I have a problem I'm running an Apache Traffic Server but the problem is that amount and all well but to run a headline like this
GET /index/Page?aspxerrorpath=/aspa.aspx HTTP/1.1
Host: myhost.com
Executing this request to the server returns 404 not found me on accelerator (ATS)
But the strange thing is that there are proxies internet so that sending http request that I return a 200 response request Ok but my server is not.
Did you add a remap rule to your remap.config? It would look something in the line of
map http://myhost.com http://origin-for.myhost.com
Related
I am working on a RESTful web application using Go + gorilla/mux v1.4 framework. Some basic security testing after a release revealed an Open URL Redirection vulnerability in the app that allows user to submit a specially crafted request with an external URL that causes server to response with a 301 redirect.
I tested this using Burp Suite and found that any request that redirects to an external URL in the app seems to be responding with a 301 Moved Permanently. I've been looking at all possible ways to intercept these requests before the 301 is sent but this behavior seems to be baked into the net/http server implementation.
Here is the raw request sent to the server (myapp.mycompany.com:8000):
GET http://evilwebsite.com HTTP/1.1
Accept: */*
Cache-Control: no-cache
Host: myapp.mycompany.com:8000
Content-Length: 0
And the response any time is:
HTTP/1.1 301 Moved Permanently
Location: http://evilwebsite.com/
Date: Fri, 13 Mar 2020 08:55:24 GMT
Content-Length: 0
Despite putting in checks for the request.URL to prevent this type of redirect in the http.handler, I haven't had any luck getting the request to reach the handler. It appears that the base http webserver is performing the redirect without allowing it to reach my custom handler code as defined in the PathPrefix("/").Handler code.
My goal is to ensure the application returns a 404-Not Found or 400-Bad Request for such requests. Has anybody else faced this scenario with gorilla/mux. I tried the same with a Jetty web app and found it returned a perfectly valid 404. I've been at this for a couple of days now and could really use some ideas.
This is not the claimed Open URL redirect security issue. This request is invalid in that the path contains an absolute URL with a different domain than the Host header. No sane client (i.e. browser) can be lured into issuing such an invalid request in the first place and thus there is no actual attack vector.
Sure, a custom client could be created to submit such a request. But a custom client could also be made to interpret the servers response in a non-standard way or visit a malicious URL directly without even contacting your server. This means in this case the client itself would be the problem and not the servers response.
I am trying to write a simple function which would easily extract the contact information from a classified listing.
Background
The URL I'm looking at is
https://www.idealista.pt/imovel/27542922/
Looking through the developer tools in Chrome, I see that it makes a GET request to this URL. https://www.idealista.pt/pt/ajax/listingController/adContactInfoForListing.ajax?adId=27542922
If I make a GET request in Postman or just copy the second URL into Chrome I get a JSON containing various details.
My code
(Ruby)
uri = URI('https://www.idealista.pt/pt/ajax/listingController/adContactInfoForListing.ajax?adId=27542922')
foo = Net::HTTP.get(uri)
JSON.parse(foo)
The problem
The response is a 403 with a body saying that the system has detected that many requests have been made in a short period of time.
I can replicate this in Postman by doing seven or eight consecutive requests, but then if I wait a minute or two before trying again I get back to seeing the JSON.
Through Ruby it happens straight away.
What I've tried
I've tried copying some or all of the temporary headers created by Postman into my request in Ruby but I still get the same error or 404
User-Agent - PostmanRuntime/7.22.0
Accept - */*
Cache-Control - no-cache
Postman-Token - 6c68a9eb-83d5-4724-9f41-3fc51971db9f
Host - www.idealista.pt
Accept-Encoding - gzip, deflate, br
Cookie - userUUID=c017919a-6115-4905-95b3-5d949c6fb447; _pxhd=34ed938caca242bf6050147e1514cda07b704cc7681245a4beec5a64e0a5cf66:d4f21381-522a-11ea-a954-6f59910ff05b; SESSION=887b6dbc-78a4-4abd-9600-7ce401507331; WID=15a353ca7aab3446|XlEN6|XlEN4
Connection - keep-alive
you have to use a proxy, and chanfe the ip
I want to block some sites with my proxy by responding with 403. I succeeded with responding in such a way in an HTTP proxy, but when I get the CONNECT method, I respond with:
HTTP/1.1 403 Forbidden
Status: 403 Forbidden
Proxy-agent: smth
Connection: close
But users still get the ERR_TUNNEL_CONNECTION_FAILED. What can I do to provide users with a nice 403 error?
RFC 2817 does not disallow 4xx codes, and the Draft has the section "4. Extensibility" that states that
"The tunneling handshake is freely extensible using the HTTP/1.x headers;"
But it looks like all browsers decided to just ignore almost every non-2xx codes for security reasons.
Here are some bugs reports:
https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565641(v=vs.85)
Internet Explorer 8 has a feature that ensures that the secure connection is made all the way to the target server. If it isn't, then no page is displayed.
https://bugzilla.mozilla.org/show_bug.cgi?id=479880
I realize that I'm way late to the party here, but [...] this fix is terrible for proxy admins (myself included). Our proxy returns a 403 forbidden for filtered SSL content and an error page about why the content is blocked, and Firefox just drops all of it on the floor
https://bugs.chromium.org/p/chromium/issues/detail?id=7338
So that's the way it is.
We have a website, that is working with http, and we are trying to get https to work.
In the iis the certificate is installed and the Bindings are set.
According to the certificate vendor, everything is correct in iis (They have checked)
But when trying to connect from a browser i get "ERR_SSL_PROTOCOL_ERROR"
I did a networktrace on the server and i can see the browser making a SSLHandshake, thats semms OK
But the server answer says
Http: Response, HTTP/1.1
ProtocolVersion: HTTP/1.1
StatusCode: 400, Bad request
Reason: Bad Request
i can altso see in the hex details, Bad Request - Invalid Verb
Anyone have any idea what can be wrong?
Thanx Martin
OK, i did solve it
When adding the new portforwad rule for https i copied the http rule, but missed to change the port on the server side, so all communcation got port translated from 443 to port 80 on the server side
/Martin
I am debugging my website. When it has an error, the full text form of the HTTP request that caused the error is logged. I want to be able to replay these HTTP requests to help debugging the error.
For instance, I have this in my log now:
POST /ipn/handler.ashx?inst=272&msgType=result HTTP/1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: mysite.com
Content-Length: 28
User-Agent: AGENT/1.0 (UserAgent)
region=website&compName=ACTL
I want a way to make this exact request again on my local test machine (with changed Host attribute). What is the best way to do this?
You could use telnet to talk to your web server and type the exact requests.
You could also use libcurl (& curl) to make a program which is an HTTP client.
And many scripting languages (Python, Ruby, Perl, Ocaml, ...) also have HTTP client libraries (sometimes above Curl).