Getting requests containing [PLM=0][N] - asp.net

I recently noticed that I've been getting some strange looking requests which after decoding look like
target_url?id=17 [PLM=0][N] GET target_url?id=17 [0,14770,13801] -> [N] POST target_url?id=17 [R=302][8880,0,522]
I know there is an older question concerning that subject, but there is no actual answer so I posted my own, in case there may be some newer member who knows what's going on.
The requests I mentioned do not seem to have any effect as they cause the error page to be displayed. I am however curious to know what they might have been capable of.
target_url only refers to pages where someone posts to the forum. The website uses ASP.NET. The numbers contained in brackets (0,14770,13801 etc) seem to be the same in every request made so far.
Any ideas?

I see things more or less similar on several websites and I think it is a code for bypassing your captcha in the form you have on the page id=17. My guess would be that:
GET target_url?id=17 [0,14770,13801] = get the captcha at the position [0,14770,13801] on the page, where the captcha image or computation or something else has been detected;
POST target_url?id=17 [R=302][8880,0,522] = still on the same page, put it back in the field at the position [8880,0,522]. [R=302] is possibly error redirect management in case it is wrong.

Is there way to be absolutely sure that access came from QR code scan? [duplicate]

I have this project where I need to know if a visitor legitimately arrived from a QR code. The document.referrer value from a QR code shows blank. I have looked at some answers suggesting to put a parameter in the query string (e.g. ?source=qr), but anyone could easily add the parameter to the URL and my code would believe it is from a QR code (e.g. www.project.com/check.page?source=qr). I have thought of adding code to make sure it is from a mobile phone / tablet as a secondary way to authenticate, but many browsers have add-ons to fool websites.
Any suggestions would be greatly appreciated.
Thanks in advance.
I think the best solution for you is creating your regional QR Codes pointing to:
Region 1) http://example.com/?qr=f61060194c9c6763bb63385782aa216f
Region 2) http://example.com/?qr=731417b947aa548528344fab8e0f29b6
Region 3) http://example.com/?qr=df189e7f7c8b89edd05ccc6aec36c36d
if the value of the parameter qr is anything other than f61060194c9c6763bb63385782aa216f, 731417b947aa548528344fab8e0f29b6 or df189e7f7c8b89edd05ccc6aec36c36d, then you can ignore it and assume the user didn't come from any QR Code.
Of course, any user can remove the source parameter. But at least he can't add a valid one, unless he really had access to the code.
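The per-region token scheme from the answer above, written out as a runnable check. This is an added example, not code from the question or the answer; it is in Python (the page's own snippets are PHP and C#) so that one language serves every example on the page. The three token values are the ones the answer lists; the region names, the new_region_token() helper and the URL layout are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# The three region tokens from the answer above, keyed to a region name.
# In practice each is minted once with new_region_token(), stored server-side
# and printed into that region's QR code; it never appears anywhere else.
REGION_TOKENS = {
    "f61060194c9c6763bb63385782aa216f": "Region 1",
    "731417b947aa548528344fab8e0f29b6": "Region 2",
    "df189e7f7c8b89edd05ccc6aec36c36d": "Region 3",
}


def new_region_token():
    """Mint a fresh 128-bit token for a new region's QR code (unguessable)."""
    return secrets.token_hex(16)


def region_for_url(url):
    """Return the region name for a scanned landing URL, or None.

    None means: no qr= parameter, more than one, or a value that is not one of
    the issued tokens. A user who strips the parameter is counted as 'not from
    a QR code'; a user who invents one cannot guess a 128-bit token.
    """
    values = parse_qs(urlparse(url).query).get("qr", [])
    if len(values) != 1:
        return None
    candidate = values[0].encode("utf-8", "replace")
    for token, region in REGION_TOKENS.items():
        # Constant-time comparison so response timing does not leak how many
        # leading characters of a guess were right.
        if hmac.compare_digest(candidate, token.encode("ascii")):
            return region
    return None


if __name__ == "__main__":
    for test_url in (
        "http://example.com/?qr=f61060194c9c6763bb63385782aa216f",
        "http://example.com/?qr=deadbeef",
        "http://example.com/?source=qr",
    ):
        print(test_url, "->", region_for_url(test_url))
```

Each token is a 128-bit random value, so a visitor who types ?qr=something cannot forge a valid one; the only way to obtain a token is to scan (or otherwise read) the printed QR code, which is exactly the limit the answer describes. Store the tokens as a lookup table in the application rather than in the page source.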
...but anyone could easily add the parameter into the URL and my code would believe it is from a QR code
Well, anyone could also scan the QR code, view the link, and remove the source=qr from it.
Data collection is never 100% reliable. Users can change their browser's user agent, inject cookies with some strange values, open your page through a proxy server, and so on.
You could create your own device or App for scanning the QR-code. If you read the post I've linked, you will see that this is a waste of time and resources.
So, what is left is to make a solution which will work for most of the users. Appending a source=qr parameter to your URL seems to be the simplest solution. You could also link to an entirely different domain and redirect the request, so it would be more fraud-safe. But it will never be 100% accurate.

Linkedin SlideShare API "get_user_leads" 500 Internal Server Error and 410 Gone Error on apiexplorer.slideshare.net

Looking for help from a Linkedin SlideShare engineer on the SlideShare API here. Very frustrated that I was told to use StackExchange after being kicked all over the place by them and now I can't post enough detail (personal account info would be needed and StackExchange is limiting me to 2 links in this message).
Anyhow, I’m trying to install the SlideShare-Marketo Connector (http://launchpoint.marketo.com/assets/Uploads/SlideShare-MarketoConnector-Guide.pdf) onto an ancillary server. I’ve uploaded the PHP files just fine.
The expected output from my page should be “X leads synced from SlideShare.” (where “X” is a number), but instead I get a blank page. I added some echos to see if I could figure out the last spot the code was executing to. I found that it’s getting hung up in SSUtil.php at this line in the function “get_userLeads”:
$data=$this->LeadXMLtoArray($this->get_data("get_user_leads","&username=$user&password=$pass&begin=$begin"));
From what I can tell though the issue isn’t really with this line but when the get_data function tries to get the data at this line:
$res=file_get_contents($this->apiurl.$call."?api_key=$this->key&ts=$ts&hash=$hash".$params);
I echoed the URL to the browser see what it was looking for:
http://www.slideshare.net/api/2/get_user_leads?api_key=XXXXXXXX&ts=XXXXXXXX&hash=XXXXXXXX&username=XXXXXXXX&password=XXXXXXXX&begin=201603311600
Obviously I can't make this link clickable here without giving away a bunch of account information, but when I click on a real version of the link I get a 500 Internal Server Error.
I used apiexplorer.slideshare.net (but now it seems SlideShare has taken this down in the last day) and the URL it’s using looks the same as what I’ve got above but has a slightly different result: 410 Gone Error. Any idea what’s going wrong?

I get HTTP 500 and HTML content, what's wrong?

When I got on this page (same with lots of articles on this website): http://thereasonmag.com/9231-2/
I get an HTTP 500 error (seen in the Chrome Dev Tools) AND the article.
Well, I'm a bit lost with this. Do you know why it is designed like this?
That's a problem for my crawler which is designed to avoid processing HTTP 5xx error responses.
I would say that this can hardly be called "designed"; it is possible when somebody has an error in backend code/logic. Actually this is the first time I see anything like this, but I can only think of a workaround for you in this case.
Because this response has a 500 error AND a correct HTTP body with HTML, you can avoid processing in your code only those 5xx errors WITHOUT a body of correct HTML. How to determine if this HTML is correct? This is pretty risky to guess. You can research their HTML and find some global variables or some comment tags/classes in the HTML which won't be returned if a real error page is returned.
Important: I understand (and I'm sure you do too) that my suggestion is an absolutely crazy workaround just to make your code work. What I would do in your place is write those guys and ask them to fix their backend. Seems like this is the only place with some email at the bottom..
Try to write them, otherwise you will definitely face a case where you will fail to meet the criteria of if (res.errorCode === 500 && res.body.anyPossiblePredicateYouMayThinkToCheckRightHTMLBody) {// show the post on your page }
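The workaround the answer above describes (treat a 5xx as processable only when the body is a complete page carrying site-specific markers that a real error page lacks), as an added example in Python; it is not code from the question, the answer, or the crawler in question. The article marker, the PHP fatal-error pattern and the sample bodies are constructed for this example and would need to be chosen by inspecting the actual site.

```python
import re
from typing import NamedTuple


class Response(NamedTuple):
    status: int
    body: str


# Hypothetical site-specific markers. Choose them by diffing a page that
# renders correctly against one that really failed; these assume a
# WordPress-style theme that wraps each article in <article class="post ...">.
ARTICLE_MARKER = re.compile(r'<article\b[^>]*\bclass="[^"]*\bpost\b', re.I)
# PHP's default HTML error output, which a real failure prints into the body.
PHP_FATAL = re.compile(r"<b>(Fatal error|Parse error)</b>:", re.I)


def looks_like_full_page(body):
    """True if the body is a complete HTML document, not a truncated fragment."""
    s = body.strip().lower()
    return s.startswith(("<!doctype html", "<html")) and s.endswith("</html>")


def should_process(resp):
    """Decide whether the crawler should parse this response.

    Non-5xx: always. 5xx: only when the body is a complete page that carries
    the article marker and no PHP fatal error; anything else is a real failure.
    """
    if resp.status < 500:
        return True
    body = resp.body or ""
    if PHP_FATAL.search(body):
        return False
    return looks_like_full_page(body) and ARTICLE_MARKER.search(body) is not None


# Constructed sample bodies (not captures from the site in the question).
FULL_PAGE = (
    "<!DOCTYPE html><html><head><title>Post</title></head><body>"
    '<article id="post-9231" class="post type-post"><h1>Title</h1>'
    "<p>Body text.</p></article></body></html>"
)
FATAL_PAGE = (
    "<br />\n<b>Fatal error</b>:  Uncaught Error: syntax error in "
    "<b>/var/www/wp-content/plugins/broken/broken.php(12) : eval()'d code</b> "
    "on line <b>1</b><br />\n"
)
GATEWAY_PAGE = "<html><body><h1>503 Service Unavailable</h1></body></html>"


def classify_samples():
    """Run the rule over the samples; returns {label: decision}."""
    samples = {
        "ok_200": Response(200, FULL_PAGE),
        "article_with_500": Response(500, FULL_PAGE),
        "php_fatal_500": Response(500, FATAL_PAGE),
        "empty_500": Response(500, ""),
        "gateway_503": Response(503, GATEWAY_PAGE),
    }
    return {label: should_process(r) for label, r in samples.items()}


if __name__ == "__main__":
    for label, decision in classify_samples().items():
        print(f"{label:18} -> {'process' if decision else 'skip'}")
```

Keep the exception narrow: require both the full-document check and the marker, so a load balancer's own 503 page or a half-rendered page that died mid-way is still skipped. Log every 5xx that passes the rule, since the site owner may fix the backend and the heuristic should then be retired.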
1) Looks like it is expected behavior since PHP version 5.2.4.
2) The above URL is using X-Powered-By: PHP/5.4.45 (WordPress app)
3) root cause could be that one of the WordPress plugins on the above site has a wrong string that PHP eval() could not parse.
4) for more info look at the links: a) WordPress discussion
5) from the PHP forum
Finally, I don't think you can do anything here.

Determine if requester is an Ajax call and/or is expecting JSON (or another content type)

I have solved a problem with a solution I found here on SO, but I am curious about if another idea I had is as bad as I think it might be.
I am debugging a custom security Attribute we have on/in several of our controllers. The Attribute currently redirects unauthorized users using a RedirectResult. This works fine except when calling the methods with Ajax. In those cases, the error returned to our JS consists of a text string of all the HTML of our error page (the one we redirect to) as well as the HTTP code and text 200/OK. I have solved this issue using the "IsAjaxRequest" method described in the answer to this question. Now I am perfectly able to respond differently to Ajax calls.
Out of curiosity, however, I would like to know what pitfalls might exist if I were to instead have solved the issue by doing the following. To me it seems like a bad idea, but I can't quite figure out why...
The ActionExecutingContext ("filterContext") has an HttpContext, which has a Request, which in turn has an AcceptTypes string collection. I notice that on my Ajax calls, which expect JSON, the value of filterContext.HttpContext.Request.AcceptTypes[0] is "application/json." I am wondering what might go wrong if I were to check this string against one or more expected content types and respond to them accordingly. Would this work, or is it asking for disaster?
I would say it works perfectly, and I have been using that for years.
The whole point of using request headers is to be able to tell the server what the client accepts and expects.
I suggest you read more here about Web API and how it uses exactly that technique.
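An added example of the Accept-header approach the question and answer discuss, with the check a practitioner would want before relying on AcceptTypes[0]: the header is a ranked list with q-values, so the first entry is not necessarily the preferred one, and a bare */* says nothing. This is not code from the question's attribute or from ASP.NET MVC; it is Python (one language for every example on this page), and the X-Requested-With rule, the 401 JSON body and the /Error/Unauthorized redirect target are assumptions for illustration.

```python
def parse_accept(header):
    """Parse an Accept header into [(media_type, q)] ordered by preference.

    Higher q first; ties keep header order. A q outside [0, 1] or one that
    does not parse is treated as 0, i.e. 'not acceptable'.
    """
    ranked = []
    for position, part in enumerate(header.split(",")):
        fields = [f.strip() for f in part.split(";")]
        media = fields[0].lower()
        if not media:
            continue
        q = 1.0
        for param in fields[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
                q = q if 0.0 <= q <= 1.0 else 0.0
        ranked.append((media, q, position))
    ranked.sort(key=lambda item: (-item[1], item[2]))
    return [(media, q) for media, q, _ in ranked]


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict (assumed request shape)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def wants_json(headers):
    """Should an unauthorized response be JSON rather than an HTML redirect?

    1. X-Requested-With: XMLHttpRequest (what IsAjaxRequest inspects) wins.
    2. Otherwise JSON only if Accept ranks application/json above text/html.
       A bare */* (browsers, curl) does not count, so navigations still get
       the redirect, and an Accept that lists text/html first but with a
       lower q than application/json still gets JSON.
    """
    if _header(headers, "X-Requested-With").lower() == "xmlhttprequest":
        return True
    json_q = html_q = 0.0
    for media, q in parse_accept(_header(headers, "Accept")):
        if media == "application/json":
            json_q = max(json_q, q)
        elif media == "text/html":
            html_q = max(html_q, q)
    return json_q > html_q


def unauthorized_response(headers):
    """(status, headers, body) for a request that failed the security check.

    Hypothetical shape: a 401 with a JSON body for API-style callers, a 302
    to the site's error page for everyone else.
    """
    if wants_json(headers):
        return 401, {"Content-Type": "application/json"}, '{"error": "unauthorized"}'
    return 302, {"Location": "/Error/Unauthorized"}, ""


if __name__ == "__main__":
    for hdrs in (
        {"Accept": "application/json, text/javascript, */*; q=0.01"},
        {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"},
        {"Accept": "*/*"},
    ):
        print(hdrs["Accept"], "->", unauthorized_response(hdrs)[0])
```

The first header is what jQuery sends for dataType "json", the second is a browser navigation; both are handled by ranking rather than by position. Note that a caller can send any Accept value it likes, so this only chooses the shape of the refusal; the authorization decision itself must not depend on it.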

WordPress plugin accessing WordPress URL remotely to send data across

I am in the process of writing a small WordPress data sync plugin that is intended to sync some records between two sites. When a new data item is entered on one site, a JSON-encoded version of that data item is posted to a URL on the other site which then digests it and saves it to a local database.
I'm finding it really hard to work out what URL I should be posting the JSON data to so that it gets into the plugin on the other end. Or whether I should be reusing admin_ajax, even though this is server-to-server not browser-to-server.
Happy to assume that both sites are running WordPress 3.3/3.4.
I've spent quite some considerable time googling without results, which may simply be that I'm looking for the wrong terminology.
For instance, I might get the sending copy of the plugin to post to a URL such as http://www.example.com/wp-content/plugins/datasyncer/incoming.php - but a shorter URL or a smarter way to do it would be great. While I could make this URL work pretty easily by including ../../../wp-load.php I'm reluctant to do that as that will break on some sites, and is considered Bad Practice in a plugin.
I'm using wp_remote_post() to do the post to URL part, the problem is which URL to post to, not how to post.
I'll edit this and correct terminology if anyone has any ideas that help! Thanks in advance!
You can post anywhere you want (on the front side, not the admin side, of course). You can even post to the home page. Just make sure that you don't post any data which conflicts with WordPress core. For example: name, post, p are all reserved.
Add a prefix to all your post variables: "myplugin_name" is ok, "name" is not.
Then in your plugin code add a condition to check if something was posted:
// Hook early so the check runs on any front-end request before the page renders.
add_action('init', 'myplugin_handle_remote_post');
function myplugin_handle_remote_post() {
    if (isset($_POST["myplugin_remote_data"])) {
        // check if data was indeed sent by your server. use some api key etc
        // save the data
        // echo some response telling if data was posted or not. anything you want.
        die(); // no need to show the page
    }
}
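An added worked example of the "check if data was indeed sent by your server" step in the answer above, showing both sides of the exchange: the sender signs the JSON record with an HMAC over the body, a timestamp and a nonce, and the receiver verifies the signature in constant time, rejects stale timestamps and refuses replays. This is not the plugin's code or WordPress's; it is written in Python (one language for every example on this page) rather than the PHP a real plugin would use, and the field names, the shared secret value and the five-minute skew window are assumptions. Signing the body is preferable to posting a bare API key: the secret never travels in the request, and a captured request cannot be modified or replayed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared secret: generate once (e.g. secrets.token_hex(32)),
# store it in both sites' configuration, never send it on the wire.
SHARED_SECRET = b"0f1e2d3c4b5a69788796a5b4c3d2e1f0-example-only"
MAX_SKEW_SECONDS = 300


def _message(ts, nonce, data):
    """Bytes that are signed: timestamp, nonce and JSON body, bound together."""
    return b"\n".join([ts.encode(), nonce.encode(), data.encode()])


def sign_record(record, secret, now=None, nonce=None):
    """Sender: build the POST fields to hand to wp_remote_post().

    Every field is prefixed (myplugin_) so it cannot collide with WordPress's
    own reserved query variables such as name, post or p.
    """
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(8)
    data = json.dumps(record, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(secret, _message(ts, nonce, data), hashlib.sha256).hexdigest()
    return {
        "myplugin_remote_data": data,
        "myplugin_ts": ts,
        "myplugin_nonce": nonce,
        "myplugin_sig": sig,
    }


def verify_record(fields, secret, now=None, seen_nonces=None):
    """Receiver: return (record, None) if genuine, else (None, reason).

    Checks, in order: all fields present, timestamp fresh, HMAC valid
    (constant-time compare), nonce not already seen within the window.
    """
    try:
        data = fields["myplugin_remote_data"]
        ts = fields["myplugin_ts"]
        nonce = fields["myplugin_nonce"]
        sig = fields["myplugin_sig"]
    except KeyError as missing:
        return None, f"missing field {missing}"
    if not ts.isdigit():
        return None, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return None, "stale timestamp"
    expected = hmac.new(secret, _message(ts, nonce, data), hashlib.sha256).hexdigest()
    if not sig.isascii() or not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None, "replayed nonce"
        seen_nonces.add(nonce)
    try:
        return json.loads(data), None
    except ValueError:
        return None, "body is not JSON"


if __name__ == "__main__":
    # Round trip on a constructed record, then a tampered copy of the same POST.
    fields = sign_record({"id": 7, "title": "hello"}, SHARED_SECRET)
    print(verify_record(fields, SHARED_SECRET, seen_nonces=set()))
    forged = dict(fields, myplugin_remote_data='{"id":8,"title":"hello"}')
    print(verify_record(forged, SHARED_SECRET))
```

On the receiving site the equivalent PHP check runs inside the isset($_POST["myplugin_remote_data"]) branch shown above: compute the HMAC with hash_hmac('sha256', ...), compare with hash_equals(), persist the nonce (a transient keyed on the nonce works within the skew window), and only then save the record and die(). Send the request over HTTPS so the record itself is not readable in transit.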
