Zabbix web scenario authentication - authentication

So i'm trying to set up zabbix web scenario to monitor webpage up/down. Ive found a way googeling which should work for me, however there is an issue in the login page. I need to be able to press TAB 4 times and then end it with a space to reach the login information panel. But i can not figure out how to tell zabbix to insert TABs or Spaces on the page before it attempts to login.
by default SMART-ID is our main authentication, and the order can not be changed as it would interfere with our user welfare policies. So i need to make zabbix able to navigate to the "Parool" tab for login. Also using the tab key on the page visualy does nothing untill you press the space bar, only after space bar it actually shows you where you have navigated.
So far i have tried to simply add tab and space in the "post fields" section however this does not do anything and i have not managed to google the information i require.

That's not how Zabbix Scenarios works.
Zabbix uses libCurl to check web endpoints, not a browser: you can't render javascript nor post/click to forms (ie: like Python Splinter does).
You can post data to specific web endpoints, like http://somewhere/test.php?id=2345&userid={BLABLABLA} then grab the output and/or the resulting http return code.
Please refer to the documentation for a complete overview.

Related

Reason SPA pages are refreshing?

Just finished learning Vuejs and after visiting a few websites that use Vuejs like;
a) https://coderstape.com
b) https://www.thenetninja.co.uk
c) https://laracasts.com
I noticed that by navigating around the websites we by clicking on navbar links and some other links then the pages refresh and I haven't been able to find out the reason online. Could someone kindly explain what's happening in that? Doesn't it go against the purpose of SPA?
For example the last site you specified: https://laracasts.com.
On its main page there is a white button "BROWSE COURSES". If you open Chrome DevTools panel(look at the picture with explanations), go to tab "Networks" (1) and then click on this white button, you can see GET request to "series?curated" (2). If you open its details, you can see that as response, new page is received in the form of an HTML code (3), not JSON for example, as is usually the case in SPA.
Also, if you look at what programming language is used on this site, for example, using service https://whatcms.org/?s=laracasts.com, you can see that this is a PHP, namely Laravel.
From all this, I can make the assumption that they use Vue.js only partially, maybe in several components, but the site navigation itself is presented in the form of traditional static pages, which is why the page reloads.
Also, for example, if you take a look at this website https://www.spendesk.com/, you can see that they use Vue.js+Nuxt.js, as well as Node.js, as indicated by service whatcms.org, and if you try to navigate to various pages on this site, you will see no page loading. I can say that this site is a true SPA in the form in which you mean it.
I heard that you can do a SPA with a Laravel backend, but I think that's another story.

Showing file selection UI : Integrating Dropbox with OAuth 2

I am trying to create a web page which will allow my user to upload a file to my S3 storage. For choosing the file user can use Google Drive, Dropbox and also local system. Am facing issues while implementing the Dropbox part of this.
Am using this technique for integration(using core API and OAuth 2).
First when user chooses Dropbox i am opening an HTML page in an IFrame. Here I have an authorize button which will open the authorize endpoint mentioned in the above link. This link shows me X-FRAME-Options error inside the Iframe so i had to open this link as a popup to work.
Is there a way around this? I'd like the authorize URL to open in the same iframe by using location.href.
Also when i open it as a popup, after the user logs in successfully the redirect_uri which i pass i getting opened in the popup. I had to do some unconventional setInterval coding to go around this. Can someone suggest a solution for this as well?
I also tried using CSRF tokens as mentioned in Smarx's blog but this also gives me the same error.
EDIT :
#smarx i tried using dropbox.js and it works fine. Stuck at one place
I used the OAuth popup driver and have a button which says sign-in.
First on load i create the client and then the popup driver as below
client = new Dropbox.Client({ key: client_id });
client.authDriver(new Dropbox.AuthDriver.Popup({
receiverUrl: "http://localhost/uploadCare/dbcallback.html"
});
);
And in the call back html i am writing
Dropbox.AuthDriver.Popup.oauthReceiver()
as mentioned in the docs.
But this does not take me back to the original page and show me the list of files.
I particularly did not understand this part of the explanation
"To use the popup driver, create a page on your site that contains the receiver code, change the code to reflect the location of dropbox.js on your site, and point the Dropbox.AuthDriver.Popup constructor to it."
Could you please help me out here.
You definitely can't put dropbox.com into an iframe, for security reasons (e.g. clickjacking).
A few suggestions:
Can you just use the Chooser for your use case? That would certainly be easier for you and your users.
If you can't use the Chooser, is there a reason you're not using dropbox.js? It has a popup auth driver that will pretty much just take care of all this for you. The redirect will definitely happen in the same window as auth, so communication between the windows (usually via localStorage) is generally necessary. This is already done in dropbox.js.

Client-side Javascript: Showing the browser's address bar when a site hides it?

I'm trying to make a short client-side script that will run as UserJS in something like Greasemonkey. The script is to prevent sites from hiding the browser's navigation buttons. Topic info here.
I've come up with Window(location=yes, toolbar=yes, menubar=yes); This gives a "Read-Only" error though. All the info when I search is about web authors wanting to turn off the address bar (etc), not users wanting to turn it back on.
Click a product on this page to see the problem.

How to detect if user has switched Rails 3

A user logs into my application in a tab in a browser
They get an email and click a link which opens a new tab in the same browser and logs them in under a different email say.
If they go back to the first tab they are no longer the same user and I want the page to automatically detect this and then reload or redirect them if they are unauthorized to view the page.
Anyway to do this?
Or, if you really want to know when user is switched the tab, try this library:
visibility.js
As stated by #Hck:
add javascript code to reload page periodically (for example once per 30 seconds) – Hck
JavaScript is pretty much the only way to make pages do stuff after they're loaded. Note that in pretty much any user authentication system, a given browser will only be logged in as one user at a time, so as soon as the second tab opens, that browser will be acting as the second user - they can still see the current content of the first tab, but links (for instance) will no longer work unless the second user was also authorized to use them.
There are some JQuery plugins that do this sort of thing, like PeriodicalUpdater, or you can write your own (an example).

Is it a bad idea to have a login dialog inside an iframe?

We're creating a website where we will be giving out code snippets to our users which they can place on their own websites. These snippets contain a link a javascript include. When clicking the link, an iframe containing the login dialog to our site opens. The user then authenticates inside the iframe, does his work and when he leaves the iframe his session is closed. We've got it working allready and it's very slick.
Our main concern though is phishing. The user has absolutely now way of veryifying where the login page is really coming from. On the other hand, phising attacks are also succesfull even if the user can see the fake-url in the address bar.
Would you enter your (OpenId) credentials in an iframe? Does anyone know a pattern with which we could minimise the chances of a phishing attack?
The user has absolutely now way of veryifying where the login page is really coming from.
There are ways around that, by having the user choose a secret that the real login page can display back at them to identify itself. Usually this is done with easily-identifiable pictures.
However that is not the only issue. If you allow your login page to be framed (and the user comes to expect that), you also open yourself to clickjacking attacks. The third-party site can frame your login page, then position: absolute their own HTML elements on top of it. Elements like inputs directly on top of yours, sniffing each keypress to nab the password.
You can allow a simple “start login process” button to be framed, and maybe a username/identifier, but the form into which a password should be typed must open in its own browser window (either in the main window or in a popup) with its own address bar and SSL indicator.
Would you enter your (OpenId) credentials in an iframe?
Goodness no.
I would recommend not using an IFrame as they defeat accessibility, seo, and semantics unless you want those defeated. If you are asking people to login via an IFrame then you have a definite accessibility barrier that may be considered legally discriminatory in certain countries.