How to get wsdl work on a web - soap

I am new to WSDL. I have 2 URLs for 2 WSDLs (e.g. htp://something/1?WSDL and htp://something/2?WSDL). The WSDLs contain SOAP.
I know the 1?WSDL part is working fine on the web site but the problem is I need to call out another element from 2?WSDL...
1?WSDL is user information
2?WSDL is something about the user, all I need to call out from here is the total online time (example)
So after the user login, the page will look like below
User name | Registered date | total post count | total online time
y7775 | 11-05-2013 | 368 | 5hrs 36mins
Is this doable?
If so, can someone point me in a direction?
Or should I just put the 2 WSDLs into 1?

Related

Owasp Zap Testing rest api

Is it possible to test a REST API via OWASP ZAP?
URL to attack worked just for GET requests.
For example, my API controllers work only with a token. I have a TokenController, and this controller requires POST data as JSON that includes the password and login. Can I somehow test this controller via OWASP?
The short answer is yes. The long answer - it's complicated :)
Testing REST API is a bit harder than testing web API - you'll have to give ZAP information about your API - which endpoints it has, parameters, etc. Can you share more about your API? Does it have an OpenAPI/Swagger document? Do you have existing tests? You can use either one of those for this task.
I gave a talk about how this can be achieved - you can find the recording here.
It is possible to automate API testing with OWASP ZAP, but to perform the tests, I see two options: offer some usage pattern, for example OpenAPI, for ZAP to consider when extracting the information. A second option would be to run an automated test for ZAP to capture as passive scan information, and after that you can test the session information.
We recommend using the OpenAPI documentation.
The cucumber test would look like this:
    Feature: Security
      This feature is to test pokemon service security

      Scenario: Validate passive and active scan
        Given I import context from open API specification "/v2/api-docs"
        And I remove alerts
          | url                    |
          | http://.*/v2/api-docs* |
        And I import scan policy "javaclean" from file "javaclean.policy"
        When I run active scan
        And I generate security test HTML report with name "java-clean-security-report"
        Then the number of risks per category should not be greater than
          | low | medium | high | informational |
          | 0   | 0      | 0    | 0             |
I am developing steps for ZAP; view them on GitHub: https://github.com/osvaldjr/easy-cucumber/wiki/Security-steps
Example step for import OpenAPI docs:
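    @Given("^I import context from open API specification \"([^\"]*)\"$")
    public void iImportContextFromOpenAPISpecification(String path)
        throws ClientApiException, InterruptedException {
      // Build the full URL of the OpenAPI document on the target under test.
      String url = getTargetUrl() + path;
      log.info("Import Open API from url: " + url);
      // Ask ZAP to import the API definition so it learns the endpoints.
      zapProxyApi.openapi.importUrl(url, null);
      // Wait for the passive scan to finish before checking what was captured.
      waitPassiveScanRunning();
      verifyThatTheProxyHasCapturedHostInformation();
    }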
View other steps in: https://github.com/osvaldjr/easy-cucumber/blob/master/src/main/java/io/github/osvaldjr/stepdefinitions/steps/SecuritySteps.java

SOAPUI ReadyAPI resource parameter in URL

Is there a way to have a parameter at the end of the URL for a Rest request?
This is the URL:
http://localhost:8000/my_user/1000
I've tried to use a parameter for the 1000, like so:
http://localhost:8000/my_user/${#Project#id_test}
This doesn't render 1000 at the end.
Is there a way to do this?
There are REST resource parameter types.
In your case, style should be Template. That should resolve the issue.
To give an example:
While adding a new REST Resource from API use below url instead of plain text value.
In the request you would see as below:
Now, in your test cases, you can use the property expression (the one you were using in the question), i.e., ${#Project#id_test}, for the value field/column, as underlined in the above image.
You may also go through the documentation if needed.
What you're trying to achieve is possible, though I'm not sure about the value you have supplied.
When you set up a RESTful Test Project in SoapUI, you define the root/base url under test.
When you set up the service call in SoapUI, you define the GET, POST settings. In the same place, you can add parameters. Click on the Request tab and you should see an empty table with headings, Name, Value, Style, Level.
You can add your parameter here.
E.g.
Name | Value | Style | Level
id | Smith | QUERY | RESOURCE
When you run the service call and you are not sure your request is correct, click on the Raw tab and that will show what SoapUI is actually sending to your service.

Brakeman unprotected redirect for Rails, S3, Paperclip

I'm getting this warning from Brakeman. As they say, redirects which rely on user-supplied values can be used to “spoof” websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
| Confidence | Class | Method | Warning Type | Message
| High | DocumentsController | download | Redirect | Possible unprotected redirect near line 46: redirect_to(+Document.find(params[:id]).f
In my controller I created a method download that takes the file URL (file stored on Amazon S3 and the URL in my database thanks to Paperclip) and creates a URL (ie. document_url) that will last 3 seconds (for the user to download) thanks to .expiring_url(3)
    def download
      @document = Document.find(params[:id])
      document_url = @document.file.expiring_url(3)
      if URI.parse(document_url).host.include? "domain.com"
        redirect_to document_url, only_path: true
      else
        document_url = nil
      end
    end
I have been trying to pass Brakeman's validation without success. As you can see above, I tried to check if my domain is present in the URL but it did not change the report on Brakeman.
Any idea how to proceed?
I have a similar problem. I passed the warning by utilizing strong parameters like below, though I'm not sure why it works.
    redirect_to referer_param

    def referer_param
      params.require(:referer)
    end
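
The host test in the question is a substring match, so it also accepts hosts that merely contain "domain.com". The following is an added example, not part of the original posts, comparing that check with an exact-host allowlist; the method names, `ALLOWED_REDIRECT_HOSTS` and the sample URLs are assumptions made for illustration.

```ruby
require "uri"

# Constructed placeholder hosts; list the exact hosts your storage URLs use.
ALLOWED_REDIRECT_HOSTS = ["files.domain.com", "domain.com"].freeze

# The check from the question: substring match on the parsed host.
def substring_host_check?(url)
  URI.parse(url).host.to_s.include?("domain.com")
rescue URI::InvalidURIError
  false
end

# Returns a URL string when the target is an absolute https URL whose host
# is exactly on the allowlist; returns nil for everything else.
def validated_redirect_url(url, allowed_hosts = ALLOWED_REDIRECT_HOSTS)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTPS) # rejects http, relative and //host forms
  return nil if uri.userinfo              # rejects user@host forms
  host = uri.host.to_s.downcase.chomp(".")
  allowed_hosts.include?(host) ? uri.to_s : nil
rescue URI::InvalidURIError
  nil
end

# Constructed sample inputs.
SAMPLES = [
  "https://files.domain.com/docs/1.pdf?Expires=1",
  "https://domain.com.other.example/docs/1.pdf",
  "https://notdomain.com/docs/1.pdf",
  "http://domain.com/docs/1.pdf",
  "//domain.com/docs/1.pdf",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |u|
    puts format("%-48s substring=%-5s exact=%s",
                u, substring_host_check?(u), validated_redirect_url(u).inspect)
  end
end
```

In a controller, the redirect would be issued only when `validated_redirect_url` returns a non-nil value, with an error response otherwise.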

RESTful service for PUT/PATCH with image upload - testing with Postman

I am trying to test an app with RESTful services via Postman (awaiting the front-end to be implemented).
The GET/POST and DELETE requests work as expected, but when it comes to PUT and PATCH I'm completely stuck.
I have a simple form with several inputs and files (pdf & image). With the POST request I simply use the "form-data" body to add all needed parameters. But when I try to test the PUT one, "form-data" detects nothing - with or without a "Content-Type" = "multipart/form-data" set in the header.
The PUT only works with the "x-www-form-urlencoded" option for the body, but then I cannot or don't know how to add both files, as I don't have the ability to choose from "Text/File" anymore via Postman's dropdown. Again, adding Content-Type doesn't help a bit.
I tried simulating POST with a "_method"="PUT" both as a URL parameter and as a form input, but it just creates new item instead of updating existing one (with correct route applied).
# Updated with the routes (standard Laravel routes for RESTful services)
GET | api/v1/Collection | api.v1.collection.index
POST | api/v1/collection | api.v1.collection.store
GET | api/v1/collection/create | api.v1.collection.create
GET | api/v1/collection/{item} | api.v1.collection.show
PUT | api/v1/collection/{item} | api.v1.collection.update
DELETE | api/v1/collection/{item} | api.v1.collection.destroy
GET | api/v1/collection/{item}/edit | api.v1.collection.edit
I realize I have to use a hidden input with _method/PUT as key-value, but I have no idea where to add it in Postman. I can only see two options: text input or file.
What am I missing?
I can provide screenshots upon request. Thanks.

Get the first product id in a magento system via soap api (2)?

Question: Is there a way (api call) to get the first product id in a magento install via the soap api.
I'm attempting to download all the products from a Magento system and insert them into a different database (I do the conversion myself, so that's not a bother). What is hard to understand, though, is how I get a list of the product ids without getting all of them, if all I know is that the site is up.
Here's the info I have.
soap end point
soap username
soap apikey (aka password)
Here's what I don't know.
the id of any of the products
the date any of the products were created on or last edited.
For my initial load, I have to do a where product id in, because I expect 20 to 40k product lists won't come back in one soap call.
So I call
where id in (1 -> 100) Nope
where id in (101-> 200) Nope..
Now as you can imagine that code smells something fierce. It works, but I have to think there is a better way..
To expand my question: Is there a better way?
I can post the XML that I'm sending if that helps. The language I'm using to create the soap(xml) is vim, so I don't have code I can paste.
Try This
    $client = new SoapClient('http://localhost/magento8/index.php/api/soap/?wsdl');
    $session = $client->login('soap username', 'soap apikey');
    $filters = array('entity_id' => array(array('lt' => '1', 'gt' => '100'))); // get first 100 results
    $result = $client->call($session, 'catalog_product.list', array($filters));
    var_dump($result);
For more attributes, check this:
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/using_collections_in_magento