How to handle Strict Transport Security (HSTS) using JMeter - jmeter

I'm trying to record traffic off a website which uses HTTP Strict Transport Security (HSTS). As a result it is not possible to add an exception for the certificate. This means I cannot record a session.
Does anyone know how I can handle this?

Websites using HSTS won't allow you to add an exception for a server. What you can do is tweak your browser to allow/bypass the HSTS policy. Here's what you can do in the case of Firefox:
Type about:support in your browser to open the Troubleshooting Information page. (Alternatively, select 'Troubleshooting Information' from the Help menu.)
Navigate to the 'Profile Folder' row in the table shown on the page, and click the 'Open Folder' button.
This will open a new explorer window for the Firefox profile directory. Keeping this explorer window open, close/quit Firefox.
Open the file SiteSecurityServiceState.txt and delete any rows containing the server name you need to access. Save this file.
After this, when you launch Firefox, it will ignore the HSTS restriction.
Source: Mozilla Support
An alternative solution is to use the JMeter Chrome plugin, BlazeMeter.
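As an added example (not from the answer above or from Mozilla), a small Python script that performs the "delete the rows for your server" step programmatically: it filters the HSTS entries for one host and its subdomains out of SiteSecurityServiceState.txt, keeping every other site's learned policy. The tab-separated line format and the sample rows are assumptions constructed for this example.

```python
from pathlib import Path

# Constructed sample of Firefox's SiteSecurityServiceState.txt. Assumed line format
# (tab-separated): "<host>:HSTS<TAB><score><TAB><last-access-day><TAB><expiry>,<state>,<includeSubdomains>"
SAMPLE_STATE = (
    "example.com:HSTS\t0\t17500\t1590000000000,1,0\n"
    "api.example.com:HSTS\t3\t17510\t1590000000000,1,1\n"
    "other.test:HSTS\t1\t17490\t1590000000000,1,0\n"
)

def hsts_host(line):
    """Return the host of an HSTS entry line, or None for any other line."""
    key = line.split("\t", 1)[0].rstrip("\n")
    return key[:-len(":HSTS")] if key.endswith(":HSTS") else None

def drop_hsts_entries(text, host):
    """Remove the HSTS entries for `host` and its subdomains.

    Returns (filtered_text, removed_hosts). Every other line is kept unchanged,
    so unrelated sites keep the HSTS policy the browser has learned for them.
    """
    host = host.lower().rstrip(".")
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        h = hsts_host(line)
        if h is not None and (h == host or h.endswith("." + host)):
            removed.append(h)
        else:
            kept.append(line)
    return "".join(kept), removed

def rewrite_state_file(profile_dir, host):
    """Filter SiteSecurityServiceState.txt in the given profile directory in place.

    Firefox must be closed while this runs, or it will overwrite the file on exit.
    A .bak copy of the original is written first. Returns the removed hosts.
    """
    path = Path(profile_dir) / "SiteSecurityServiceState.txt"
    original = path.read_text(encoding="utf-8")
    path.with_suffix(".txt.bak").write_text(original, encoding="utf-8")
    filtered, removed = drop_hsts_entries(original, host)
    path.write_text(filtered, encoding="utf-8")
    return removed
```

Firefox re-learns the policy the next time it receives a Strict-Transport-Security header from the real site, so the file has to be cleared again before each recording session. Domains on Firefox's built-in HSTS preload list are not stored in this file at all, so this procedure does not apply to them.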

You have the option of using HAR to JMeter:
https://blog.flood.io/convert-har-files-to-jmeter-test-plans/
But showing your error might help.

Related

Add support for Contextual Identities in Firefox AddOn - Request from background in same cookieStoreId

I'm trying to add support for Contextual Identities in a Firefox add-on.
In my background page I'm doing XMLHttpRequest calls. These are not using the cookieStoreId of the current tab.
Is there a way to set the contextual identity and/or cookieStoreId of the browser to that of the calling tab?
Got to a solution via this thread:
https://discourse.mozilla.org/t/specify-context-container-ajax-or-fetch/29697/4
Thanks #mstanke

Firefox Add-on SDK open html file in https mode for gUM

I am creating a Firefox screenshot plugin for which I need to open an HTML page rendering screen share in https ()
Locally, using the Add-on SDK, the URL of the opened HTML file is: resource://jid1-q3wuqdulcvnnrq-at-jetpack/toolbar_button/data/index.html
Now, on this link I get an error:
In about:config, please enable media.getusermedia.screensharing.enabled
and add this site's domain name to media.getusermedia.screensharing.allowed_domains in about:config
Is there some way to set tab.open(){} such that it is rendered in secure mode?
Ref.: This page
Clicking the Window button on the above link redirects the page to https mode for screen sharing.
Also, in about:config => media.getusermedia.screensharing.allowed_domains => the resource file domain needs to be allowed.
Can someone please guide me on enabling getUserMedia in Firefox?

Custom Web Browser - To Load only my URL - Firefox

I need a portable web browser, or any installable (Windows) browser, which will only load my URL.
Something like: I will have my shortcut on the desktop, and when the user clicks it, the web browser loads with my URL.
Is it possible to modify portable Firefox to do this? I also need cookies to work along with it; that's the reason I need to find a custom web browser.
I just found a partial solution using the
Mozilla Client Customization Kit; we can create an extension which allows customizing Firefox, up to certain limitations.
https://addons.mozilla.org/en-US/firefox/addon/cck/

How to avoid "show all content" msg on HTTPS site in IE9?

We have an HTTPS site that brings up a page from a different site of ours that's HTTP.
In IE (9), we get the message at the bottom of the page:
"Only secure content is displayed. What's the risk? [Show all content]".
When the button is clicked, it closes the lightbox-ish control that's open and returns to the page it was overlaid on.
Does anyone know how to avoid this?
In the HTTP site's page, one guy here had the idea to add, at the end of On_Load, the following to turn off cross-site scripting protection:
this.Response.Headers.Add("X-XSS-Protection", "0");
Both sites are C# / ASP.NET 4.0.
Thanks in advance!
Add the URL to your trusted sites; it's the only way if you don't send all data through HTTPS.
Internet Options -> Security -> Trusted Sites -> Sites.
If this is something that needs to be company-wide, I would recommend pushing out the rule via a group policy.
Alternatively, allow access to the control using HTTPS on the other site (if you can) and reference that; the warning will disappear.
The real setting to enable here is "Display mixed content" for the zone of the site you want. If the site is on your intranet, you select the Intranet zone in the Security settings, then Custom level. If it's an Internet site, you go there and go to Custom level.
There, you should see the "Display mixed content" setting; simply select "Enable", then "OK" your way out of the dialogs.
Reference: https://www.mydigitallife.net/how-to-disable-only-secure-content-is-displayed-in-ie-always-show-all-mixed-content/

Easy way to determine what content is not delivered using a secure HTTPS connection?

I have some pages that are sent via HTTPS. Internet Explorer sometimes complains about "This webpage contains content that will not be delivered using a secure HTTPS".
I looked in the HTML source to confirm all content calls (href, src, etc.) are sent via HTTPS. My CSS files use relative paths. But I'm still getting these warnings.
Is there an easy way to track down which items are not sent via HTTPS?
You could fire up Fiddler to see exactly what IE is requesting over regular HTTP.
In Fiddler's default configuration, HTTPS requests will show up with a lock icon and CONNECT as the host. HTTP requests will have a non-lock icon.
I usually use Firefox + Firebug (the "Net" tab) to find the offending request. You could also use Fiddler for this (with any browser).
I've used the following site before; I find it easier than loading up Firebug / Fiddler.
http://www.whynopadlock.com/
You can use SslCheck.
It's a free online tool that crawls a website recursively (following all internal links) and scans for insecure content: images, scripts and CSS.
(Disclaimer: I'm one of the developers.)
In Google Chrome, similar to Firefox with Firebug, you can use the 'Network' tab of the Developer Tools console.
Open the Developer Tools console, go to the 'Network' tab, and reload the target page. Any warnings for the page, such as insecure content being loaded, will be indicated with the number of warnings and an 'alert' icon in the bottom right corner (Chrome v23.x). Click on the icon and a list of the warnings, in this case the resources being loaded insecurely, will be displayed.
Using the following tools could help:
Firefox's Firebug: opening the Network tab shows you connection details for multiple resources.
Fiddler: acts as a sniffer and allows you to explore the details of each connection.
Using Firefox: view generated source vs. viewing source.
There is probably a JavaScript file that is creating a div/iframe that is insecure.
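As an added example, not from any of the answers above, a small Python scanner for the question's static case: it walks an HTML document and reports embedded resources (images, scripts, stylesheets, frames, inline CSS url() values) that are referenced over plain http://, which is what triggers the browser's mixed-content warning on an HTTPS page. The sample page and the list of fetched attributes are constructed for this example.

```python
from html.parser import HTMLParser
import re
# Constructed sample page: served over HTTPS, but embedding a few resources over plain HTTP.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<style>body { background: url(http://cdn.example.test/bg.png); }</style>
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://cdn.example.test/logo.png">
<iframe src="//partner.example.test/widget"></iframe>
<a href="http://www.example.test/page">link</a>
</body></html>"""
# Attributes the browser fetches while rendering. <a href> is deliberately absent:
# a plain link is navigation, not embedded content, and does not trigger the warning.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "embed": ("src",), "source": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "form": ("action",),
}
# Absolute http:// URLs inside CSS url(...) values in inline <style> blocks.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")]+)", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    """Collect (tag, url) pairs for embedded resources referenced over plain http://."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            # Relative and protocol-relative (//host/...) URLs inherit https and are fine.
            if value and name in FETCH_ATTRS.get(tag, ()) and value.lower().startswith("http://"):
                self.findings.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.findings.extend(("style", url) for url in CSS_URL.findall(data))

def find_mixed_content(html):
    """Return the (tag, url) findings for one HTML document, in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

A static scan only sees what is in the served markup; as the last answer notes, a div/iframe injected by script at runtime shows up only in the browser's Network tab or in Fiddler.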
