.
In Chrome's developer tools, under the "Network" tab, I can see redirect paths and HTTP status code if I check "Preserve log". See image above, where you can see the domain ap.no redirect to
www.aftenposten.no and returning a status code 301.
My problem is that it doesn't work for all sites. Are there situations where Chrome will not be able to know that a redirect has happened?
One example is amazon.com, which redirects to www.amazon.com, but I cannot see the redirect in Chrome's developer tools.
Is there another way to see the redirect info in these cases where Chrome doesn't seem to pick it up?
Try these methods to get around the issue (in order of complexity):
Use an incognito window when you load the page.
Use the extension "Cache Killer" to disable caching of data.
If all else fails, clear all browsing data from Chrome.
In this instance, only clearing browsing data helped, but I regularly use Cache Killer and incognito window when I am testing my own websites.
Related
I am using OWASP ZAP for security testing. I tried to do Ajax spider attack on my admin dashboard page. But in the message, out of scope is shown and browser is also not opening. What shall I do to fix this and open browser and to perform this test?
By default ZAP will only follow URLs that are in the same domain, otherwise it could end up trying to spider the whole internet :)
Look at the URLs it is reporting - 'http://detectportal.firefox.com/success.txt' - these are not in the same domain as your app, and are almost certainly not part of it.
So thats not the problem. Which browser and version are you using? Have you checked that ZAP is up to date?
You'll probably get more (and faster) help on the ZAP User Group :) https://groups.google.com/group/zaproxy-users
I tried again by re-installing ZAP. then it worked fine as shown in screenshot. also the webpage is opened in the browser.
I am trying to debug a webpage with chrome developer tools and the page redirects to a pdf file after it loads. I checked JavaScript files and there is not any place that we redirect the page. I cannot find any related message in developer tool console or network tab.
I activated event Listener Breakpoints -> beforeunload but it stops at an external js file (Placeholders.js) which is not related to redirecting.
Also, preserving Logs in network tab does not help me on finding root cause of redirect.
I am wondering how can I find the source of this redirect?
UPDATE: There is not any "refresh" meta tag in the html code.
There are a couple of things you can do. You can use the Event Listener Breakpoint -> Load - unload and then when it breaks in the 3rd party library, right click and select Blackbox Script. The next time you play through the code, it should only break in your own code (assuming there are no other 3rd party libraries to blackbox).
Another option is to go to the Network tab and check the Preserve Log checkbox. This will persist all requests between page loads/navigation, so that you will be able to find the network request that returned the PDF response.
We are developing an app that makes posts on behalf of our users to Facebook. Within those posts, we want to put links to external (non-Facebook) websites.
Looking at the links in the status bar of the browser (usually Chrome), the correct URL is displayed. However, Facebook seems to wrap the actually-clicked link into some extra bells-and-whistles. Usually, this works correctly.
Sometimes, however, this URL wrapping ends up sending the click to a URL like:
http: //spywaresite.info/0/go.php?sid=2
(added space to make it non-browsable!) which generates Chromes severe warning message:
This happens very occasionally on Chrome, but very much more often in the iOS browser on the iPhone.
Does anyone have any pointers as to how to deal with this?
EDIT
For example, the URLs we put in the link is
http://www.example.com/some/full/path/somewhere
but the URL that actually gets clicked is:
http://platform.ak.fbcdn.net/www/app_full_proxy.php?app=374274329267054&v=1&size=z&cksum=fc1c17ed464a92bc53caae79e5413481&src=http%3A%2F%2Fwww.example.com%2Fsome%2Ffull%2Fpath%2Fsomewhere
There seems to be some JavaScript goodness in the page that unscrambles that and usually redirects correctly.
EDIT2
The links above are put on the image and the blue text to the right of the image in the screenshot below.
Mousing over the links (or the image) in the browser shows the correct link. Right-clicking on the link and selecting "Copy Link Address" gets the fbcdn.net link above (or one like it). Actually clicking on the link seems to set off some JavaScript processing of the fbcdn.net link into the right one... but sometimes that processing fails.
I'm not 100% sure what you're asking here, but i'll tell you what I know:- are you referring to this screen on Facebook?
(or rather, the variation of that screen which doesn't allow clickthrough?)
If you manually send a user to facebook.com/l.php?u=something they'll always see that message - it's a measure to prevent an open redirector
if your users are submitting such links, including the l.php link, you'll need to extract the destination URL (in the 'u' parameter)
If you're seeing the l.php URLs come back from the API this is probably a bug.
If links clicked on facebook.com end up on the screen it's because facebook have detected the link as suspicious (e.g. for URL redirector sites - the screen will allow clickthrough but warn the user first) or malicious/spammy (will not allow clickthrough)
In your app you won't be able to post links to the latter (an error will come back saying the URL is blocked), and the former may throw a captcha sometimes (if you're using the Feed dialog, this should be transparent to the app code, the user will enter the captcha and the dialog will return as normal)
If this isn't exactly what you were asking about please clarify and i'll update my answer
Rather than add to the question, I thought I'd put more details here.
It looks like the Facebook mention in the original title was mis-directed, so I've removed it.
We still haven't got to the bottom of the issue.
However, we used both Wireshark and Fiddler to look at the HTTP traffic between the Chrome browser (on the PC) and Facebook. Both showed that Facebook was returning the correct URL refresh.
Here's what Wireshark showed:
What we saw on Fiddler was that our server is issuing a redirect to the spywaresite.info site:
We are working with our ISP to figure out what is happening here.
Problem
I have an application driving a tab on a client's page. The application works correctly if the user has not enabled FB's "secure browsing" feature. If attempting to view over HTTPS, the iframe doesn't even appear (no errors, no mixed-content warnings). When correctly loading over HTTP, the div with the id "pagelet_app_runner" has an iframe inserted into it and the application content is loaded inside there. Over HTTPS, this div remains empty and the iframe is not inserted into the page. There are no Javascript errors appearing in Firebug or Chrome's equivalent console.
Why I'm Asking Here
The host has a valid SSL certificate and there is no 'mixed content' at the URL in question. I can successfully view the content over HTTP or HTTPS by visiting the URL directly, and I can do the same by visiting apps.facebook.com/canvasURL/tabURL. It is only when attempting to view within a Page Tab that the HTTPS load fails as described above. My application is configured with both regular and secure canvas and tab URLs.
Attempted Debugging
I've recorded some sessions with Charles but since the iframe isn't being inserted into the page, I think I'm coming at the problem after it's already occured. I'm no Charles expert so happy to be corrected here.
Apache isn't seeing any request (in either regular or ssl logs) for the affected loads. non-SSL loads come through as expected in access_log.
Plea for Help
I'm out of ideas for debugging this. Does anybody have any suggestions? What really obvious and stupid mistake might I have made? :)
edit: nicer formatting
Your app canvas URL is https://skinnycomp.nextstudio.com.au/skinnycowcomps/ , which send 404 error to Facebook proxy (request is going through proxy when viewing app via tab), also when viewing your app via apps (https://apps.facebook.com/122381834451561/), again 404... maybe Facebook proxy is ignoring 404 and posting blank...
Try changing canvas URL to https://skinnycomp.nextstudio.com.au/skinnycowcomps/tab, also you can check if your app is accessed via page tab, in signed_request there should be page_id...
23:51:15.379[549ms][total 1667ms] Status: 404[Not Found]
GET https://skinnycomp.nextstudio.com.au/skinnycowcomps/
This is a real longshot since I'm sure you've triple checked all the settings, but the blank page can happen if an invalid url is specified in the Page Tab URL field in the app settings. Since it only happens on https, it would imply something specifically with the Secure Page Tab URL entry. It might be worth checking that again, and maybe even re-saving it or changing it to something else to see if it helps.
I was using relative URLs for the regular and secure tab URL fields. From memory relative URLs here were mandatory at some point in the past. It appears now that a relative URL will still work for HTTP but not for HTTPs. Fix: absolute URLs. Hopefully FB update their field validation to match what's required too.
When i run my scripts as Junit test case, the browser opens up and also tries to open the provided URL. But, only the header and footer of the website is opened with the message "Cookies and Javascript Required
In order to correctly view this website, you will need Cookies and Javascript enabled on your browser. To set your browser to support these requirements, please visit your browser's help menu for the appropriate instructions."
This makes the entire script to fail as the Web elements are not displayed.
You need to provide some more information:
Does this behavior happen when you access the site normally i.e. without Selenium RC involved?
Which browser are you using?
Have you tried another browser? You can do that by changing the parameters in this line:
seleniumId = new DefaultSelenium( "localhost", 4444, "*iexplore", "http://URL");
(A useful trick is to put garbage in the browser parameter and when you run it, the error message shows all the allowable browser strings.)
Have you tried to enable cookies and Javascript? What happens then?
If you don't want cookies and Javascript enabled normally and you are using FireFox, you can set Selenium RC up to use a special proxy that does allow this (but only for Selenium tests). See here