http://admin:123456#192.168.1.178/videostream.cgi
To access a url that doesn't require http authenticate it's quite easy:
telnet 192.168.1.178 80
Get /videostream.cgi HTTP/1.1
Accept: text/html;text/plain
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.13) Gecko/20100914 Firefox/3.5.13
Connection: close
But how to specify admin:123456?
See the RFC or This Wikipedia article.
It can be educational to use Wireshark, or some other LAN sniffer, to watch what a browser and server do when you access a URL with embedded credentials such as your http://admin:123456#192.168.1.178/videostream.cgi
For basic authentication, you specify the username and password as username:password, then Base64-encode it and use it as an argument to the Authentication header:
Authorization: Basic YXNkZjoxMjM0
YXNkZjoxMjM0 decodes to asdf:1234; I used curl -u adsf:1234 (specifying the username "asdf" and password "1234") to produce this result.
Related
We have a site using Windows authentication sitting behind a firewall that we are accessing through ProxyPass. We then need to access an API application on the same server, but are receiving a 401 unauthorized error when using rewrite_proxy rules when we try to access it. How can we pass the credentials for authentication?
To perform the initial redirect from the secure serve to the internal application server:
In the https.conf file
ProxyPass /blastdev/ http://10.0.212.198/blastdev/
This seems to be working correctly and is loading the content on the page until we reach the api calls:
in the .htaccess file
RewriteCond %{REQUEST_URI} ^/blastdev/blast(.*)
RewriteHeader X-Remote-User: .* %{REMOTE_USER}
RewriteHeader X-Logon-User: .* %{LOGON_USER}
RewriteHeader AUTH_TYPE: .* %{AUTH_TYPE}
RewriteProxy ^/blast/(.*)$ http://10.0.212.198/blast/$1 [NC, A, CR]
simply to try to show any user information. All fields are showing blank though.
Here are the headers we are currently sending:
Headers:
'Cache-Control'='no-cache'
'Pragma'='no-cache'
'Expires'='Sat, 01 Jan 2000 00:00:00 GMT'
'Accept'='application/json, text/plain, */*'
'Accept-Encoding'='gzip, deflate'
'Accept-Language'='en-US,en;q=0.9'
'Referer'='http://dev.*******.com/blastdev/'
'User-Agent'='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'
'X-REQUEST-URI'='/blastdev/blast/api/usermanager/'
'X-Rewrite-Url'='/blastdev/blast/api/usermanager/'
'X-Original-Url'='/blastdev/blast/api/usermanager/'
'X-logio_http_input_size'='0'
'X-logio_request_headers_size'='746'
'X-Remote-User'=''
'X-Logon-User'=''
'AUTH_TYPE'=''
'Max-Forwards'='10'
'X-Forwarded-Host'='dev.*******.com'
'X-Forwarded-For'='10.1.13.42'
'X-Forwarded-Server'='10.0.90.54'
We need to be able to access the current user if they are AD authenticated and see that they are anonymous if not.
Any additional assistance in tests we can run for further troubleshooting would also be appreciated.
I am switching over from Flash to HTML5, and I am having trouble connecting my socket over from the browser in HTML5 to Node.js.
For example, I get this error in the Firefox debugger:
The connection to ws://127.0.0.1:2500/ was interrupted while the page was loading.
Firefox can’t establish a connection to the server at ws://127.0.0.1:2500/.
In Haxe, I am using the import: flash.net.Socket;
It seems to attempt to connect to the Node.js server, however the data I am receiving is not what I want:
GET / HTTP/1.1
Host: 127.0.0.1:2500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
The above is from the Node.js server.
Also, the event listener EVENT.Connect is not being called since no connection is happening.
Any suggestions? Is there a way to connect to a Node.js server in HTML5 with Haxe? I am using Haxe just for the sockets, I am not creating a server in Haxe.
I need to provide Facebook web access without using browser.
I'm using Play Framework for my needs, and send requests to FB API through web service.
I've checked request parameters for HTTP using firebug with disabled javascript, and handling all redirects to save cookies. But when I send filled form with all hidden parameters and cookies it sends redirect to login page, without token.
GET request with app_id and secret for registered web application:
https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxx&secret=yyyyyyyyyyyyyyyy&redirect_uri=https://myhost.com&response_type=token
It responds with redirect to https://www.facebook.com/login.php page with parameters:
skip_api_login=1
api_key=xxxx
signed_next=1
next=https%3A%2F%2Fwww.facebook.com%2Fv2.1%2Fdialog%2Foauth...
display=page
with reload parameter with same data and additional parameter: _fb_noscript=1
Further I'm retreiving data from login form and send it with POST request.
But it redirects me again to login page.
I'm filling my requests with same headers as Firefox do with updated mutable parameters from server response:
POST /login.php?login_attempt=1&next=https%3A%2F%2Fwww.facebook.com%2Fv2.1%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Flocalhost%253A9443%26response_type%3Dtoken%26client_id%3Dxxxxxxxxxxxx%26ret%3Dlogin HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook.com/login.php?skip_api_login=1&api_key=xxxxxxxxxxxx&signed_next=1&next=https%3A%2F%2Fwww.facebook.com%2Fv2.1%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Flocalhost%253A9443%26response_type%3Dtoken%26client_id%3Dxxxxxxxxxxxx%26ret%3Dlogin&cancel_uri=https%3A%2F%2Flocalhost%3A9443%2F%3Ferror%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied%23_%3D_&display=page&_fb_noscript=1
Cookie: datr=MnsEVMW8ZS7nkPtR2E4HrKko; reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Fskip_api_login%3D1%26api_key%3Dxxxxxxxxxxxx%26signed_next%3D1%26next%3Dhttps%253A%252F%252Fwww.facebook.com%252Fv2.1%252Fdialog%252Foauth%253Fredirect_uri%253Dhttps%25253A%25252F%25252Flocalhost%25253A9443%2526response_type%253Dtoken%2526client_id%253Dxxxxxxxxxxxx%2526ret%253Dlogin%26cancel_uri%3Dhttps%253A%252F%252Flocalhost%253A9443%252F%253Ferror%253Daccess_denied%2526error_code%253D200%2526error_description%253DPermissions%252Berror%2526error_reason%253Duser_denied%2523_%253D_%26display%3Dpage; reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php%3Fskip_api_login%3D1%26api_key%3Dxxxxxxxxxxxx%26signed_next%3D1%26next%3Dhttps%253A%252F%252Fwww.facebook.com%252Fv2.1%252Fdialog%252Foauth%253Fredirect_uri%253Dhttps%25253A%25252F%25252Flocalhost%25253A9443%2526response_type%253Dtoken%2526client_id%253Dxxxxxxxxxxxx%2526ret%253Dlogin%26cancel_uri%3Dhttps%253A%252F%252Flocalhost%253A9443%252F%253Ferror%253Daccess_denied%2526error_code%253D200%2526error_description%253DPermissions%252Berror%2526error_reason%253Duser_denied%2523_%253D_%26display%3Dpage; noscript=1
Connection: keep-alive
Is there any way to get Facebook access token dirrectly by POST/GET requests without browser?
I am new to REST so bear with me if I'm missing something obvious.
Any pointer would be much appreciated as I am a bit lost.
Scenario
I needed to post some data to the following REST service: https://api.dotmailer.com/ from my web application https://myapp.com/.
During testing, I was able to post the data from my local pc.
However, as soon as I published the updated application to https://myapp.com/ on a remote server, I was no longer able to post any data.
What I've tried so far
Added rule to the remote server firewall to allow outgoing traffic to use https. Didn't solve the problem.
Disabled the url rewriting rule that change http to https for myapp.com. Didn't solve the problem.
Pasted the URL I use to post my data (https://api.dotmailer.com/v2/address-books/12345/contacts) in a browser on the remote server, entered the correct credentials, but couldn't access it.
the error message said "Unable to open this internet site. The requested site is either unavailable or cannot be found." If I do the same on my local PC I can access the URL.
Monitored the two calls with Fiddler2.
I include the results of the monitoring process below:
CALLS MADE FROM REMOTE SERVER
----------
POST /bla.aspx HTTP/1.1
Host: myapp.com
Connection: keep-alive
Content-Length: 10660
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://myapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: https://myapp.com/bla.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,it;q=0.6
Cookie: ASP.NET_SessionId=xxx; Myapp=xxx; GUID=xxx
CALLS MADE FROM LOCAL PC
----------
POST /bla.aspx HTTP/1.1
Host: localhost:xxx
Connection: keep-alive
Content-Length: 10656
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:60675
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://localhost:xxx/bla.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,it;q=0.6
Cookie: __eqtUser=xxx; ASP.NET_SessionId=xxx; Myapp=xxx; GUID=xxx
Question
I believe point 3 shows that the cause is some setting on the remote server.
Does anyone know what it could be? Or am I completely off-track?
Update
I spoke with the developer on the receiving end of my calls who can monitor incoming traffic.
He could see my local calls but not the ones submitted from https://myapp.com.
In response to gmlime reply, I've added the following to myapp.com web.config file but didn't help.
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
Should I put it at a higher level in the hierarchy?
Make sure that this gets added to the response:
YourAddHeaderMethod("Access-Control-Allow-Origin", "*");
Many servers deny posting from other domains and can terminate the connection. You can learn more about it from the w3 docs for Access-Conrol-Allow-Origin and Mozzilla covers some scenarios. You may have to check with the server administrator to rule out cross domain problems also.
Code
function radiotest(host,port)
local rstr="Online"
local sock, err = socket.tcp()
if not sock then
return "Failed"
end
sock:settimeout(1)
local res, err = sock:connect(host, port)
if not res then
return "offline"
else
sock:settimeout(1)
sock:send("GET /index.html HTTP/1.0\r\n UserAgent: SHOUTcast Song Status \r\n Accept: */*\r\n\r\n")
sock:settimeout(3)
local data=sock:receive('*a')
sock:close()
print(data)
-- Further processing content here
end
end
print( radiotest( "10.*.*.*", 1234 ) )
The above socket connection returns me:
ICY 404 Resource Not Found
icy-notice1:<BR>SHOUTcast Distributed Network Audio Server/win32 v1.9.7<BR>
icy-notice2:The resource requested was not found<BR>
I think the problem is in my headers listing, but I'm unable to trace it.
The page opens fine in all browsers(Opera does need to be masked as another browser; otherwise it just keeps on downloading all songs).
I've tried using following strings inside sock:send()
GET /index.html HTTP/1.0\r\n UserAgent: SHOUTcast Song Status (Mozilla Compatible)\r\n\r\n
GET /index.html HTTP/1.0\r\n UserAgent: Opera/9.80 (Windows NT 6.1; Win64; x64) Presto/2.12.388 Version/12.12\r\n\r\n
GET /index.html HTTP/1.0\r\n UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17\r\n\r\n
I'm totally stuck at this part. How do I fetch the page using socket.tcp()?
After looking at your packet capture, it seems that what is actually getting sent over the wire is wrong. Your user-agent string isn't making it:
> GET /index.html HTTP/1.0
< ICY 404 Resource Not Found
< icy-notice1:<BR>SHOUTcast Distributed Network Audio Server/win32 v1.9.7<BR>
< icy-notice2:The resource requested was not found<BR>
If you don't specify a user-agent that contains Mozilla, you will be unable to access the admin interface, or any part of it. Go back and check your code again on what you're sending.
#Brad Thanks. Your help with Wireshark was indeed practicable. The User-Agent header was not being passed to the server because of an extra space I was providing in the request.
sock:send("GET /index.html HTTP/1.0\r\n UserAgent: SHOUTcast Song Status \r\n Accept: */*\r\n\r\n")
The \r\n UserAgent: SHOUTcast Song Status should instead be:
\r\nUser-Agent: SHOUTcast Song Status
And it is working fine now.
Thanks for the help. :D
The results from the function after filtering out the HTML is like:
Online(Tonic - If You Could Only See)
Online(Tonic - If You Could Only See) Stream is up at 256 kbps with 0 of 32 listeners (0 unique)