I already had handled a scenario of URL tampering where I have filter with regex that compare the query strings and if there are any esacpe or special characters in it that it returns a customized message of "Invalid Parameters" which is shown on the screen.
Now this was working fine till we were using JBOSS 6.4.10 but after upgrading it to JBOSS 6.4.20, it is not even hitting the filter, somewhere JBOSS 6.4.20 is validating the request URI having escape characters/curly braces in my case and throws a 400 bad request error.
Please avoid providing solutions like upgrade to JBOSS 7 or etc. I am aware that JBOSS 7 has a flag "ALLOW_UNESCAPED_CHARACTERS_IN_URL" that resolved this issue but I cannot use JBOSS 7.
As far as I know, this behavior is related with the following security vulnerability: CVE-2016-6816 .
Try the tomcat.util.http.parser.HttpParser.requestTargetAllow sytem property. Any characters listed in the value of this property will be allowed again. Another alternative is to downgrade to JBoss EAP 6.4.12 or earlier.
Add the following in argument Standalone.conf file
JAVA_OPTS="$JAVA_OPTS -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='{|}'"
I am deploying the sailsjs code to a production environment where the username has a special character. For example, user#sitename
As of Sails v1 onwards, the mysql connection is based on a URL string format.
mysql://user#site1:myPassWord#localhost:3306/awesomedbname
If we have "#" for the username, the site1 becomes the host.
Anyone knows how to fix this?
I'va noticed that if the requests send via REST consumer return an error (invalid scheme, connection refused, error 400, etc.) the REST consumer doesn't work anymore. To get it back, I had to reload the definition file.
I think that this may be a bug.
Moreover, during these tests, I've also noticed that not all the URL were accepted. For example, by omitting the "http://" Proton returns "invalid scheme" error. Whereas, URL with "-" isn't parsed correctly and the "connection refused" error is returned.
It'd very helpful to have a list of prohibited characters.
Thanks.
In using a browser to test our website, I enter a purposefully incorrect username/password, and get an html page back from the application telling me the login has failed and to "Please check my username & password, then try again". Viewing the source for this page, I can't find a "401" embedded anywhere.
But mimicking the above using wget:
wget http://servername:8011/ui/login.do --post-data="loginId=NotAUser&password=NotAPassword" -U Mozilla -o log.txt
the output file contains "401 Unauthorized", but none of the html mentioned above.
Is there a way to get the html page I was expecting, and just check for the 401 return code with a "$?" test?
The "401 Unauthorised" you're getting is in the headers of the response from the server. A 401 response doesn't have an HTML - it's just an error code.
The page that you describe in the browser is actually generated by the browser, not sent back from the server. Browser vendors generate meaningful error pages rather than just displaying "401 Unauthorized" or "404 Page Not Found" to the user. There's no way to get the HTML code you're seeing using wget because it's not part of the HTTP conversation.
wget used to stop on a non-200 response code and not retrieve the body of the reply. It has been updated to correct this behaviour and versions 1.14-1 and later should work as expected:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=247985
If you're stuck with an older version or can't get it to work, why not try curl instead?
https://superuser.com/questions/253826/how-to-use-wget-to-download-http-error-pages
I'm trying to generate a Perl library to connect to a WebService. This webservice is in an HTTPS server and my user has access to it.
I've executed wsdl2perl.pl several times, with different options, and it always fails with the message: Unauthorized at /usr/lib/perl5/site_perl/5.8.8/SOAP/WSDL/Expat/Base.pm line 73.
The thing is, when I don't give my user/pass as arguments, it doesn't even asks for them.
I've read [SOAP::WSDL::Manual::Cookbook] (http://search.cpan.org/~mkutter/SOAP-WSDL-2.00.10/lib/SOAP/WSDL/Manual/Cookbook.pod) and done what it says about HTTPS: Crypt::SSLeay is instaleld, and both SOAP::WSDL::Transport::HTTP and SOAP::Transport::HTTP are modified.
Can you give any hint about what may be going wrong?
Can you freely access the WSDL file from your web browser?
Can someone else in your network access it without any problems?
Maybe the web server hosting the WSDL file requires Basic or some other kind of Authentication...
If not necessary ,I don't recommend you to use perl as a web service client .As you know ,perl is a open-source language,although it do support soap protocol,but its support do not seem very standard.At first,its document is not very clear.And also ,its support sometimes is limited.At last,bug always exists here and there.
So ,if you have to use wsdl2perl,you can use komodo to step into the code to find out what happened.This is just what I used to do when using perl as a web service client.You know ,in the back of https is SSL,so ,if your SSL is based on certificate-authorized,you have to set up your cert path and the list of trusted server cert.You'd better use linux-based firefox to have a test.As I know ,you can set up firefox's cert path and firefox's trusted cert list.If firefox can communicated with your web service server succefully,then,it's time to debug your perl client.
To debug situations with Perl and SOAP, interpose a web proxy so you can see exactly what data is being passed and what response comes back from the server. You were getting a 401 Not authorized, I expect, but there may be more detail in the server response.
Both Fiddler http://docs.telerik.com/fiddler and Charles proxy https://www.charlesproxy.com/ can do this.
The error message you quote seems to be from this line :
die $response->message() if $response->code() ne '200';
and in HTTP world, Unauthorized is clearly error code 401, which means your website asks for a username and password (most probably, some website may "hijack" this error code to cater for other conditions like a filter on the source IP).
Do you have them?
If so, you can
after wdsl2perl has run, find in the created files where set_proxy() is called and change the URL in there to include the username and password like that : ...->set_proxy('http://USERNAME:PASSWORD#www.example.com/...')
or your in code, after instantiating the SOAP::WSDL object, call service(SERVICENAME) on it (for each service you have defined in your WSDL file), which gives you a new object, on which you call transport() to access the underlying transport object on which you can call proxy() with the URL as formatted above (yes it is proxy() here and set_proxy() above); or you call credentials() instead of proxy() and you pass 4 strings:
'HOSTNAME:PORT'
the realm, as given by the webserver but I think you can put anything
the username
the password