Attempt to read property "POST /padcenter/store - laravel-8

Attempt to read property "POST /padcenter/store HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-

Related

How to send a XMLHttpRequest

I want to send a request that looks like this:
POST /accounts/211242/followers HTTP/1.1
Host: website.com
User-Agent: <user-agent>
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://website.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 0
Connection: close
Cookie: <user-cookie>
But I don't know much about JavaScript. I have tried a lot, but all I got was an error. Can anyone write the code for me?
Here is what I have tried:
<html>
  <head>
    <title>CSRF Demo</title>
  </head>
  <body>
    <script>
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.open("POST", "https://website.com/accounts/211242/followers");
      xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
      xmlhttp.withCredentials = true;
      xmlhttp.send(null);
    </script>
  </body>
</html>
After running that code, the browser sends this request:
POST /accounts/211242/followers HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: null
Connection: close
Cache-Control: max-age=0
Content-Length: 0
Cookie: <user-cookie>
It doesn't have 'X-Requested-With: XMLHttpRequest', so the server sends back 400 Bad Request.
According to the docs, you should add xmlhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
after opening and before sending the request, to append the desired header.
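Why a server might insist on this header, seen from the receiving side as an added example (not part of the original answer, and not the site's actual logic): a cross-origin page cannot attach a custom header such as X-Requested-With unless the server approves it in a CORS preflight, so requiring it together with a trusted origin is a common CSRF check. The function names, the allow-list and the sample header sets are assumptions constructed for illustration.

```javascript
// Added example: hypothetical server-side gate for state-changing requests.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Origin of the caller: the Origin header if present, else the Referer's origin.
function sourceOrigin(h) {
  if (h.origin !== undefined) return h.origin; // may be the literal string "null"
  try {
    return new URL(h.referer).origin;
  } catch {
    return null; // no Referer, or not a parseable URL
  }
}

// Decide whether a request may change state. allowedOrigins is an assumption:
// the origins the application itself is served from.
function checkRequest(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: "safe method" };
  const h = normalizeHeaders(headers);
  if (h["x-requested-with"] !== "XMLHttpRequest")
    return { ok: false, reason: "missing X-Requested-With" };
  const origin = sourceOrigin(h);
  if (!origin || !allowedOrigins.includes(origin))
    return { ok: false, reason: "untrusted origin" };
  return { ok: true, reason: "same-site XHR" };
}

// Constructed samples modelled on the two requests quoted in the question.
const ALLOWED = ["https://website.com"];
const CAPTURED = { // what the browser actually sent from the local HTML file
  "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
  Origin: "null",
};
const INTENDED = { // what the site's own page sends
  "X-Requested-With": "XMLHttpRequest",
  Referer: "https://website.com",
};
console.log(checkRequest("POST", CAPTURED, ALLOWED), checkRequest("POST", INTENDED, ALLOWED));
```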

axios send wrong csrf cookie

I want to process a POST request with axios in a vuejs project, but axios never sends the correct CSRF cookie. My vuejs project runs in dev mode on port 8080, my server (Spring Boot) on port 9090. I set the correct CORS filter for localhost:8080 and 127.0.0.1:8080, OPTIONS is accepted, but I get a 403 error on my POST.
Here is my code:
axios.post("http://127.0.0.1:9090/api/security/authenticate",
    this.form,
    {
        withCredentials: true,
        xsrfCookieName: 'XSRF-TOKEN',
        xsrfHeaderName: 'X-XSRF-TOKEN'
    }
).then((response) => {
    console.log("Data: " + response.data);
}).catch((error) => {
    console.log("post error: " + error);
});
And here is the result of my OPTIONS request on Chromium:
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: OPTIONS
Status Code: 200
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: http://127.0.0.1:8080
Content-Length: 0
Date: Wed, 11 Dec 2019 21:44:07 GMT
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
REQUEST HEADERS :
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
And my POST:
GENERAL:
Request URL: http://127.0.0.1:9090/api/security/authenticate
Request Method: POST
Status Code: 403
Remote Address: 127.0.0.1:9090
Referrer Policy: no-referrer-when-downgrade
RESPONSE HEADERS :
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://127.0.0.1:8080
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Wed, 11 Dec 2019 21:44:07 GMT
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
REQUEST HEADERS :
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 56
Content-Type: application/json;charset=UTF-8
Cookie: XSRF-TOKEN=428229a0-b2b1-4473-ab3a-557e4dbac1b1
Host: 127.0.0.1:9090
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) snap Chromium/78.0.3904.108 Chrome/78.0.3904.108 Safari/537.36
REQUEST PAYLOAD :
{login: "xxx", password: "xxx", rememberme: false}
login: "xxx"
password: "xxx"
rememberme: false
The CSRF cookie sent (428229a0...) is not correct. Previously, in a GET request, I obtained another CSRF token (70705d00...). Why was the wrong CSRF cookie sent?
To be sure that it is not a result of the vuejs dev mode, I built my project and deployed it on an nginx server, but I got the same result. I also tried on Firefox and got the same error.
In package.json, axios is in version "^0.19.0", vuejs "^2.6.10".
What is wrong in my code? Or is it about the configuration of my server?
Thanks for your help!

Login to Site using Httpwebrequest vb.net

I want to log in to a site using simple VB.NET code with HttpWebRequest.
I have written some simple code, but it still gives me "login failed" even though the information is true!
Using req As New HttpRequest
    req.UserAgent = Http.ChromeUserAgent
    req.Cookies = New CookieDictionary(False)
    req.Proxy = Nothing
    req.IgnoreProtocolErrors = True
    req.AddParam("username", tmail.Text)
    req.AddParam("password", Tpass.Text)
    Dim respo As String = req.Post("https://picsart.com/sign-in").ToString
    If respo.Contains("Logout") Then
        MsgBox("Login Done!", MsgBoxStyle.Information)
    Else
        MsgBox("Login Or Password Incorrect", MsgBoxStyle.Critical)
    End If
End Using
Below is the HTTP record captured with the Live HTTP Headers Firefox add-on:
https://picsart.com/sign-in
POST /sign-in HTTP/1.1
Host: picsart.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://picsart.com/
Content-Length: 106
Cookie: sid=
DNT: 1
Connection: keep-alive
username=myemail&password=mypass&nextUrl=https%3A%2F%2Fpicsart.com%2F%23
HTTP/2.0 200 OK

Why is my OData 4 Batch not picking up the request body of the last request

I am working on an ASP.NET Core 2.2 API using the Microsoft.AspNetCore.OData NuGet v7.1.0 and I am trying to test OData batch using Postman v7.0.5.
The problem I am having is that it always fails to see the data in the last POST request in my batch. In the response, I get "201 Created" for every post except the last one, which returns "400 Bad Request" because it is not picking up the data in the last request body.
Here is the relevant section of my Startup.cs where I enable OData Batch handling:
app.UseODataBatching();
app.UseMvc(routeBuilder =>
{
    routeBuilder
        .MapODataServiceRoute("ODataRoutes", "api/v1",
            modelBuilder.GetEdmModel(app.ApplicationServices),
            new DefaultODataBatchHandler());
});
In Postman, I have a POST request to
{{url}}/api/v1/$batch
and in the Request -->Headers section, I have a Content-Type header set to
multipart/mixed; boundary=batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0
The Body of the request is set to "Raw" and "Text"
Below is the request body;
--batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0
Content-Type: application/http
Content-Transfer-Encoding: binary
POST /api/v1/AddressComplianceCode HTTP/1.1
OData-Version: 4.0
Content-Type: application/json
Accept: application/json;odata.metadata=minimal
{
"Code": "Z1",
"Description": "Test Batch Z1",
"Active": true
}
--batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0
Content-Type: application/http
Content-Transfer-Encoding: binary
POST /api/v1/AddressComplianceCode HTTP/1.1
OData-Version: 4.0
Content-Type: application/json
Accept: application/json;odata.metadata=minimal
{
"Code": "Z2",
"Description": "Test Batch Z2",
"Active": true
}
--batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0
Content-Type: application/http
Content-Transfer-Encoding: binary
POST /api/v1/AddressComplianceCode HTTP/1.1
OData-Version: 4.0
Content-Type: application/json
Accept: application/json;odata.metadata=minimal
{
"Code": "Z3",
"Description": "Test Batch Z3",
"Active": true
}
--batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0
Content-Type: application/http
Content-Transfer-Encoding: binary
POST /api/v1/AddressComplianceCode HTTP/1.1
OData-Version: 4.0
Content-Type: application/json
Accept: application/json;odata.metadata=minimal
{
"Code": "Z4",
"Description": "Test Batch Z4",
"Active": true
}
--batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0--
And here is the response;
--batchresponse_f2c84aaf-dc39-4f20-8da0-881f402436fa
Content-Type: application/http
Content-Transfer-Encoding: binary
HTTP/1.1 201 Created
Location: https://localhost:44331/api/v1/AddressComplianceCode('Z1')
Content-Type: application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8
OData-Version: 4.0
{"#odata.context":"https://localhost:44331/api/v1/$metadata#AddressComplianceCode/$entity","Code":"Z1","Description":"Test Batch Z1","MarkedForRetirement":false,"RetirementDate":null,"LastModifiedDate":"2019-03-12T10:19:20.9434728-04:00","LastModifiedBy":null,"CreatedDate":"2019-03-12T10:19:20.9434728-04:00","CreatedBy":null,"Delete":false,"Active":true}
--batchresponse_f2c84aaf-dc39-4f20-8da0-881f402436fa
Content-Type: application/http
Content-Transfer-Encoding: binary
HTTP/1.1 201 Created
Location: https://localhost:44331/api/v1/AddressComplianceCode('Z2')
Content-Type: application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8
OData-Version: 4.0
{"#odata.context":"https://localhost:44331/api/v1/$metadata#AddressComplianceCode/$entity","Code":"Z2","Description":"Test Batch Z2","MarkedForRetirement":false,"RetirementDate":null,"LastModifiedDate":"2019-03-12T10:19:21.2241031-04:00","LastModifiedBy":null,"CreatedDate":"2019-03-12T10:19:21.2241031-04:00","CreatedBy":null,"Delete":false,"Active":true}
--batchresponse_f2c84aaf-dc39-4f20-8da0-881f402436fa
Content-Type: application/http
Content-Transfer-Encoding: binary
HTTP/1.1 201 Created
Location: https://localhost:44331/api/v1/AddressComplianceCode('Z3')
Content-Type: application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8
OData-Version: 4.0
{"#odata.context":"https://localhost:44331/api/v1/$metadata#AddressComplianceCode/$entity","Code":"Z3","Description":"Test Batch Z3","MarkedForRetirement":false,"RetirementDate":null,"LastModifiedDate":"2019-03-12T10:19:21.5068813-04:00","LastModifiedBy":null,"CreatedDate":"2019-03-12T10:19:21.5068813-04:00","CreatedBy":null,"Delete":false,"Active":true}
--batchresponse_f2c84aaf-dc39-4f20-8da0-881f402436fa
Content-Type: application/http
Content-Transfer-Encoding: binary
HTTP/1.1 400 Bad Request
Content-Type: application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8
OData-Version: 4.0
{"error":{"code":"","message":"The input was not valid.","details":[{"code":"","message":"The input was not valid."}]}}
--batchresponse_f2c84aaf-dc39-4f20-8da0-881f402436fa--
No matter how many POST sections I add to the request (I have tested 2, 3 and 4), the last request always fails to pass the request body values.
I have reviewed the Batch advanced tutorial at www.odata.org site, as well as all of the relevant SO posts I could find. I also tried the Github issues pages using the filter;
is:issue is:open batch
All with no luck so far.
What am I missing here?
Based upon my own experiences, I'd guess it's because you're sending LFs with Postman, rather than CRLFs.
Postman will send whatever newline you've entered (perhaps pasted in from something that prefers LF), but multipart/mixed data requires CRLF. Sending just the LF confuses the ODataMultipartMixedBatchReader about whether a boundary line is an end-boundary or not, and causes the end-boundary marker to be added to the request. This in turn confuses the model binder on the ASP.NET Core side of things, which can't deserialize the request body.
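A way to check a batch body for the line-ending problem described above before sending it, as an added example that is not part of the original answer: it reports lines that end in a bare LF, normalizes them to CRLF, and builds a body that uses CRLF throughout. The function names are hypothetical, and the sample operations are constructed from the question's boundary and payloads.

```javascript
// Added example: check and build an OData $batch multipart/mixed body.
const CRLF = "\r\n";

// Return the 1-based numbers of lines that end in a bare LF (no CR before it).
function findBareLF(body) {
  const bad = [];
  let line = 1;
  for (let i = 0; i < body.length; i++) {
    if (body[i] !== "\n") continue;
    if (i === 0 || body[i - 1] !== "\r") bad.push(line);
    line++;
  }
  return bad;
}

// Convert bare LF to CRLF; existing CRLF pairs are left as they are.
function toCRLF(body) {
  return body.replace(/\r?\n/g, CRLF);
}

// Build the body: per operation, MIME part headers, an empty line, then the
// embedded HTTP request (request line, headers, empty line, JSON payload).
function buildBatch(boundary, operations) {
  const parts = operations.map(({ method, path, json }) => [
    `--${boundary}`,
    "Content-Type: application/http",
    "Content-Transfer-Encoding: binary",
    "",
    `${method} ${path} HTTP/1.1`,
    "OData-Version: 4.0",
    "Content-Type: application/json",
    "Accept: application/json;odata.metadata=minimal",
    "",
    JSON.stringify(json),
  ].join(CRLF));
  return parts.join(CRLF) + CRLF + `--${boundary}--` + CRLF;
}

// Constructed sample: two of the question's operations and its boundary.
const BOUNDARY = "batch_abbe2e6f-e45b-4458-9555-5fc70e3aebe0";
const SAMPLE_OPS = ["Z1", "Z2"].map((code) => ({
  method: "POST",
  path: "/api/v1/AddressComplianceCode",
  json: { Code: code, Description: `Test Batch ${code}`, Active: true },
}));
const body = buildBatch(BOUNDARY, SAMPLE_OPS);
const pasted = body.replace(/\r\n/g, "\n"); // what an LF-only editor would produce
console.log(findBareLF(body).length, findBareLF(pasted).length, toCRLF(pasted) === body);
```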

Copy a file to source folder on OneDrive using OneDrive API

I tried to copy a file on OneDrive:
Request:
POST https://api.onedrive.com/v1.0/drive/root:/onedrive_test/foo/bar/a.txt:/action.copy
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/json
Content-Length: 84
Accept: */*
Authorization: Bearer Ew...
Prefer: respond-async
User-Agent: python-requests/2.7.0 CPython/3.4.4 Windows/7
b'{"parentReference": {"path": "/drive/root:/onedrive_test/foo/bar"}, "name": "b.txt"}'
Response: 202 Accepted
Request:
GET https://api.onedrive.com/v1.0/monitor/4sT2gLAWdXVK7EdkDM7k24ObcUFTzScBof3T80HbmKfVHPnUCDK4fWe01ttH9...
Accept-Encoding: gzip, deflate
Connection: keep-alive
Accept: */*
Authorization: Bearer Ew...
User-Agent: python-requests/2.7.0 CPython/3.4.4 Windows/7
None
Response: 500 Internal server error if copying to the same folder where source file is.
If I use
b'{"parentReference": {"path": "/drive/root:/onedrive_test/foo/bar2"}, "name": "b.txt"}'
or
b'{"parentReference": {"path": "/drive/root:/onedrive_test/foo"}, "name": "b.txt"}'
everything works fine.
This is an ongoing issue with OneDrive Consumer - I'll respond to this answer with a comment once it is resolved.