fiddler redirect https to localhost - redirect

I have an iPhone app that connects to an HTTPS service in Azure. I want to redirect the iPhone calls via Fiddler to http://localhost:19703 where I am running the same service on my local machine for debugging purposes. I am able to redirect the HTTPS service to another HTTPS service using the following Fiddler script. However, if I use the same script to redirect to localhost:19703, it does not work. Any ideas?
if (oSession.HTTPMethodIs("CONNECT") && (oSession.PathAndQuery == "XXXX.azurewebsites.net:443"))
{
oSession["OriginalHostname"] = oSession.hostname;
oSession.PathAndQuery = "YYYY.azurewebsites.net:443";
}
// If it's an HTTPS tunnel, override the certificate
if (oSession.HTTPMethodIs("CONNECT") && (null != oSession["OriginalHostname"]))
{
oSession["x-overrideCertCN"] = oSession["OriginalHostname"];
oSession["X-IgnoreCertCNMismatch"] = "Server's hostname may not match what we're expecting...";
}
oSession.bypassGateway = true;

Try using this approach:
static function OnBeforeRequest(oSession:Fiddler.Session) {
...
if (oSession.HostnameIs("YYYY.azurewebsites.net")) {
oSession.host = "127.0.0.1:19703";
}
...
}
Complete description of the issue is here.

Related

How to redirect requests to another host using ZAP?

I'm new to ZAP and I don't know much about it's js/ecma scripting.
Basically, I was trying to redirect request to another host.
Say an application that is connected to the ZAP proxy makes a request in a URL:
http://www.somesite.com/path/to/a/file
but I want to change the hostname in the URL to:
another.site.com
so it will actually request to: http://www.anothersite.com/path/to/a/file
Here's the code that I was trying to work but the URL remains unchanged in the request.
function proxyRequest(msg) {
// Debugging can be done using println like this
var uri = msg.getRequestHeader().getURI().toString()
var host = msg.getRequestHeader().getURI().getHost().toString()
print('proxyResponse called for url=' + uri)
if (host == 'download.qt.io') {
uri = uri.replace('download.qt.io/online/', 'mirrors.ocf.berkeley.edu/qt/online/')
msg.getRequestHeader().setHeader('Location', uri)
print('proxyRequest changed to url=' + uri)
}
if (host == 'ftp.jaist.ac.jp') {
uri = uri.replace('ftp.jaist.ac.jp/pub/qtproject/online/', 'mirrors.ocf.berkeley.edu/qt/online/')
msg.getRequestHeader().setHeader('Location', uri)
print('proxyRequest changed to url=' + uri)
}
if (host == 'qtproject.mirror.liquidtelecom.com') {
uri = uri.replace('qtproject.mirror.liquidtelecom.com/online/', 'mirrors.ocf.berkeley.edu/qt/online/')
msg.getRequestHeader().setHeader('Location', uri)
print('proxyRequest changed to url=' + uri)
}
return true
}
Option 1: Replacer Rule
Install the Replacer addon, from the marketplace:
Goto the Tools menu and select 'Replacer Options'.
Setup a rule as shown in the following screenshot.
Save/Okay as appropriate.
Now when your browse etc all your traffic will be redirected/rewritten.
Option 2: HttpSender Script
Create a new HttpSender script, similar to the following example:
function sendingRequest(msg, initiator, helper) {
var host = msg.getRequestHeader().getURI().getHost();
if (host.equals("www.somesite.com")) {
uri = msg.getRequestHeader().getURI();
uri.setEscapedAuthority("www.anothersite.com");
msg.getRequestHeader().setURI(uri);
}
return msg;
}
function responseReceived(msg, initiator, helper) {}
Option 3: Hosts File Entry
Goto a command prompt and nslookup www.somesite.com, note the IP address (w.x.y.z).
In your hosts file, add an entry associating the noted IP (w.x.y.z) with www.anothersite.com.
(You may need to restart ZAP/browsers for this change to take effect. On linux you'll likely need to sudo to edit the file, on Windows you'll need to edit it as an admin user.)
(Further details WRT editing your hosts file: https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/)

Is it possible to secure a ColdFusion 11 REST Service with HTTP BASIC Authentication?

I am setting up a simple REST Service in ColdFusion 11. The web server is IIS 8.5 on Windows Server 2012R2.
This REST Service needs to be secured to prevent unauthorized users from accessing/writing data. For the time being, there will be only one authorized user, so I want to keep authentication/authorization as simple as possible. My initial thought is to use HTTP BASIC Authentication.
Here's the setup for the REST Service:
Source Directory: C:\web\site1\remoteapi\
REST path: inventory
To implement this, I configured the source directory of the REST Service in IIS to authorize only one user, disable Anonymous authentication, and enable Basic authentication.
When I call the source directory directly in a browser (i.e. http://site1/remoteapi/inventory.cfc?method=read), I am presented with the Basic authentication dialog.
However, when I attempt to request the REST path (http://site1/rest/inventory/), I am not challenged at all.
How can I implement HTTP BASIC authentication on the REST path?
So, due to the need to get this done without much delay, I went ahead and using some principles from Ben Nadel's website, I wrote my own authentication into the onRequestStart() method of the REST Service's Application.cfc. Here is the basic code, though it uses hard-coded values in the VARIABLES scope to validate the username and password and also does not include any actual "authorization" setting:
public boolean function onRequestStart(required string targetPage) {
LOCAL.Response = SUPER.onRequestStart(ARGUMENTS.targetpage);
if (!StructKeyExists(GetHTTPRequestData().Headers, "Authorization")) {
cfheader(
name="WWW-Authenticate",
value="Basic realm=""REST API Access"""
);
LOCAL.RESTResponse = {
status = 401,
content = {Message = "Unauthorized"}
};
restSetResponse(LOCAL.RESTResponse);
}
else {
LOCAL.IsAuthenticated = true;
LOCAL.EncodedCredentials =
GetToken( GetHTTPRequestData().Headers.Authorization, 2, " " );
// Credential string is not Base64
if ( !ArrayLen(
REMatch(
"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$",
LOCAL.EncodedCredentials
)
)
) {
LOCAL.IsAuthenticated = false;
}
else {
// Convert Base64 to String
LOCAL.Credentials =
ToString(ToBinary( LOCAL.EncodedCredentials ));
LOCAL.Username = GetToken( LOCAL.Credentials, 1, ":" );
LOCAL.Password = GetToken( LOCAL.Credentials, 2, ":" );
if ( LOCAL.Username != VARIABLES.CREDENTIALS.Username
|| LOCAL.Password != VARIABLES.CREDENTIALS.Password
) {
LOCAL.IsAuthenticated = false;
}
}
if (!LOCAL.IsAuthenticated) {
LOCAL.Response = {
status = 403,
content = {Message = "Forbidden"}
};
restSetResponse(LOCAL.Response);
}
}
return LOCAL.Response;
}

Lighttpd SSL Redirect - windows

I have a home server that I want to only serve pages via https but I have run into some issues. I have been serving non secure pages OK and could access the pages both on the local network and on the web (I'm using ddns.net and have all the port forwarding covered).
I have test certificates properly installed and at the moment the redirects work fantastically on the local network but NOT from the web. Below are the two redirects I have tested - both work locally but both failed to serve secure pages from the web.
NOTE: I use a non-standard port, i.e port 1080, however as mentioned above, non-secure access is all OK so the port forwarding from my gateway router to the server is (at least I think!) fine. Also, I can only browse to the server when I concatenate the port number to the IP / name, i.e localhost:1080 or 192.168.1.1:1080 (which is fine by me) and thus the redirect filters.
In this instance, I can access the pages bot securely and insecurely from the local network but can NOT access securely from the web.
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ "^(.*):1080" {
url.redirect = (".*" => "https://%1$0")
}
}
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = Var.Doo + "/server.pem"
ssl.ca-file = Var.Doo + "/ca.pem"
setenv.add-environment = ( "HTTPS" => "on" )
}
After some web research, I added a condition to the redirects to be able to handle the non-port concatenated URL, however I can neither access the pages securely nor insecurely from the web (locally still works though).
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ "^(.*):1080" {
url.redirect = (".*" => "https://%1$0")
}
else $HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = Var.Doo + "/server.pem"
ssl.ca-file = Var.Doo + "/ca.pem"
setenv.add-environment = ( "HTTPS" => "on" )
}
EDIT: OK, 20 views & counting and no suggestion of an answer yet ...
I know I stated above that I believe the port forwarding is all good, but now I am having second thoughts on that. Any pointers either way?
OK, I spent some more time looking at this and managed to resolve the issue, which was two-fold.
As latterly suspected, my initial assumption that the port forwarding was OK turned out to be incorrect as I had not forwarded the secure port (which lighttpd forcefully defaults to), i.e port 443. Thus the first part of the solution was completing the port forwarding on my gateway router to include that route.
The second part of the solution is a textually minor change to the redirect code in the configuration file to filter on the ports rather than the protocol (the former code may also work but have not tested it). Here's the changed and tested code:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = Var.Doo + "/server.pem"
ssl.ca-file = Var.Doo + "/ca.pem"
setenv.add-environment = ( "HTTPS" => "on" )
}
else $SERVER["socket"] == ":1080" {
$HTTP["host"] =~ "([^:/]+)" {
url.redirect = ( "^/(.*)" => "https://%1:443/$1" )
}
}

SMTP settings work from localhost but on server it doesn't with PHPMailer

This is the issue what i am facing
Localhost
Test mail with SMTP settings work
New user creation mail using the above smtp settings work
Server
Test mail with SMTP settings work
New user creation mail using the above smtp settings doesn't work
I echoed the mail smtp settings in both the cases and they are exactly same. The error i am getting is
SMTP -> ERROR: Failed to connect to server: php_network_getaddresses:
getaddrinfo failed: Name or service not known (0)SMTP Connect()
failed.
Any suggestions would be helpful.
I further debug it. The behavior turns out to be wierd
if (isset($_POST['User']))
{
if (UserUtil::validateAndSaveUserData($model, $_POST))
{
$mailer = new UiMailer();
$mailer->setFrom('fromAddress', 'fromName');
$mailer->setTo('toaddress');
$mailer->setSubject('Test subject');
$mailer->setBody('Test Body');
$mailer->Mailer = 'smtp';
$mailer->Username = 'username';
$mailer->Password = 'password';
$mailer->Host = 'host';
$mailer->Port = 25;
$mailer->SMTPAuth = true;
$status = $mailer->send() ? true : false;
if($status == true)
{
print "Sucess";
}
else
{
print $mailer->ErrorInfo . "</br>";
print "Failuere";
}
exit;
}
}
If i comment the call if (UserUtil::validateAndSaveUserData($model, $_POST)), it works fine. In the function i am validating and saving models using Yii framework. I further debug the function. I have the following relation in the system
User has one person
User has one address
So in the above call, if i comment the address part which $model->address->attributes or $model->address->validate or $model->address->save(), it works fine. The save functionality for address works fine. There are no issues related to it.

how to send a 302 redirect in a request handler of a nginx module?

I am appreciate any help I can get on the following issues.
I am trying to setup a cookie mapping server using nginx module.
In this case, I get a request like 'http://cms.mydomain.com/pixel.gif', and do the following
generate cookie id of mydomain
send a 302 redirect to browser like 'cms.otherdomain.com/pixel.gif?cookie_id=xxxx'
then other domain's cms redirect this request back, i'll get both cookie id and record the mapping.
and now I wonder what to do to send a 302 redirect back to browser, in a nginx request handle, deal with a ngx_http_request_t *r ?
You have to build your url into a variable rs, then set it into nginx r->headers_out.location likes this:
r->headers_out.location = ngx_list_push(&r->headers_out.headers);
if (r->headers_out.location == NULL) {
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
}
r->headers_out.location->hash = 1;
r->headers_out.location->key.len = sizeof("Location") - 1;
r->headers_out.location->key.data = (u_char *) "Location";
r->headers_out.location->value.len = r->uri.len + r->args.len + 2;
r->headers_out.location->value.data = (u_char *) rs;
return NGX_HTTP_MOVED_TEMPORARILY;