I'm using postman to make a GET request.
let's say my url is: https://mywebsite.com/api/records/count that is responding with a json array with the last date and the corresponding count of records:
{"date": "2022-11-11", "value": 123}
I find out that the first request is giving me a random number, then the following ones are giving me a fixed number with is the correct one (123). How is it possible? when I try to replicate this with Python, I always get random numbers (never get the 123)
I believe there is something to do with cookies, so I've tried to retrieve cookies and sent them back to the server, but doesn't work:
import requests
session = requests.Session()
session.get("https://mywebsite.com/")
cookies = sessions.get_cookies()
anything else I could try? Postman is getting the right number without any custom headers
Related
I have been given this challange, to "hack" a website to register in it, with some given hints. It includes 3 steps.
1.site_url/login - a POST request with login credentials (username, password - I have these) in the body of the request. After this it gives a JSON response that looks like this:
{
"token": "U2FsdGVkX18VaaqQc/R3Xi3jQtMMlPNku0YJzn0KNMYX0GY2ZELDfA5smRduUs5Cf519WmgaQnA+j6MpwCsvi/699R5oaUdXHCrgzrsZEKM="
}
Every time I send the request I get a different token from the previous one.
site_url/keys - a GET request with the token in the Authorization field of the header. It returns an array of 500 base64 strings that look like this:
[
"U2FsdGVkX19UgyaPxxLVM2J5LIzQPR+FDjjMWkSWcOseMSfGPWTrnC4EAIzB6EbmKS9jewVBq9BCf9FiHQDlxipYADA3A2i+jTYt0028sOrd/dkrAZCXVJBbNUDWYy6+",
"U2FsdGVkX1/9YThiCftxiLRK6GpEY6iouivp5eGCzCfv+HVoKeaS8z/Ut7BFWAm4yVTUasl87MM2pR47EIVJZ8A62sPmfTtGabz9PMlOKCnf1UKRAZFr69dZzQy71jc7",
......
"U2FsdGVkX1/yN0jrC5VPyzbiLZ5HAiPREyojo9sb+dUw+pYcGmIUocoh9m8SeQsItKFElyVz/7xhaGkrBmpvOsdFNLFsIcfObVqZ1H7T9ZAPXoZibg9+tVRDYV/3VQWm"
]
Every time I send this it gives me a different strings from the previous ones.
3.site_url/register - a POST request with the token in the Authorization field of the header (without it responds "unathorized") and one of the keys from the aray in the body JSON as such:
{
"key": "U2FsdGVkX18vwo3TVGLIwbxvkJ4NIf1GhBBIkNw9deRciB9O6/aC9KkFxVZ09WrxzB2YFncchsNY/hZYec/Hxvj1wlCK+7iZAyqNaW0hIBm17lZEloIwJVVfjX9wlkVr"
}
It returns:
{ error: 'Forbidden: Invalid registration key' }
I am assuming that I need to "bruteforce" those 500 keys and see which one works, but so far I couldn't do that as after few requests the website gives error 503 or 502. From my side it seems like the website is getting down (even when I check on my phone with mobile data). After couple of minutes it again starts working. I am using node.js and fetch API.
List of things I tried so far:
-changed referrer in the fetch options
-generated random IP adress for 'X-Forwarded-For' in the request header
-put these in the fetch options credentials: "omit", cache: "no-store"
-tried doing step 2 and changin the Authorization field in the header for every key in the array
List of things I want to try but don't know how:
-try decrypting those salted Base64 strings
-try somehow combining those strings in the array into a file
Hope the explanation was clear.
What can I try else or what am I doing wrong?
I'm trying to use delta query to get teams channel messages updates according this documentation: HERE
This is the request url:
https://graph.microsoft.com/beta/teams/<teamId>/channels/<channelId>/messages/delta
However, calling the returned nextLinks one after another never returns a deltaLink. There're too many pages of results and it causes my app to be throttled before ever getting a deltaLink from it.
In other delta query endpoints, $top is supported to limit the number of results returned. Usually I'm able to get a deltaLink after calling the nextLinks once or twice. But $top doesn't seem to have an effect in the channel messages endpoint.
So I tried appending another queryString ?odata.maxpagesize=10 to the request instead, and it seemed to work a week ago. I was able to get the deltaLink after 2 pages. But it looks like Microsoft might have changed the API and this workaround no longer works.
I also tried adding Prefer: odata.maxpagesize=10 in my request header according to this documentation: HERE
But the nextLink this generates is too long and it gives me this error instead:
HTTP Error 414. The request URL is too long.
Has anyone been able to use this delta for channel messages? Or have I done something wrong?
I need to reuse value which is generated for my previous request.
For example, at first request, I make a POST to the URL /api/products/{UUID} and get HTTP response with code 201 (Created) with an empty body.
And at second request I want to get that product by request GET /api/products/{UUID}, where UUID should be from the first request.
So, the question is how to store that UUID between requests and reuse it?
You can use the Request Sent Dynamic values https://paw.cloud/extensions?extension_type=dynamic_value&q=request+send these will get the value used last time you sent a requst for a given request.
In your case you will want to combine the URLSentValue with the RegExMatch (https://paw.cloud/extensions/RegExMatch) to first get the url as it was last sent for a request and then extract the UUID from the url.
e.g
REQUEST A)
REQUEST B)
The problem is in your first requests answer. Just dont return "[...] an empty body."
If you are talking about a REST design, you will return the UUID in the first request and the client will use it in his second call: GET /api/products/{UUID}
The basic idea behind REST is, that the server doesn't store any informations about previous requests and is "stateless".
I would also adjust your first query. In general the server should generate the UUID and return it (maybe you have reasons to break that, then please excuse me). Your server has (at least sometimes) a better random generator and you can avoid conflicts. So you would usually design it like this:
CLIENT: POST /api/products/ -> Server returns: 201 {product_id: UUID(1234...)}
Client: GET /api/products/{UUID} -> Server returns: 200 {product_detail1: ..., product_detail2: ...}
If your client "loses" the informations and you want him to be later able to get his products, you would usually implement an API endpoint like this:
Client: GET /api/products/ -> Server returns: 200 [{id:UUID(1234...), title:...}, {id:UUID(5678...),, title:...}]
Given something like this, presuming the {UUID} is your replacement "variable":
It is probably so simple it escaped you. All you need to do is create a text file, say UUID.txt:
(with sample data say "12345678U910" as text in the file)
Then all you need to do is replace the {UUID} in the URL with a dynamic token for a file. Delete the {UUID} portion, then right click in the URL line where it was and select
Add Dynamic Value -> File -> File Content :
You will get a drag-n-drop reception widget:
Either press the "Choose File..." or drop the file into the receiver widget:
Don't worry that the dynamic variable token (blue thing in URL) doesn't change yet... Then click elsewhere to let the drop receiver go away and you will have exactly what you want, a variable you can use across URLs or anywhere else for that matter (header fields, form fields, body, etc):
Paw is a great tool that goes asymptotic to awesome when you explore the dynamic value capability. The most powerful yet I have found is the regular expression parsing that can parse raw reply HTML and capture anything you want for the next request... For example, if you UUID came from some user input and was ingested into the server, then returned in a html reply, you could capture that from the reply HTML and re-inject it to the URL, or any field or even add it to the cookies using the Dynamic Value capabilities of Paw.
#chickahoona's answer touches on the more normal way of doing it, with the first request posting to an endpoint without a UUID and the server returning it. With that in place then you can use the RegExpMatch extension to extract the value from the servers's response and use it in subsequent requests.
Alternately, if you must generate the UUID on the client side, then again the RegExpMatch extension can help, simply choose the create request's url for the source and provide a regexp that will strip the UUID off the end of it, such as /([^/]+)$.
A third option I'll throw out to you, put the UUID in an environment variable and just have all of your requests reference it from there.
Hi I am attempting to initiate a query to my backend on Kinvey which is backed by a MongoDB. They require passing URL parameters as such:
?query={"firstName":"James"}
I have tried every imaginable way of setting up these parameters in PAW but either get a success response with no filtering of the data or an error message of URL not supported when I try using a Raw Query String.
I have ran the query using their (Kinvey) backend API interface and it works fine in filtering the results so the problem definitely lies within PAW. I am currently using version 3.0.9. Any suggestions or is this just a bug that needs to be fixed?
Thanks!
I've just tried this setup in Paw and I have a few recommendations:
Paw will URL-encode the chars { and " as you can see if you open the HTTP preview in the bottom panel
Trying to send a similar query via Chrome (to test with another app to make sure Paw behaves correctly), I see that the query is URL encoded (try this query https://echo.paw.cloud/?query={"firstName":"James"} you'll see that the browser actually URL-encodes the characters { and " when sending. So the behavior is the same with Paw.
I don't think these two chars ({ and ") are valid HTTP if they are not URL-encoded, so I'm sure your server is expecting them encoded anyway
Testing this exact query in Paw, works for me, so please try these exact steps: go to URL Params, in the first column enter query and {"firstName":"James"} in the second column. Then using the HTTP preview mentioned above, make sure Paw is sending the request you're expecting.
Lastly, it's more like a tip, but as your value is JSON, I recommend that you use the JSON dynamic value to generate the JSON. It will be visually better for you, and will make sure you send valid JSON. For that, right click on the value field, and select Values > JSON. Here's some example:
I am building an API where one can issue a POST to /users/1/suggestions/make in order to get a new suggestion. There are two cases:
the server can create a suggestion based on POSTed params, in which case a 200 status code is returned together with the created suggestion;
the server cannot create a suggestion based on POSTed params, in which case I am not sure what status code to return (200, since the request succeeded but nothing could be suggested, 404 because a suggestion could not be computed, or something else) and what content (nil, an empty response, something else).
If your POST is unsuccessful due to the parameters not passing validation, it is appropriate to return HTTP 400 Bad Request. The response body should consist of a list of the errors that caused the rejection.
This way it is clear to the API caller that no data has been modified.