Configured with defaults shown below
This is the only rule and all other defaults were chosen, as shown below.
I've created a serverless API POST resource endpoint and, despite having everything configured as described above, requests with a payload/body as shown below are not blocked by the WAF.
    {
        "MyString":"SELECT username, password FROM Users"
    }
Why aren't requests being blocked by the WAF? How can I configure it so that requests with SQL in the request payload are rejected at the WAF before being sent to the RestAPI?
I assumed that my SQL above would be enough. Is that not true? What SQL code can I use to validate the WAF and AWS Managed Rule is working as expected? What logic could explain why my request above is not being blocked?
I've also configured S3 logging, and here is an example of one of the records from the S3 log, showing that this request was allowed:
"timestamp": 1612921225458,
"formatVersion": 1,
"webaclId": "ABC",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "ABC:ABC:Prod",
"ruleGroupList": [{
"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
"terminatingRule": null,
"nonTerminatingMatchingRules": [],
"excludedRules": null
}
],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": null,
What assumption am I making that is incorrect here?
I would like an MRE that shows how the WAF rejects the request when the POST body contains malicious-looking SQL and also returns a 4xx response. I'm assuming this is achievable.
Update 1: I've tried to add my own rules and rule groups, using the rule builder and specifically looking at the request body. Even with these in place, it still does not reject.
I've added rules for Body, Query string and Path. Still, the request was not rejected.
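The log record in the question already answers part of "what logic could explain this": the managed group appears in `ruleGroupList` with `terminatingRule` null and an empty `nonTerminatingMatchingRules`, and the web ACL fell through to `Default_Action`. That is the signature of a rule group that inspected the request and matched nothing, which is different from a group that never ran or one whose match was overridden to Count. The triage script below is an added example (not the asker's setup and not an AWS tool): it reads WAF log lines and classifies each as blocked, count-only or no-match. The three sample records are constructed to mirror the question's field layout; the rule name `SQLi_BODY`, the `MANAGED_RULE_GROUP` type and the `httpRequest` fields are the ones the WAF log format uses, but every value here is invented.

```python
"""Added example: classify AWS WAF log records by what the rule groups actually did."""
import json
from typing import Dict, Iterable, List


def triage(record: Dict) -> Dict:
    """Summarize one WAF log record: final action, terminating rule, and every rule that matched."""
    matched: List[Dict] = []
    for group in record.get("ruleGroupList") or []:
        gid = group.get("ruleGroupId")
        term = group.get("terminatingRule")
        if term:
            matched.append({"group": gid, "rule": term.get("ruleId"), "action": term.get("action")})
        for rule in group.get("nonTerminatingMatchingRules") or []:
            matched.append({"group": gid, "rule": rule.get("ruleId"), "action": rule.get("action")})
    for rule in record.get("nonTerminatingMatchingRules") or []:  # web-ACL level Count rules
        matched.append({"group": None, "rule": rule.get("ruleId"), "action": rule.get("action")})

    action = record.get("action")
    if action == "BLOCK":
        verdict = "blocked"
    elif matched:
        verdict = "count-only"      # a rule fired but was overridden to Count, so the request passed
    elif record.get("ruleGroupList"):
        verdict = "no-match"        # the group inspected the request and no rule matched
    else:
        verdict = "not-evaluated"   # no rule group was applied at all
    return {
        "timestamp": record.get("timestamp"),
        "action": action,
        "terminating_rule": record.get("terminatingRuleId"),
        "matched": matched,
        "verdict": verdict,
    }


def triage_log(lines: Iterable[str]) -> List[Dict]:
    """Apply triage() to newline-delimited JSON, skipping blank lines."""
    return [triage(json.loads(line)) for line in lines if line.strip()]


def _group(term=None, counted=()):
    return [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": term,
             "nonTerminatingMatchingRules": list(counted), "excludedRules": None}]


# Constructed sample log: the question's record shape, then a block, then a Count-mode match.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1612921225458, "formatVersion": 1, "webaclId": "ABC",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW",
     "terminatingRuleMatchDetails": [], "httpSourceName": "APIGW", "httpSourceId": "ABC:ABC:Prod",
     "ruleGroupList": _group(), "rateBasedRuleList": [], "nonTerminatingMatchingRules": [],
     "httpRequest": {"httpMethod": "POST", "uri": "/items"}},
    {"timestamp": 1612921300000, "formatVersion": 1, "webaclId": "ABC",
     "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP",
     "action": "BLOCK", "terminatingRuleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "BODY"}],
     "httpSourceName": "APIGW", "httpSourceId": "ABC:ABC:Prod",
     "ruleGroupList": _group(term={"ruleId": "SQLi_BODY", "action": "BLOCK"}),
     "rateBasedRuleList": [], "nonTerminatingMatchingRules": [],
     "httpRequest": {"httpMethod": "POST", "uri": "/items"}},
    {"timestamp": 1612921400000, "formatVersion": 1, "webaclId": "ABC",
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR", "action": "ALLOW",
     "terminatingRuleMatchDetails": [], "httpSourceName": "APIGW", "httpSourceId": "ABC:ABC:Prod",
     "ruleGroupList": _group(counted=[{"ruleId": "SQLi_BODY", "action": "COUNT"}]),
     "rateBasedRuleList": [], "nonTerminatingMatchingRules": [],
     "httpRequest": {"httpMethod": "POST", "uri": "/items"}},
])

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG.splitlines()):
        rules = ", ".join(f"{m['rule']}:{m['action']}" for m in row["matched"]) or "-"
        print(f"{row['timestamp']}  {row['action']:<5}  {row['verdict']:<13}  {rules}")
```

Run it over the real S3 log objects: a stream of `no-match` rows for the test payload means the problem is what the rule set classifies as injection, not the association or the default action, while `count-only` rows point at a rule group override.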

Maintain State Between HTTP Requests to Keycloak in JMeter

So I am trying to automate a JMeter script that creates Keycloak users and then signs them in.
First, it GETs the login page and stores the code; here is an example request:
GET http://Keycloak.com:8001//auth/realms/REALM/protocol/openid-connect/auth?response_type=code&client_id=CLIENT&scope=openid%20profile%20email&nonce=N5b3a2da23c04a&response_mode=form_post&resource=RESOURCE&state=2SJwtlVZrswlGkw&redirect_uri=REDIRECTURI
However, when I then GET the registration page, the code changes and the tab_id also changes. How can I keep Keycloak from generating a new code token with every HTTP request in a thread?
In addition, why is each HTTP request with JMeter acting like a new session instead of the next request in a series?
EDIT:
I am using Regular Expression Extractors in order to track the code and execution variables, in addition to using an HTTP Cookie Manager and HTTP Cache Manager for the thread.
Looking at my POST request, both variables are the same as those from the previous HTTP request, and all of my cookies are being maintained, yet every time I try this automated login, I get a 400 error and the Keycloak event log displays an invalid_code error.
Edit:
As requested, here is a screenshot of all my sign-in requests.
Most probably your Regular Expression Extractor is not nested in the HTTP Request you are trying to extract data from.
If its scope is too wide, it applies to all HTTP Requests, so the first time it succeeds in extracting, but then for the next request that does not contain the token, the extractor runs and overwrites the old value with an empty one.
See scoping rules in JMeter:
https://jmeter.apache.org/usermanual/test_plan.html#scoping_rules
You need to maintain the correlation between hits. Please go through the blog below:
https://www.blazemeter.com/blog/how-to-handle-correlation-in-jmeter
According to Keycloak, you must use HTTPS if you are using keycloak.com:
Keycloak can run out of the box without SSL so long as you stick to private IP addresses like localhost, 127.0.0.1, 10.0.x.x, 192.168.x.x, and 172.16.x.x. If you don't have SSL/HTTPS configured on the server or you try to access Keycloak over HTTP from a non-private IP address you will get an error.
So you have 3 options: use private IP address, use a reverse proxy or load balancer to handle HTTPS or enable HTTPS for the Keycloak server.
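The scoping explanation in the first answer is easy to reproduce outside JMeter. The Python below is an added example (not JMeter code and not the asker's test plan): a toy Regular Expression Extractor that, like JMeter's, writes its default value into the variable whenever the pattern does not match, run once nested under the login sampler and once at thread level over the same two canned responses. The responses are constructed; the `session_code` form action mimics Keycloak's login form, and `default=None` models an extractor with a blank default and "Use empty default value" switched off, which leaves the variable untouched.

```python
"""Added example: how a too-widely scoped extractor blanks a correlation variable."""
import re
from typing import Dict, List, Optional, Sequence, Tuple


class RegexExtractor:
    """Toy Regular Expression Extractor: a non-match stores the default value,
    as JMeter does; default=None leaves the variable alone instead."""

    def __init__(self, var: str, pattern: str, default: Optional[str] = ""):
        self.var = var
        self.regex = re.compile(pattern)
        self.default = default

    def apply(self, body: str, variables: Dict[str, str]) -> None:
        match = self.regex.search(body)
        if match:
            variables[self.var] = match.group(1)
        elif self.default is not None:
            variables[self.var] = self.default


class Sampler:
    """A sampler with a canned response and the post-processors nested under it."""

    def __init__(self, name: str, response: str, extractors: Sequence[RegexExtractor] = ()):
        self.name, self.response, self.extractors = name, response, list(extractors)


def run_thread(samplers: Sequence[Sampler], thread_extractors: Sequence[RegexExtractor] = ()
               ) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Run samplers in order. Post-processors nested under a sampler apply to it only;
    thread-level ones apply to every sampler (JMeter's scoping rule)."""
    variables: Dict[str, str] = {}
    history: List[Tuple[str, Dict[str, str]]] = []
    for sampler in samplers:
        for extractor in list(sampler.extractors) + list(thread_extractors):
            extractor.apply(sampler.response, variables)
        history.append((sampler.name, dict(variables)))
    return variables, history


# Constructed responses: a Keycloak-style login form carrying session_code, then a page without one.
LOGIN_PAGE = ('<form id="kc-form-login" action="https://keycloak.example/auth/realms/REALM/'
              'login-actions/authenticate?session_code=abc123&amp;execution=e1&amp;tab_id=t1" method="post">')
STATIC_PAGE = "<html><body>theme resource, no form here</body></html>"
CODE_PATTERN = r'session_code=([^&"]+)'


def scoped_plan() -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Extractor nested under the login sampler only: the value survives later samplers."""
    samplers = [Sampler("GET login page", LOGIN_PAGE, [RegexExtractor("code", CODE_PATTERN)]),
                Sampler("GET resources", STATIC_PAGE)]
    return run_thread(samplers)


def wide_plan() -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Same extractor at thread level: it also runs on the second response and blanks the value."""
    samplers = [Sampler("GET login page", LOGIN_PAGE), Sampler("GET resources", STATIC_PAGE)]
    return run_thread(samplers, [RegexExtractor("code", CODE_PATTERN)])


if __name__ == "__main__":
    for label, plan in (("scoped", scoped_plan), ("thread-wide", wide_plan)):
        final, history = plan()
        print(label, "->", final, "| per sampler:", history)
```

The two histories differ only at the second sampler: the nested extractor never sees it, while the thread-level one matches nothing there and writes its empty default over the captured code, which is exactly the empty `code` that produces an `invalid_code` on the following POST.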

Restrict requests from a certain domain with parse.com

Is it possible to restrict requests on Parse.com to a certain domain (i.e. the hosting domain)?
The request in question is a cloud function.
Thanks!
You can get the IP address as part of the request object. You can apply a filter in Cloud Code to allow requests from certain IPs, and otherwise send a 401 Unauthorized HTTP code.

Intermittent Http Error 403 When Invoking Google Custom Search API

I'm getting the following error intermittently when invoking the custom search api from a server side setup:
HttpError 403 when requesting https://www.googleapis.com/customsearch/v1?q=John+Doe+john%40simpler.com&alt=json&cx=&key= returned "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.
I'm using a server API key, and have confirmed that the configured server IP address is correct. About 50% of the time my requests come back fine, too. I'm issuing the request from the server like this:
    from googleapiclient.discovery import build

    # api_key, search_query_string and the custom search engine id are defined elsewhere
    service = build("customsearch", "v1",
                    developerKey=api_key)
    custom_search_context = "<my_context>"  # the cx value of the custom search engine
    res = service.cse().list(
        q=search_query_string,
        cx=custom_search_context,
    ).execute()
My requests per second are well within the configured limit of 10/sec and the daily purchased limit of 5000 requests.
One more thing I noticed is that Google counts a forbidden request towards the daily limit, too.
Any pointers on why I'm being presented with the error only intermittently would be very helpful.
The error can be raised when you're exceeding a request/second limit. Can you confirm that your request rate is below your configured user rate limit? It might be worth noting that the limit is enforced even if you don't explicitly provide a user value in your requests.
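Two things follow from the answer: the client should pace itself below the per-second limit rather than trusting an average, and a 403 should be retried only when the error body says it is a rate-limit rejection, since a key/IP/referer restriction will not clear by waiting. The Python below is an added example (not the asker's code and not part of the Google API client library): a token-bucket pacer with an injectable clock plus a retry wrapper that inspects the error reason. The `ApiFailure` exception is a stand-in; with `googleapiclient`, the same fields are available as `HttpError.resp.status` and `HttpError.content`. The reason strings `rateLimitExceeded` and `userRateLimitExceeded` are the ones Google APIs use for pacing errors; everything else is treated as non-retryable.

```python
"""Added example: client-side pacing and reason-aware retry for a quota-limited API call."""
import json
import random
import time
from typing import Any, Callable, Optional

# Error-body reasons that mean "slow down"; anything else is not worth retrying blindly.
RETRYABLE_REASONS = {"rateLimitExceeded", "userRateLimitExceeded"}


class ApiFailure(Exception):
    """Stand-in for an API error carrying the HTTP status and the raw JSON body."""

    def __init__(self, status: int, content: bytes):
        super().__init__(f"HTTP {status}")
        self.status = status
        self.content = content


def error_reason(content: bytes) -> Optional[str]:
    """First error reason in a Google-style error body, or None if it cannot be parsed."""
    try:
        return json.loads(content)["error"]["errors"][0]["reason"]
    except (ValueError, KeyError, IndexError, TypeError):
        return None


def is_retryable(status: int, content: bytes) -> bool:
    return status in (403, 429) and error_reason(content) in RETRYABLE_REASONS


class Pacer:
    """Token bucket: a sustained `rate` calls per second with bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = float(capacity)
        self.last = clock()

    def wait_time(self) -> float:
        """Reserve one call and return how long the caller must sleep before making it."""
        now = self.clock()
        self.tokens = min(float(self.capacity), self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= 1.0          # may go negative: that is the reservation
        if self.tokens >= 0.0:
            return 0.0
        return -self.tokens / self.rate


def call_with_retry(fn: Callable[[], Any], pacer: Pacer, attempts: int = 4,
                    sleep: Callable[[float], None] = time.sleep, base_delay: float = 0.5) -> Any:
    """Pace every attempt, retry only pacing errors, and back off exponentially with jitter."""
    for attempt in range(attempts):
        delay = pacer.wait_time()
        if delay > 0:
            sleep(delay)
        try:
            return fn()
        except ApiFailure as err:
            if not is_retryable(err.status, err.content) or attempt == attempts - 1:
                raise
            sleep(base_delay * (2 ** attempt) + random.uniform(0, 0.1))
    raise RuntimeError("unreachable")


if __name__ == "__main__":
    # Constructed stand-in for service.cse().list(...).execute(): fails twice with a pacing 403.
    state = {"calls": 0}

    def fake_search():
        state["calls"] += 1
        if state["calls"] < 3:
            raise ApiFailure(403, b'{"error":{"errors":[{"reason":"rateLimitExceeded"}]}}')
        return {"items": []}

    print(call_with_retry(fake_search, Pacer(rate=10, capacity=5)), "after", state["calls"], "calls")
```

In the real client, wrap `service.cse().list(...).execute` in a small function that catches `HttpError` and re-raises it as `ApiFailure(err.resp.status, err.content)`, and share one `Pacer` across every thread or worker that uses the same key, because the per-user limit is counted server-side for the key as a whole.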
