out of scope error shown in ajax spider attack in zap - owasp

I am using OWASP ZAP for security testing. I tried to do an Ajax spider attack on my admin dashboard page, but in the message 'out of scope' is shown and the browser is also not opening. What shall I do to fix this, open the browser and perform this test?

By default ZAP will only follow URLs that are in the same domain, otherwise it could end up trying to spider the whole internet :)
Look at the URLs it is reporting - 'http://detectportal.firefox.com/success.txt' - these are not in the same domain as your app, and are almost certainly not part of it.
So that's not the problem. Which browser and version are you using? Have you checked that ZAP is up to date?
You'll probably get more (and faster) help on the ZAP User Group :) https://groups.google.com/group/zaproxy-users

I tried again by re-installing ZAP. Then it worked fine, as shown in the screenshot. Also, the webpage is opened in the browser.

See full redirect path and HTTP status code (in Chrome)

In Chrome's developer tools, under the "Network" tab, I can see redirect paths and HTTP status codes if I check "Preserve log". See image above, where you can see the domain ap.no redirecting to www.aftenposten.no and returning a status code 301.
My problem is that it doesn't work for all sites. Are there situations where Chrome will not be able to know that a redirect has happened?
One example is amazon.com, which redirects to www.amazon.com, but I cannot see the redirect in Chrome's developer tools.
Is there another way to see the redirect info in these cases where Chrome doesn't seem to pick it up?
Try these methods to get around the issue (in order of complexity):
Use an incognito window when you load the page.
Use the extension "Cache Killer" to disable caching of data.
If all else fails, clear all browsing data from Chrome.
In this instance, only clearing browsing data helped, but I regularly use Cache Killer and incognito window when I am testing my own websites.
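When the browser's own log is not trustworthy (cached redirects, as in the answer above), walking the chain hop by hop outside the browser shows every intermediate status and Location header. This is an added example, not code from the question or answers; `live_fetcher` uses only the standard library, and `SAMPLE` is a constructed stand-in server so the block runs offline.

```python
# Walk an HTTP redirect chain one hop at a time so every intermediate status
# code and Location header is visible (added example, not from the thread).
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

# A fetcher returns (status_code, Location header or None) for one URL
# without following redirects itself.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]
REDIRECT_CODES = {301, 302, 303, 307, 308}

def walk_redirects(url: str, fetch: Fetcher, max_hops: int = 10) -> List[Tuple[str, int]]:
    """Return [(url, status), ...] per hop, ending at the first non-redirect
    response. Raises ValueError on a loop or when max_hops is exceeded."""
    seen, chain = set(), []
    while True:
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES or not location:
            return chain
        if len(chain) >= max_hops:
            raise ValueError(f"more than {max_hops} redirects")
        url = urljoin(url, location)  # Location may be relative

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects, so each 3xx surfaces as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_fetcher(url: str) -> Tuple[int, Optional[str]]:
    """Fetcher backed by the standard library; needs network access."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

# Constructed stand-in for a server, so the example runs offline.
SAMPLE = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (302, "/home"),  # relative Location header
    "https://example.com/home": (200, None),
}
```

Against a real site, call `walk_redirects("http://amazon.com/", live_fetcher)`; the offline run is `walk_redirects("http://example.com/", SAMPLE.__getitem__)`.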

Facebook showing page not found when sharing link

I'm sharing content from a website and every time I paste the link into Facebook it says 'page not found'.
Sometimes it works when I manually add the 'www.' in front of the URL in the address bar.
EXAMPLE
Shows page not found:
http://roundreviews.co.uk/reviews/speakers/native-union-monocle-speaker/
Works when you manually place www. in front:
www.roundreviews.co.uk/reviews/speakers/native-union-monocle-speaker/
I honestly have no idea why it's doing this; any thoughts on how it can be fixed on the web side?
Also...
I have tried the link below both with the www. and without, yet it doesn't work with either of them; this is all very strange. This is the only link I have tried where it doesn't work with both:
www.roundreviews.co.uk/microphones/spark-digital-microphone/
Any help is much appreciated, thanks.
For me, what worked was to access the Facebook Debugger, as Goose said.
I saw that the scrape was about 12 hours ago; it looks like it fetches the first time and saves it as a cache or whatsoever...
What worked for me was to debug the URL, then click "fetch new scrape information" after the previous information has been shown.
Hope it works!
For those running across this today, you might find that you also need to verify your domain and link it to your page.
To do this you need to
Set up a Facebook Business Account
Add your page to the business account
Verify your domain (using a DNS TXT record or adding a page Facebook gives you)
Under domains, connect your page as an asset of that domain

Facebook App Not Displayed Insecure Content Message In Chrome

I've been trying to get to the bottom of this problem for a few hours, but I can't seem to fix it. I've seen other questions similar to this and tried to use those to implement a fix for my problem, but to no avail.
I've built a Facebook contest canvas app which displays fine independently, but when I link it to a Facebook page (as a link to a new contest) Chrome no longer displays it and gives the following warning:
The page at 'https://www.facebook.com/contest/app_xxxxxxxx' was loaded over HTTPS, but ran insecure content from 'http://mydomain.com/': this content should also be loaded over HTTPS.
I've learned, partly by trawling this site, that Chrome's security is fussier, and the app loads correctly without errors in Firefox and IE, but I can't find any resources that are loaded from a non-HTTPS source.
I have been through with Firebug checking in the Net tab and checked that all of the loaded resources are using HTTPS (the PNG images, the JPG images, the CSS files and the jQuery JS files, which are all hosted on the same server that has the certificate); I have even tried hosting the transitional DTD doc itself, but nothing seems to make the warning go away and the app display correctly.
In the other similar questions it seems that there are either resources sourced from non-HTTPS sources or there are SSL switches used in the JavaScript library for Facebook, passed before the FB init.
The problem is that I am using only the PHP SDK, not the JS one (although I am using version 1.9 of jQuery, hosted on my server), and I could find no similar SSL-specific settings there.
If someone could give me a tip about how I could investigate further, what I might be missing or is familiar with this issue I'd be interested to hear about it.
Thanks a lot.
David
Facebook requires the app to come from https://. You need an SSL certificate on your server and to enable SSL. In the Facebook app settings, change the secure URL to the https://mydomain.com URL.
I did have a similar issue recently (but it only caused issues on IE10) and I resolved that by adding a P3P header:
header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
Found the solution!
In the Facebook app settings, if the page tab URL is specific to a page, e.g. https://www.mydomain.com/index.php, Chrome doesn't complain with the insecure content message, but if you reference a directory the error is propagated. I found this confusing since the 'canvas' URLs need to be directories.
I hope this answer will save someone a few hours! :)
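The question above went through every loaded resource by hand in Firebug. The check below does the same over the page's static HTML: it resolves each fetched attribute against the page URL and flags only explicit http: references, treating relative and protocol-relative URLs as inheriting the page's scheme and ignoring the DOCTYPE's DTD URL (which browsers never fetch). This is an added example, not code from the thread; `SAMPLE_HTML` and its domains are constructed.

```python
# Find sub-resources that a page served over HTTPS would fetch over plain HTTP,
# the condition behind Chrome's "ran insecure content" warning (added example).
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser fetches as a sub-resource.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "embed": ("src",),
    "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "link": ("href",),
}
# A <link> loads something only for these rel values; rel="canonical" is metadata.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}

class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute URL) for every http: sub-resource of an https: page.
    The DOCTYPE's DTD URL is never fetched by browsers, so handle_decl is left
    alone; url(http://...) inside CSS and script-made requests need another check."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.insecure: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            # Relative and "//host/x" URLs inherit the page's scheme, so only an
            # explicit http: URL is insecure; a missing attribute resolves to the page.
            absolute = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))

def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str]]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

# Constructed sample page (not a real site), assumed served from https://www.example.com/app/
SAMPLE_HTML = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><link rel="stylesheet" href="/css/app.css"><link rel="canonical" href="http://www.example.com/app/">
<script src="//code.example.com/jquery-1.9.js"></script>
<script src="http://cdn.example.net/tracker.js"></script></head>
<body><img src="https://www.example.com/logo.png">
<img src="http://static.example.net/banner.jpg"></body></html>"""
```

`find_mixed_content("https://www.example.com/app/", SAMPLE_HTML)` reports only the tracker script and the banner image; the canonical link, the DTD reference and the protocol-relative jQuery URL are correctly left alone.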

security warning in IE9 "Show all content"

I'm implementing the Facebook Comments plugin on my site. Users get the warning "Show all content" in IE9.
This other publisher is using the same plugin and it does not bring up the warning.
Can someone please help me with this?
Asking users to turn off the mixed content warning in their IE9 is not an option.
We were just looking at this today and our workaround for now was to include the Facebook library over HTTPS (even when the page itself is viewed over HTTP). Although not ideal, it gets rid of the mixed content warnings in IE9 until they have fixed their bug.
That seems to be how it was accomplished at www.vg.no linked in the original question, the library is linked via https.
From their code:
<script src="https://connect.facebook.net/nb_NO/all.js"></script>
I have the same problem:
I have a page that's 100% HTTP. But the Facebook JavaScript (which I call over HTTP) is returning assets (.js, images) over HTTPS, which is generating security warnings for IE(9) users.
I have figured out it's the comment widget from Facebook (
Here's an example of a live page on http: with the error:
http://app.gophoto.com/p?id=10173&rkey=CD01891B287792415384&s=1&a=6940
Here's one of the assets that Facebook returns over HTTPS
https://s-static.ak.facebook.com/rsrc.php/v1/y8/r/7Htnnss1mJY.js
(I'm unable to comment (for some reason?) on Joel's answer. But his suggestion to fetch the initial all.js over HTTPS on HTTP sites does not actually work. I've tried it, and it also inherently looks incorrect, since even the initial JS fetch is itself a mix-up of HTTP and HTTPS content.)

Why does IE8 render my site then immediately redirect to its internal 404?

I administer a site, hosted on Yahoo! hosting, which has recently shown a strange behavior: when you visit it in IE8, the page loads and is rendered normally; then, as soon as it finishes rendering, the browser switches to show its local/internal 404 page. The address bar still shows the site URL.
When I view the site in (as far as I can tell) the same state on my local Apache server, it doesn't do this. This leads me to suspect it may have something to do with server configuration and response headers, but I don't know what that might be.
Is anyone familiar with this behavior?
I experienced this behavior when using a .htc hack to provide artificial CSS border-radius support.
I'm not sure what is causing that issue specifically, but you could use a packet capture utility like Wireshark or Fiddler2 to investigate the issue further. Otherwise, it would be helpful if you were to post a link to the site.
Your page contains JavaScript code which modifies the DOM while the page is still loading.
See other SO questions, such as here and here.
Solution: place your DOM manipulation code into <body onload> or jQuery's .ready() to execute after page loading is complete.