I'm trying to send request to this website https://game.elemon.io/02.17/ to simulate login action, I found request login but the Request Payload seems to be application/octet-stream content type, I can't read it so I don't know which key and value I should use to implement this login action (I have session). Please help me (please look at picture below for more detail)
P/s : this is a gamefi web, so I manually login by metamask wallet
Related
Sorry for my English)
I have an account on https://naurok.com.ua (login: kuz.code.official#gmail.com, password: 2455s1). I log in, then follow the link /test/test-po-filosofii-541029/flashcard.
After I followed the link, it loads the cards through a request /api/test/documents/541029/flashcard.
I need to send it successfully:
I test request by Postman api/test/documents/541029/flashcard. Request sends with captured Cookies, but it says I need to log in ("Необходимо авторизоваться").
Why query work on website but doesn`t in Postman?
you need add the most important thing which is to add the cookie PHPSESSID you can find it on your browser when inspecting the request on network tab
like this
click on "cookies" on postman
to have it like this
or click on "code" on postman
I noticed also you need referer header otherwise it won't work
when i add profile of supplier on localhost working fine. and API POSt method is working fine.
but after publish of project on server getting 400 error when i add profile of supplier.
and in response getting this.
The requested resource does not support http method 'GET'.
with 400 status
i have attached images of errors.
Project url is :
https://localefood.maqssoft.com
test-user : supplier#gmail.com
password: a#123456A
This link has the same issue that i am looking for but not give the solution of problem.
https://forums.asp.net/t/2129791.aspx
enter image description here
Make a POST request with POSTMAN.
List item Use the same URL as you did for the GET request steps above, but now choose POST to be the selected HTTP method.
Click the Body tab just under the URL, then choose the raw radio
button and JSON (application/json) from the type dropdown menu:
You may note that a new Header gets automatically added to the
request. Requests that send data need a header telling the API what
kind of data is being sent. Click the Headers tab to see the
Content-Type: application/json header:
Click Send.
If you have recently submitted a request you may not be asked to
authenticate again. If you get an Unauthorized error, request a new
access token and click Send again.
Im wondering if I can detect whether some webpage was reached by a link (button, link, redirect, ...) or by typping in the URL bar.
Im using Clojure for web programming, and I wish I could block the access to some page when the request came from a "typed url".
Right now I am encoding the urls so the user can't have access to the "real" url.
Thanks in advance.
Short answer is no. Your aproach is correct.
And with a bit of skills one can also send arbitrary HTTP requests, GET or POST, modifying cookies, headers and the body of the request, so if this is about security, your approach to use encrypted data seems the only one possible to ensure that the URL is not tampered or manually typed.
The HTTP Referer header can be also faked, the same as a url parameter. There is no more security on using a http header or a url encoded parameter.
Courtesy of Wikipedia:
The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated.
I assume you can access the HTTP header fields. If the user were to type in the URL into the address bar, there would be no HTTP referer.
When I ask user for HTTP Basic Auth at some URL, browser sends Authorization header only for this and some other URLs.
Testcase script written in PHP:
http://testauth.veadev.tk/
There are three URLs to ask for credentials (you can use any random).
Logout link (drops current credential after pressing "Cancel" button in browser auth form, not working in IE).
Links to root URL and some test deeper URLs.
Questions:
Why browser not sending Authorization header at / URL if HTTP/1.0 401 Unauthorized was sent at /system/dev?
To repeat: open clean http://testauth.veadev.tk/, click Auth2, enter any credentials, you'll be forwarded to / after that. You'll see Auth: null which means no credentials header was sent by browser.
Why does browser send Authorization header at / if HTTP/1.0 401 Unauthorized was sent at /dev?
To repeat: open clean http://testauth.veadev.tk/, click Auth1, enter any credentials, you'll be forwarded to / after that. You'll see something like Auth: string 'Basic dHQ6dHQ=' (length=14) which means credentials header was sent by browser.
If you repeat first case and then click Auth1 you'll have credentials at Root and all other pages. Why?
If you click Auth3 (/some/deep/and/long/url) and you'll have credentials at Page3 (/some/deep/and/long/3) and nowhere else. Why?
To clear credential state between tests either restart your browser or click Logout, Cancel in Auth form and Root to return back (Firefox, Google Chrome).
What are the rules of sending Authorization header?
RFC 2617, section 2 states:
A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of
the current challenge. A client MAY preemptively send the
corresponding Authorization header with requests for resources in that
space without receipt of another challenge from the server.
If you are using Digest Challenge, section 3.2 states that you may specify a domain in the WWW-Authenticate header to indicate what the protection space will be. I would try setting that to something like domain=/. I am not sure if this will work with Basic authorization, but it wouldn't hurt to try it; if not, Digest authorization is not much more difficult to work with and is a bit more secure.
I am trying to login to a site, and then view user details.
The API documentation from the site is:
LogOn : All Calls with JSON and return JSON type
post - https://www.bit2c.co.il/Account/LogOn {UserName:'',Password:'',SecondFactor:[optional]}
return true if OK , error list of strings if not
Balance - GET https://www.bit2c.co.il/Account/Balance
return UserBalance as JSON
I've tried connecting to the site using
import requests
session=requests.session()
session.auth = ("username", "pass")
session.post("https//www.bit2c.co.il/Account/Balance")
but i am getting response 200 and the response content is "you must login".
What am I doing wrong ?
What kind of session? What is on server-side? Can you post the raw request/response pair(s)?
If PHP or ASP runs on server-side, you must capture the Set-Cookie header of the response to the login request, find the session cookie and in consequent requests you must set the Cookie header with the session cookie name and value captured previously.