how to see httpS request & headers on win? - rest

I'm working on developing some tests that will work with rest api.
I have restClient in Firefox and my eclipse where I run requests through HttpsURLConnection.
My problem is that sometimes when i send Exactly Same requests through restClient and java - i get different responses. I’ve been having that problem forever..
Usually I’d find the way around after sometime. It would be super helpful If I could see requests that were sent and compare it...
I don't have adminRights on my Pc, so i was looking into some portable apps. I also have wireShark but it wouldn't help.

try that tool, it is called burpsuite. You can install cert to your burpsuite and then once it is all set you will be able to read all requests.
http://portswigger.net/burp/
Hope that helps.

If you have the SSL private key, then you can decrypt the HTTPS packet using the Wireshark.
http://wiki.wireshark.org/SSL
If not, it is difficult.

You can see http headers of any website on any browser like this:
javascript:var req = new XMLHttpRequest();req.open('GET', document.location, false);req.send(null);var headers = req.getAllResponseHeaders().toLowerCase();alert(headers);
Paste above code to address bar of browser and hit enter.

Related

PHPStorm REST Client - Basic Authentication

I have written my own API which requires basic authentication, such as:
user:james
pass:1111
I can call resources using urls such as:
http://api.james.com/myapi/orders/get
I wish to be able to use the REST client in PHPStorm but I cannot work out how to send my authentication details. Does anyone know how to do this? Do you have to setup a Proxy server, or can you pass the authentication somehow in the URI above?
Any help would be appreciated.
Regards
James
For usage Basic Auth you will need send header 'Authorization', for example:
Authorization: Basic amFuc29uQG1haWwucnU6MTIzNDU2
Value of this header you can get from debug console of your browser (firebug in FireFox or developer tools in Chrome). Start GET request from your browser, when you will need authorize - do it. Than open debug console 'network' tab and try this request one more time.
Now you will find in headers new one 'Authorization', that formed by browser when you was authorized.
Just copy content of this header and use it in PhpStorm REST-client.

Flickr API request over HTTPS, is it possible?

After migration to https we had a problem with the flickr-api. Cannot find whether the Flickr supports rest over https?
We expect to make this kind of request which works fine over http and no way over https.
https://api.flickr.com/services/rest/?format=json&sort=interestingness-desc&method=flickr.photos.search&tags=Italy&tag_mode=all&api_key=<key>
Any help please or advise?
You can simply replace: http://api.flickr.com/services
with: https://secure.flickr.com/services
Taken from Here
**** Update ****
As Michael pointed out, the URL has changes and it's now - https://api.flickr.com/services
After some hours of searching and posting at yws-flickr. We've seen for two workarounds:
proxying flickr request through your server via https (more load and
some security issues may come out)
pereodically update database of
links via cron service (implement this one)

Fiddler2 - How do I URlDecode the Request body for Viewing?

I'm using Fiddler to debug some particularly painful AJAX code, and in the POST requests that are being sent across to the server the Request BODY is UrlEncoded. This leads to me having to cut and paste the text into an online app to UrlDecode the text into the JSON object for the request. There has to be a better way to do this.
Does anyone know how I can make fiddler automatically URLDecode the body of the POST Request?
Well, you can simply press CTRL+E to decode locally. But depending on the format, you may also be able to use the WebForms Inspector.
Fiddler can manipulate the HTTP request and response in any way you like:
https://stackoverflow.com/a/23615119/264181

How to implement NTLM Authentication for UIWebView?

I have a use case where a UIWebView may need to connect with a web server secured with NTLM. I also have a use case where I already have the credentials to be passed. So instead of forcing the user to enter them, how do I perform the handshake with the UIWebView?
UPDATE:
Using this method here works well enough when you are doing simple GET requests, but utterly fails when doing POSTs, for the mere fact that it is doing a GET after it is posted.
The ASIHttpRequest and ASIWebPageRequest have the same problem. GET requests work wonders, but any POSTs just don't work. If only the world worked on just GET requests.
I have been able to use this method of including the username and password in the HTTP request string, but that is so grossly insecure as to defy reason for using it. Using a sniffer I am able to see the three-way handshake occur without any problems on both GET and POST requests.
You can set the default credential:
NSURLProtectionSpace *protectionSpace = [[NSURLProtectionSpace alloc]
initWithHost: _host
port: 80
protocol: #"http"
realm: _host
authenticationMethod:NSURLAuthenticationMethodNTLM];
[[NSURLCredentialStorage sharedCredentialStorage] setDefaultCredential:[NSURLCredential credentialWithUser:_username password:_password persistence:NSURLCredentialPersistenceForSession] forProtectionSpace:protectionSpace];
Now you can let your webviews do the request, and when it encounters your protenctionSpace it logs in using the given credentials
As of iOS 3.2 and 4.1, there is no public delegate for intercepting the NTLM challenge. There is, however, a private API that can be overriden to give proper support for this. Since this would put your application in danger of being rejected, I will forgo posting the code because it is of no worth for App Store development at the present time.
If you're willing to try some experimental code, you could use ASIWebPageRequest.
It would be a bit hacky, as you'd have to download the page content with ASIWebPageRequest, load it into a UIWebView, then capture any link clicks in the web view and repeat the process again (if the content at the URL requires authentication). Also, I think you'd have to manage your own history stack.
I don't think it would be easy, but it does seem doable, and it seems like it should work as long as the ASIWebPageRequest code isn't too buggy or limited.
UIWebView doesn't support authentication at all. Up to iPhone OS 3.1, you could add credentials to the central credential storage and UIWebView would at least work with basic authentication. But starting with iOS 4.0, I don't see any way to use authentication (except cookie or URL based forms authentication).

Why does Fiddler break my site's redirects?

Why does using Fiddler break my site sometimes on page transitions.
After a server side redirect -- in the http response (as found in Fiddler) I get this:
Object moved
Object moved to here.
The site is an ASP.NET 1.1 / VB.NET 1.1 [sic] site.
Why doesnt Fiddler just go there for me? i dont get it.
I'm fine with this issue when developing but I'm worried that other proxy servers might cause this issue for 'real customers'. Im not even clear exactly what is going on.
That's actually what Response.Redirect does. It sends a 302 - Object moved response to the user-agent. The user-agent then automatically goes to the URL specified in the 302 response. If you need a real server-side redirect without round-tripping to the client, try Server.Transfer.
If you merely constructed the request using the request builder, you're not going to see Fiddler automatically follow the returned redirect.
In contrast, if you are using IE or another browser, it will generally check the redirect header and follow it.
For IE specifically, I believe there's a timing corner case where the browser will fail to follow the redirect in obscure situations. You can often fix this by clicking Tools / Fiddler Options, and enabling both the "Server" and "Client" socket reuse settings.
Thanks user15310, it works with Server.Transfer
Server.Transfer("newpage.aspx", true);
Firstly, transferring to another page using Server.Transfer conserves server resources. Instead of telling the browser to redirect, it simply changes the "focus" on the Web server and transfers the request. This means you don't get quite as many HTTP requests coming through, which therefore eases the pressure on your Web server and makes your applications run faster.
But watch out: because the "transfer" process can work on only those sites running on the server, you can't use Server.Transfer to send the user to an external site. Only Response.Redirect can do that.
Secondly, Server.Transfer maintains the original URL in the browser. This can really help streamline data entry techniques, although it may make for confusion when debugging.
That's not all: The Server.Transfer method also has a second parameter—"preserveForm". If you set this to True, using a statement such as Server.Transfer("WebForm2.aspx", True), the existing query string and any form variables will still be available to the page you are transferring to.
Read more here:
http://www.developer.com/net/asp/article.php/3299641/ServerTransfer-Vs-ResponseRedirect.htm