I've recently started to work on Jmeter and my script is failing with 403 error code. I'm using Blazemeter recorded script so Cookie manager is added by default. Also, if I just execute the request on browser it works just fine.
Sampler Result -
hread Name: Thread Group 1-1
Sample Start: 2018-12-03 14:49:03 AEDT
Load time: 15
Connect Time: 0
Latency: 14
Size in bytes: 1069
Sent bytes:744
Headers size in bytes: 259
Body size in bytes: 810
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 403
Response message: Forbidden
HTTPSampleResult fields:
ContentType: text/html
DataEncoding: nu
Request Body
GET https://www.tESTwEBSITEtOBEeNETERED.com.au/enable-cookies
GET data:
Cookie Data:
frontend=678e630f5a6f37fc997a718be54f75ba;
frontend_cid=Ze0Sr0REGmigveWw;
CUSTOMER_SEGMENT_IDS=deleted;
CUSTOMER=deleted;
CUSTOMER_INFO=deleted;
CUSTOMER_AUTH=deleted;
CUSTOMER_RATES=deleted;
CACHED_FRONT_FORM_KEY=AxoMsaUGdvGAQ1N1;
visid_incap_39856=opEg/ZzKQuCez9glT1rT55OnBFwAAAAAQUIPAAAAAADml4Q7vfuGxMnzp+hJTfV1;
incap_ses_435_39856=JxltQBT4wVV0t25WbG8JBpOnBFwAAAAA4SHNX9lfr1ZfxCbkdlxKyg==;
___utmvmiluoDOB=a;
___utmvailuoDOB=a;
___utmvbiluoDOB=a
Response data
<html style="height:100%">
<head>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<meta name="format-detection" content="telephone=no">
<meta name="viewport" content="initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<script type="text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3"></script>
</head>
<body style="margin:0px;height:100%">
<iframe src="/_Incapsula_Resource?CWUDNSAI=20&xinfo=1-40768151-0%200NNN%20RT%281543808943058%20210%29%20q%280%20-1%20-1%20-1%29%20r%280%20-1%29%20B16%20U5&incident_id=435001350115211124-218735417329125489&edet=16&cinfo=ffffffff" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 435001350115211124-218735417329125489</iframe>
</body>
</html>
If the same request works in browser and doesn't work in JMeter there must be a mismatch in the request headers or parameters.
Modern web applications widely use dynamic request parameters mostly for security reasons, if you haven't performed any correlation - most probably your test scenario fails at login step which have HTTP Status 200 therefore JMeter considers it successful. Inspect the responses of previous samplers using View Results Tree listener to ensure that your test does what it is supposed to be doing and each page matches the expected outcome.
Related
I am trying to set up Laravel Sanctum out of the box. I have barely changed a thing from the fresh install.
What I have done:
-Created a user and generated a token for them:
$token = Auth::user()->createToken('TestToken');
This works the token show up in the data base as expected.
-Added routes to my api.php
Route::get('testAPI', function () {
return 'API CONNECTED';
});
Route::middleware('auth:sanctum')->get('/testAuth', function () {
return 'AUTHENTICATED';
});
Using postman the testAPI route works.
However the calling the testAuth route returns what appears to be a blank Laravel view:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title inertia>Laravel</title>
...blah blah....
Note: the page return is NOT the Laravel error page:
<!doctype html>
<html class="theme-light">
<!--
ParseError: syntax error, unexpected 'Route'
...blah blah for reference...
The page returned remains unchanged regardless of adding the bearer token to the header.
What am I missing, any help appreciated :)
UPDATE: as per #ceejayoz comment I have added Accept: application/json to my headers. Now I am receiving a reponse of:
{
"message": "Unauthenticated."
}
Additionally, I have tried adding Referer: 127.0.0.1:8000,this still results in Unauthenticated
For the authentication header in postman, please follow this screenshot.
And If need more information about how to setup laravel sanctum, please follow https://laravel.com/docs/9.x/sanctum laravel docs. There can be nothing better than Laravel docs for setting up Laravel sanctum
I am making a SOAP call with using a Ruby On Rails gem Savon and when making a request, I get this error message:
Bad Request - Invalid Header
HTTP Error 400. The request has an invalid header name.
It sounds pretty descriptive, but I am still not able to figure out the problem. I also found a few topics here on SO, but none of them has unfortunately helped me.
Here's how I do make the connection:
client = Savon.client(endpoint: wsdl_url,
namespace: '',
env_namespace: :s,
basic_auth: ["username", "password"],
ssl_verify_mode: :none,
log: true,
logger: Rails.logger,
pretty_print_xml: true)
#response = client.call('MyAction',
soap_action: 'url address',
xml: xml_payload,
headers: {
'Content-Type': 'application/soap+xml; charset=utf-8',
})
And here's the generated error from the (terminal) console:
SOAP response (status 400)
<?xml version="1.0"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"/>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</hr></BODY>
</HEAD>
</HTML>
If I change the header config from this:
#response = client.call('MyAction',
soap_action: 'url address',
xml: xml_payload,
headers: {
'Content-Type': 'application/soap+xml; charset=utf-8',
})
to this:
#response = client.call('MyAction',
soap_action: 'url address',
xml: xml_payload)
The error message says a lot less:
Savon::HTTPError - HTTP error (400):
So the header makes it a bit more descriptive. If I look at the headers generated by Savon, it looks like this:
SOAP request: https://URL_ENDPOINT
Content-Type: application/soap+xml; charset=utf-8, SOAPAction: "http://URL_ENDPOINT/MyAction", Content-Type: text/xml;charset=UTF-8, Content-Length: 2935
What headers are wrong? How do I debug/inspect it here?
I also tried to investigate this issue in Postman and got only this error message:
400 Bad Request - The request cannot be fulfilled due to bad syntax.
I also tried to validate the generated XML data I send to the server - and that's valid (verified on different validators).
How do I solve this problem?
Thank you
I am currently using laravel 5.8 and pusher 3.0.3 and I am new to these new tech. I have created a simple chatroom but failed to listen to presence channel using pusher. I previously tried Echo but I can't find a way to debug it.
Here is pusher:subscription_error from the console:
Pusher: JSON returned from webapp was invalid, yet status code was 200. Data was: <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
I have already added this line to my BroadcastServiceProvider.php
Broadcast::routes(['middleware' => ['auth:api']]);
require base_path('routes/channels.php');
I have already receive events from pusher debugger with public channel so I think I have set my credentials correctly.
This is the buttom part of my bootstrap.js.
const CSRF_TOKEN = $('meta[name="csrf-token"]').attr('content');
var pusher = new Pusher('61540f91921896045e25', {
cluster: "ap1",
forceTLS: true,
//authEndpoint: 'authchatuser'
authEndpoint: '/broadcasting/auth',
auth: {
headers: {
'X-CSRF-Token': CSRF_TOKEN
}
}
});
var channel = pusher.subscribe('presence-chatroom');
//var channel = pusher.subscribe('chatroom');
channel.bind('MessagePosted', function(data) {
console.loga(data);
});
channel.bind('pusher:subscription_error', function(data) {
console.log("Pusher: " + data);
});
From the network tab, I couldn't see request to my pusher authEndpoint broadcasting/auth, but instead I see GET request to my homepage which responded with 200 which I think is the reason why I receive html instead of json.
Please help me with this or do you have idea to bypass the endpoint and send json data for authentication (correct data expected by pusher) instead from my web.php? Thank you.
You should not need to bypass the endpoint, but instead you should amend your endpoint to return the correct data.
Your authentication endpoint should return a JSON body along with a HTTP code. The documentation states:
Successful responses from an authentication endpoint should carry a
200 OK HTTP status and a body of the form
{ "auth": $AUTHORIZATION_STRING }
This aligns with the error you are receiving which indicates that JSON is expected but HTML is received.
We're using invisible reCaptcha and, once in a while, Google's Javascript code makes a request to Google's servers receiving a response status 410, instead of 200.
We don't have control over it as the request is being made by Google's reCaptcha Javascript code.
If the challenge has been presented to the user, the following is an example of what the failing request looks like:
GET https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYB...
And the response is:
HTTP/1.1 410 Gone
<HTML>
<HEAD>
<TITLE>Gone</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Gone</H1>
<H2>Error 410</H2>
</BODY>
</HTML>
It fails about 10% of the time. Below is a "history" of HTTP requests:
Request #1
POST https://www.google.com/recaptcha/api2/reload?k=6LcqZCEU...
v:r20170515161201
reason:fi
bcr:[1943341955,-150...
...
HTTP/1.1 200 OK
content-type: application/json
...
)]}'
["rresp","03AOPBWq_EYBOYkGkn-1S...",null,600,["pmeta",null,null,null,
null,[[["TileSelectionStreetSign",null,3,4,4,null,null,[]
]
,["dress",null,3,4,4,null,null,[]
]
]
,[]
]
]
,"multicaptcha",null,
["bgdata","Ly93d3cuWk5rOHFMZDlvNDZFa..."]
]
The above response looks like invalid JSON but is expected as detailed here
Request #2
GET https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYBOYk...
...
HTTP/1.1 200 OK
content-type: image/jpeg
content-length: 50528
...
<JPEG>
Request #3
POST https://www.google.com/recaptcha/api2/replaceimage?k=6LcqZCEUAA...
v:r20170515161201
c:03AOPBWq_EYBOYkGkn-1SplFL...
ds:[[5,6,9,10,13,14]]
HTTP/1.1 200 OK
content-type: application/json
...
)]}'
["dresp","03AOPBWq-Iyck5GCpx86hk57XSxF-9b4GMaDeujP...",[]
,null,[]
]
Request #4 (the failing one)
GET https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYBOYk...
...
HTTP/1.1 410 Gone
content-type: text/html
...
<HTML>
<HEAD>
<TITLE>Gone</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Gone</H1>
<H2>Error 410</H2>
</BODY>
</HTML>
This is basically because the session has expired. When ever you receive an error 410 (i.e. not successful and you still wish to upload the file), you must start a new session. Please have a look at the below link for details :
https://www.rfc-editor.org/rfc/rfc7231#section-6.5.9
Your call is GET. You need POST
Ref: https://www.google.com/recaptcha/api2/payload?c=03AOPBWq_EYB..
There seems to be a problem if you use the SDK login function to login while the user is connected to another network. All the API calls fail and there seems to be no way to get back to the home network to authenticate.
Here is the code required to test this problem:
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Yammer Login</title>
<script type="text/javascript" data-app-id="{INSERT APP ID}" src="https://c64.assets-yammer.com/assets/platform_js_sdk.js"></script>
</head>
<body>
<div id="Envelope">
<div><span id="yammer-login"></span></div>
<div><input type="button" onclick="getUserInfo()" value="Get User Info"></div>
<script>
yam.connect.loginButton('#yammer-login',
function (resp) {
console.log(resp);
});
function getUserInfo() {
yam.platform.request({
url: 'users/current.json',
method: "GET",
success: function (r) { console.log("GOT RESPONSE"); console.log(r); },
error: function (r) { console.log(r.statusText) }
});
}
</script>
</div>
</body>
</html>
If the user is logged into their home network the login code works and you can press the button to get the users information (note javascript origins are correctly configured).
You you go into the yammer interface and select another network it not longer works.
Here is what the console output looks like:
GET https://www.yammer.com/platform/login_status.json?
client_id={Client ID} 403 (Forbidden)
platform_js_sdk.js:26 XHR finished loading: GET "https://www.yammer.com/platform/login_status.json?client_id={ClientID}".
test.php:18 Object {access_token: Object, success: true, status: "connected", authResponse: true}
api.yammer.com/api/v1/users/current.json:1 GET https://api.yammer.com/api/v1/users/current.json
test.php:1 XMLHttpRequest cannot load https://api.yammer.com/api/v1/users/current.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://webserver.com' is therefore not allowed access. The response had HTTP status code 401.
test.php:26 error
api.yammer.com/api/v1/users/current.json:1 GET https://api.yammer.com/api/v1/users/current.json
test.php:1 XMLHttpRequest cannot load https://api.yammer.com/api/v1/users/current.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://webserver.com' is therefore not allowed access. The response had HTTP status code 401.
test.php:26 error
It appears that the login token that is being uses belongs to the other network and therefore access is restricted.
Based on Yammer REST API: How to get access tokens for external networks?
you need to apply to deploy to the Global App Directory. Specify by e-mail to the Biz Dev rep that your app requires Global Access (even without being published in the App Directory). This resolves the issue.
see slide 5 of http://about.yammer.com/assets/yammer-apps-next-steps.ppt