Ignoring 301/2 in Server Replay - mitmproxy

I'm recording a flow that triggers a SSO (SAML) on initial page load
When I do the server playback I don't want this part ignored so that all I see is the status of the ui in the browser after the SSO callback has redirected to the UI
It doesn't appear to be a way to filter this out. I tried ignoring the host but then it just triggers a live request and this host is not accessible.
Is there somehow a way to ignore the recording in a flow of particular redirects as in this case?

Reading through the docs. the best option I came up with is to remove the flows from the recorded session altogether using a filter e.g.
# normal capture
./mitmdump -w outfile
# after session transform capture with a filter
# match all non redirect requests on the particular domain
./mitmdump -nr ./outfile -w outfile2 "!(~c 301 | ~c 302) & ~u ^https://mytest-app.io.*$"

Related

How to capture redirect response header

I am trying to record a simple login and logout flow for a .Net application. After I submit the login credentials the welcome page's URL has a large alpha numeric number. This number is required to continue to the next steps.
On Fiddler I have noticed that the login credential submission request results in a 302 response and this response contain an a=129characterstring that i need in my subsequent requests.
On JMeter I have added a recording controller and on the HTTP(S) Test Script Recorder I have Follow Redirects and Use KeepAlive checked (See below screenshot)
I have also recorded with Follow Redirects unchecked and different options for Grouping and HTTP Sampler Settings.
But with none of them I am able to record/capture the 302 response that i see on fiddler. Instead the login credential submission request always returns a 200 response, even if the login fails.
It is not as if that JMeter is not recording redirect requests, further down the scenario flow I have another redirect request which is captured.
I can't be the only one who is/has faced this problem. Does anyone have any suggestions on what I should be doing differently to get the 302 response?
To do this:
Record with default options, the redirect Http Request triggered by 302 will be disabled by default.
Then you will need after this to uncheck "Follow Redirect" in the first one, and add a Regular Expression Post Processor to extract the data you want.
Then enable the commented second request and inject the extracted variable.

Redirect or forward

Looking through some legacy code I have in front of me using struts one, I see:
<global-forwards>
...
<forward name="accessDenied" path="/www/jsp/AccessDeniedForm.do" redirect="true" />
</global-forwards>
So it's just a global forward to send to a access denied page.
I am curious about the decision to redirect as opposed to forward. What are the advantages and disadvantages of using it?
What are the pro's and con's of using it?
Before discussing pro's and con's of using that forward element with redirect set to true, let's understand what is actually going on with that configuration. When redirect is set to true in the forward element, a redirect instruction should be issued to the user-agent so that a new request is issued for this forward's resource. This link will probably provide detail information that you need.
The default value for redirect is to false, essentially when the forward element is called, it forward to that path specified and that's it. If you are setting redirect to true, take for example, the browser will make another request. So I think with these said, you probably know or have an idea the pro and con if you really want to use it.
In redirect, the control can be directed to different servers or even another domain name.The redirect takes a round trip.When a redirect is issued , it is sent back to the client , and redirected URL information is in the header instructing the browser to move to the next URL. This will act as a new request and all the request and response data is lost.
In forward , the forwarding is done from server side , the client browser URL do not change.the data is also not lost.It is just like a browser page refresh. Whatever data posted in the first submit is resubmitted again.So use it with caution.
Both forward and redirect are used in different scenarios ,the global forward should be redirect because it is an error situation.
Redirect is slower as it needs a roundtrip.Forwards are faster.
If you specify
redirect="true", Struts uses a client-side redirect
[response.sendRedirect()]
. The JSP will be invoked by a new browser request, and any data stored in the old request will be lost.

Using IIRF to redirect to a PDF

I'm using IIRF to redirect certain URLs to specific PDF files. For instance, for the URL /newsletter/2010/02 I'd like it to redirect to /pdf/newsletters/Feb2010.pdf. I'm not too hot at regular expressions, but I created the following rule:
RedirectRule ^/newsletter/2010/01 /pdf/newsletters/Newsletter012010.pdf [I,R=301]
and it does redirect, but the address bar doesn't change, and when trying to save the file it wants to save as 01 instead of Feb2010.pdf. I don't presume my users will be savvy enough to enter a PDF extension before saving, and they shouldn't have to. Is there anything I can do about this?
Two suggestions:
clear your browser cache
Redirect to a full URL. instead of /pdf/newsletters/Foo.pdf, redirect to http://server/pdf/foo.pdf
It's strange that it wants to use 01 as the file. Surprising. Are you sure the browser is sending a new request? Use Fiddler to verify. A redirect should result in the browser address bar getting updated, ALWAYS. If you get a 301 you will see it very clearly in the Fiddler trace.
If you don't see the expected 301, Is it possible that you previously used a RewriteRule in the ini file, and the browser cached the result, and now when you ask for /newsletter/2010/01 , you are getting the cached result, rather than the redirected URL from IIRF? Clear your browser cache and request it again, to test this.
I guess it would be easy to just clear the browser cache and re-try it, without even checking Fiddler.

IIS6 - How do I redirect users to another site for every page with a few exceptions?

I have a website setup in IIS 6, let's say it's called http://www.this.com.
I have setup a redirection for this website to http://www.that.com which maintains the directory structure and query parameters as follows:
http://www.that.com$S$Q - using the option "The exact URL entered above"
This works great, whenever someone requests, for example:
http://www.this.com/subfolder/page.aspx?Id=1
then they end up at:
http://www.that.com/subfolder/page.aspx?Id=1
Now, I have one page, actually a handler, http://www.this.com/image.axd, which I do not want to redirect.
What is the syntax for that? I've read the Redirection Using Wildcards section here, but I can't work out how to do what seems to be something straight forward.
Note that image.axd is a handler so I can't just "right click" on it and set the redirection properties as it doesn't physically exist.
I also have a couple of other pages in subfolders which I do not want to redirect, for example:
http://www.this.com/subfolder/donotredirectthispage.aspx
Any help would be appreciated.
Edit: A couple of people have mentioned using ISAPI_Rewrite, for which I'm grateful, but I really don't want to introduce another complexity into the website configuration. IIS seems to imply I can acheive what I want using the ! and 0 through 9 variables.
Is it really not possible to do this using IIS?
My current workaround is to set the redirection properties on ALL folders and pages that I want to redirect except those I do not, but this is a management nightmare.
You could implement a custom error page for the page not found error (404) that does the redirection for you. You'd turn off the redirection in IIS. Build the logic for the redirection in your custom error page. Then configure your web site so that 404 errors redirect to your error page.
If you can install software on your IIS server, I'd recommend using a tool to rewrite your request URLs.
For IIS 6.0 I've used ISAPI_Rewrite and it works really well. It's lightweight and very configurable. There's a "Lite" version available for free and will support your requirements.
You configure the program using a text file containing rules that match HTTP requests and then write actions to perform once a rule is matched. Your instance would probably require a general redirect rule (similar to the one in IIS) and rules for your exceptions.
You should look into the possibility of using a header rewrite module, for example ISAPI_rewrite. There is a free "lite" version available that is enough for your needs.
What this can do for you is the following: Before actual pages are executed on the server, the Request headers are rewritten (or HTTP 301/302 redirects are issued) based on a configurable set of rules. The underlying server sees the remaining requests as if the client really made them in that fashion.
The following rules would leave image.axd requests alone, while redirecting everything else.
# image.axd stays unchanged ("L" is the "last rule" flag)
RewriteCond Host: www.\this\.com
RewriteRule ^.*?\bimage\.axd\b.* $0 [L]
# all requests that have not been stopped by an earlier rule
# end up here ("RP" is the "permanent redirect" flag)
RewriteCond Host: www.\this\.com
RewriteRule .* http://www.that.com$0 [RP,L]

Sending Messages to Squid Proxy Users

Is it possible to send custom HTML messages to users when they first start a
session through a squid proxy server?
I want to be able to redirect a users first request to the "message of the
Day".... then the rest of their browsing requests for the remainder of the
session go without being redirected.....
Detailed Steps:
User opens browser. (Browser is configured to use the Squid Proxy)
User opens http://google.com (or other url of their choice)
Instead of getting Google.com they are redirected to http://somewhere.else.com/MOD.html
User reads the MOD
User types http://google.com again (or other url of their choice) This time
the browser goes to the correct destination with no redirection.
Would I have to develop or locate a Squid Proxy Server Plug-in to perform this
kind of action or is this something the SQUID server can do with a little custom
code?? (Perl etc)
There's a line in the squid conf you can add like redirect_script. Write a Perl program that takes input - one URL per line. It outputs the url you are going to redirect the user to. The UpsideDownTernet script is an example.
Now change the script to output your MOTD the first time, and every other time just echo the URL back.
The problem is, how do you tell user requests apart? Well at this point you need to use a redirect_program line instead of redirect_script...
Squid will pass in several arguments to the program:
URL ip-address/fqdn ident method
URL is the URL requested
ip-address/fqdn is the IP address or fully qualified domain name of the client (web browser) which requested the page.
ident is the identity of the user running the web browser. Unless you configure squid to do ident lookups, this will be "-".
method is the request method: "GET", "POST", "HEAD"
Reference: http://taz.net.au/block/
At that point you can modify your script to determine the "timeout" each user gets between seeing the MOTD (e.g. if he doesn't visit a website for 12 hours, he gets the message) or whatever.
I came across a good book on Squid titled Squid Proxy Server 3.1: Beginner's Guide by Packt. You can read more about it here https://www.packtpub.com/squid-proxy-server-31-beginners-guide/book. Maybe it will come in handy