I want to automate requests to Apache tomcat's manager GUI for the purposes of developing a pentest related application. I captured the packet to upload a .war file to the server and this was the first part of the response:
POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=0DCEAA88E8C558E6F3352C52B4BBCD4B HTTP/1.1
From this I can see that there's some kind of nonce preventing cross site request forgery. The problem is that I want to automate sending these packets to the server, so I'm going to need to generate a valid nonce whenever I do that. Is there a way I can grab the current nonce so I can use it in my script?
Related
I understand that the server send website components to the client after http request, HTML, CSS, Js and other static files that are necessary to build the website in the client browser.
I want to understand what the server actually do to generate the response since it should handle many requests not just one request??
I assume that the server create an instance from the files and send it to the client via http response?? is this right, wrong,inaccurate or incomplete or are there other processes that happen on the server to make it work??
These "website components" (code for the browser) can be created by the server however it wants. There are two typical patterns. Static and dynamic.
Static resources are created ahead of time. These cannot be customised by the server at the time of the request.
Dynamic resources will be generated when the request is received. For example, a HTML asset may be generated to include a particular user's username as found in a cookie sent with the request. This is typically done from templates like jinja2 for Python.
Nowadays serving these resources statically and using a client side JavaScript application with a separate data API to customise content is the most popular way to build interactive websites (web apps)
on my JSF page I have a primefaces poll (<p:poll>) which checks if a backend is still running every second. The problem now is that the HTTP POST method, which checks the backend, is writting a logging entry into the Tomcat log every second. This will likely produce a lot of logging data which may lead to some problems with the server.
My question is now how I can prevent this POST method from writting into the tomcat log file?
I've got a problem trying to run a test plan in JMeter which contains a
multipart/form-data POST. For some reason the web server does not respond
with the expected response when JMeter does the POST (which was recorded
with the proxy).
Please tell me the exact configuration to handle it(if any).
As per Upload and Download Scenarios with Apache JMeter guide
Check that “Use multipart/form data for POST” is ticked
Check that files for upload actually exist in their relative location or use the full paths
Provide the correct MIME Type
The combination of above should do the trick for you.
If your file upload assumes authenticated user, make sure that you have HTTP Cookie Manager is present and enabled and in case of any dynamic parameters, like viewstate input value or JSESSIONID cookie you pass them properly. Use a sniffer tool like WireShark to ensure that your request is an exact replica of browser request.
I want to send a bunch of XML files from my client (iPad) to my application server(Web)..Is there any way I can pass them to server using HTTP POST? I assume HTTP POST only allows embedding strings not attaching as files..We don't want to use FTP due to securuty reasons. We even thought of web service, but not sure whether attachments are possible..Pleas advise if you know any ways of transferring files from client to server.
The maximum length of a POST variable is massive - so no worries there, you can send XML fine. POST can send any type of data, just make sure you set the Content-Type header correctly or you may get unexpected results.
It is no less / more secure than FTP however.
Following is our environment setup:
IIS 7 receives Http (.jsp) request from client (browser).
It blindly redirects it to JBoss using ISAPI_Redirect.dll.
Now we are trying to modify this setup in such a way that before IIS7/ISAPI_redirect sends it to JBoss, we need to modify posted form data using Http module. This http module is normal .net http module.
We are able to intercept the request # BeginRequest event of http module and when we send it to JBoss, it gives us "Read client failed (400)" error.
Any idea how to achieve this task or fix the problem at hand?
We were not able to fix our problem in its original form. What we did is we removed ISAPI_REDIRECT/JBoss from our original pipeline.
We now take the request directly to our http module by setting up another virtual directory where ISAPI_Redirect is not configured, we do our modification (earlier we intended to do this after JBoss has received the request) and then send it to another virtual directory (URL) where ISAPI_REDIRECT is configured. Now ISAPI_Redirect captures the request, maps it to JBoss format and sends it to JBoss.
Basically we switched the place of our customer processing and things seem to falling in place.