Develop Reference

How to Capture the API's ?if API's have no end points and just showing baseUrls

I need help or any suggestion. I have no idea how to do it?
Request URL: https://www.vizofly.com/NTU/Stress/StreamingAssets/Schools.json
Request Method: GET
Status Code: 200 (from disk cache)
Remote Address: 172.66.43.59:443
Referrer Policy: strict-origin-when-cross-origin
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray: 6d4c32aacdb1926d-FRA
content-encoding: br
content-type: application/json
date: Fri, 28 Jan 2022 18:14:00 GMT
etag: W/"1261-61f2caaf-3e2d8e;;;"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
last-modified: Thu, 27 Jan 2022 16:39:11 GMT
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=aVZAHndifoZtrY0MH3O1WlauF71saxbdUuS7eBS0tReoUi5fGDG3zSlxFCTvbIwJxvGeVeiQyjT%2FVIUWKfUpxNbRT1jUi%2F9VEOvJnaBBRtJKapsW8RBKeLUxqP%2FusLzYEHQ%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
x-content-type-options: nosniff
x-frame-options: ALLOW-FROM https://www.ntu.edu.sg

If you're asking about how to configure JMeter to send the request:
Add Thread Group to your Test plan
Add HTTP Request sampler and set it up like:
You may also want to add HTTP Cache Manager to represent browser cache, HTTP Cookie Manager to automatically handle cookies and so on in order to configure JMeter to behave more like a real browser

Cannot bypass Dynamic status cache for my APIs in Cloudflare

After defining the following configuration to avoid dynamic caching for an API : Cloudflare for your API
My calls are still in a Dynamic cache status. You can see the received reponse headers :
access-control-allow-methods: GET,OPTIONS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
cache-control: no-cache, no-store, max-age=0, must-revalidate
cf-cache-status: DYNAMIC
cf-ray: 698eeac5ae5640cf-CDG
client-control: max-age=43200, s-max-age=43200
content-encoding: br
content-type: application/json
date: Mon, 04 Oct 2021 13:57:03 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expires: 0
pragma: no-cache
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
Here's the configuration i've done
Do you find a way to get a 'BYPASS' cache Clouflare Status Headers

If your goal is to avoid having your API calls cached, then the above page rule looks correct. You are using a Cache Level directive to Bypass the caching logic.
This means that all the calls matching the URL pattern will always be pulled from your origin server. This is confirmed by the cf-cache-status response header valued with DYNAMIC
From the documentation
DYNAMIC: Cloudflare does not consider the asset eligible to cache and your Cloudflare settings do not explicitly instruct Cloudflare to cache the asset. Instead, the asset was requested from the origin web server.
The response header cf-cache-status can also have a value of BYPASS, but this happens in other scenarios (also described in the documentation)

Slack's files.delete API always returns cant_delete_file error

I am trying to write a script to delete old files from my Slack workspace.
Following the Slack API docs, I created an app, gave it the channels:join, channels:manage, channels:read, files:read, and files:write scopes, and installed it in the target workspace.
My app can list channels, join a channel, and list files in that channel, but whenever I try to delete a file, I get a response that looks like this:
DELETE https://slack.com/api/files.delete?token=xoxb-xxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx&file=Fxxxxxxxxxx
User-Agent: PostmanRuntime/7.24.1
Accept: */*
Cache-Control: no-cache
Postman-Token: 8f6854b4-794c-4685-892c-c9fafc03827e
Host: slack.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 200 OK
date: Sat, 09 Jan 2021 19:23:28 GMT
server: Apache
x-xss-protection: 0
pragma: no-cache
cache-control: private, no-cache, no-store, must-revalidate
access-control-allow-origin: *
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-slack-req-id: 227ef4f9bb4c85c42d6f1c7fb33ddac0
x-content-type-options: nosniff
referrer-policy: no-referrer
access-control-expose-headers: x-slack-req-id, retry-after
x-slack-backend: r
x-oauth-scopes: files:read,files:write,users:read,channels:read,channels:join,channels:manage,remote_files:write
x-accepted-oauth-scopes: files:write
expires: Mon, 26 Jul 1997 05:00:00 GMT
access-control-allow-headers: slack-route, x-slack-version-ts, x-b3-traceid, x-b3-spanid, x-b3-parentspanid, x-b3-sampled, x-b3-flags
vary: Accept-Encoding
content-encoding: gzip
content-length: 59
content-type: application/json; charset=utf-8
x-envoy-upstream-service-time: 26
x-backend: files_normal files_canary_with_overflow files_control_with_overflow
x-server: 10.128.70.109:80
x-via: envoy-www-iad-kyvf, haproxy-edge-iad-2ql3
x-slack-shared-secret-outcome: shared-secret
via: envoy-www-iad-kyvf
{
"ok": false,
"error": "cant_delete_file"
}
According to the API docs for the files.delete endpoint, cant_delete_file means:
Authenticated user does not have permission to delete this file.
I can only assume that this is because my user is a bot, and is not the user who originally uploaded the file.
Because I am the workspace admin, I expect that I would be able to list and delete all files if I were to authenticate with my user credentials, but the Basic App Setup docs don't say how to authenticate with user credentials, even though they contain language suggesting that some actions may require a User Token:
If you need to act as a specific user (for example, posting messages on behalf of a user, or setting a user's status), you'll need a User Token.
Is anybody aware of how to either:
Delete a file when authenticated with an App Token; or
Obtain a User Token from within an app?

Although it isn't clearly documented, App Tokens are not allowed to delete files that were uploaded by other users.
In order to do this, the App needs to be installed into the workspace via OAuth, granting the app a User Token that inherits the permissions of the user who installed it.
If that user is the workspace administrator, the app will be able to delete any file, regardless of who uploaded it. See https://api.slack.com/legacy/oauth for details

Disable caching of content in firefox offline mode

I am working on a web application which has user management in place. I find a concerning issue in firefox related to Work Offline. Following are the steps describing the scenario:
User logs in to the application
User performs some action and logs out of the application
If the user now enables Work Offline mode in firefox, he/she can use browser back to access the last page. However, this page is supposed to be secure.
In my opinion this is a data security issue as any other user can apply this technique to fetch valuable information of the last user.
I have used cache control headers to communicate to the browser that HTML content should not be cached. Following are the response headers used:
HTTP/1.1 200 OK
Date: Tue, 05 May 2015 10:39:30 GMT
Server: Apache/2.4.9 (Unix) OpenSSL/0.9.8za
Cache-Control: no-cache, no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding: gzip
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
I have used
Cache-Control: no-cache, no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
I have noted this vulnerability in applications like Facebook. Is this resolvable? Thank you.

Shopify JSONP issue in ajaxAPI

I'm getting some odd response back from shopify ajaxapi for jsonp.
If you cURL a Shopify ajax api location
http://storename.domain.com/cart.json?callback=handler
you will get a jsonp response. But something is breaking the same request in browsers.
It appears to be related to compression? Here are some responses from each browser when attempting to call the jsonp as documented.
Firefox: The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.
Internet Explorer: Internet Explorer cannot display the webpage
Chrome/Safari/Webkit: Cannot decode raw data, or failed (chrome)
Attempted use via jquery:
$.getJSON('http://storename.domain.com/cart.json?callback=?', function(data) { ... });
// Results in a failed request, viewable network request panels of dev tools
Here is some output from cURL including response headers:
$ curl -i http://storename.domain.com/cart.json?callback=CALLBACK_FUNC
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Dec 2012 13:48:29 GMT
Content-Type: application/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Status: 200 OK
ETag: cachable:864076445587123764313132415008994143575
Cache-Control: max-age=0, private, must-revalidate
X-Alternate-Cache-Key: cachable:11795444887523410552615529412743919200
X-Cache: hit, server
X-Request-Id: a0c33a55230fe42bce79b462f6fe450d
X-UA-Compatible: IE=Edge,chrome=1
Set-Cookie: _session_id=b6ace1d7b0dbedd37f7787d10e173131; path=/; HttpOnly
X-Runtime: 0.033811
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
CALLBACK_FUNC({"token":null,"note":null,"attributes":{},"total_price":0,...})
Also related unanswered here:
https://stackoverflow.com/questions/13750841/shopify-ajax-api-jsonp-supported
Thanks