So I'm trying to automate the script that sending curl requests to MISP API (misp-project.org).
The problem is that there is an API KEY which should be in every request and you can get it only by mannually copy-pasting it into your script from web-interface (https://misp_url/events/automation).
However, in this way script becomes hardwired to a sertain MISP server and a user.
Is there another way to get this API KEY?
You can grab your user account details including your API keys via /users/view/me
Related
First off, I apologize if I use any incorrect terminology. I'm familiar with calling internal apis, but this a side project and new territory for me.
I've been using chrome debugger and powershell to write some scripts against the api of a public site. I was able to retrieve the JWT token, however after a few minutes my calls will start to fail with a 403 error. To get around this I've been exporting all the request headers from chrome and storing those locally for my script to pass whenever my call to the api fails. I narrowed it down to 4 headers that must be present, the one that is most suspect seems to be "cookie".
I then removed all key value pairs in the cookie header until I found the one that makes it fail. It's named "__cf_bm". A quick google says it's some kind of cloudflare bot management data. I don't see any of the data present in the __cf_bm cookie being sent in a response during authentication, I only see it in request headers. Is it not possible to construct this value? Does this essentially prevent me from interacting with the site's api?
I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I am hitting above in sequence via JMeter I am getting 200 response. Just like JMeter I tried recording in Postman and it worked same, but instead of JSON it gave response in XML format.
It doesn't generate a access_token, it works via session cookies.
My question is - Do I really have API access or it is just browser record n play? If Yes, Does this mean I can get access to any API, if I am a registered user of that application? For ex: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating. Say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't need to record the requests necessarily using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified there as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server that what client we are using and in what form data is being sent and then server responds accordingly with the information.
What you're recorded is OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to Google API or Facebook Graph API given you have proper access_token but I don't think you should be testing them directly, you should focus on solely your application.
I am trying to connect to Google Cloud from an embedded device so I have no access to OAuth authentication. The documents show that I can use simple API key for connecting. I have created a simple API key but I am having problems using it.
I can test the API functions successfully on https://developers.google.com/apis-explorer/?hl=en_US#p/pubsub/v1/ but on this developer's site I don't enter my API key (maybe one is generated automatically in the background).
When I try the same command using curl I get a 401 error:
"Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.", "status": "UNAUTHENTICATED"
But I am copying the GET or POST command directly from the online API tester and adding my key at the end:
curl -X POST -d '{"policy":{"bindings":[{"role":"roles/editor","members":["serviceAccount:charge...."]}]}}' https://pubsub.googleapis.com/v1/projects/pl..../subscriptions/arriveHomeSub:setIamPolicy?key=AIz....
What am I missing?
With the limited information you have provided, it is tough to identify the root cause but these are some of the possible ones:
You have not used quotes for the URL argument to curl. This could lead to some characters which are part of the URL to be interpreted by your shell in a different manner. Characters like & are usual culprits although they don't seem to be part of the URL you pasted.
curl -X POST -d '{"policy":{"bindings":[{"role":"roles/editor","members":["serviceAccount:charge...."]}]}}' 'https://pubsub.googleapis.com/v1/projects/pl..../subscriptions/arriveHomeSub:setIamPolicy?key=AIz'
You have not described how you're generating your API key and hence I feel that could be one of the possible issues.
You can go over the steps for using Google OAuth 2.0 from Google, it covers a lot about client secrets, access tokens and refresh tokens.
As long as you have your client ID and secret, you can call Google OAuth APIs to generate an access token.
You pass in the current access token as the key argument to your REST API.
Access tokens have very limited lifetime and might need refreshing periodically. If your application needs to periodically refresh access tokens, consider storing the refresh token in your application in a secure manner.
I want to know how to use photobucket api. I successfully created a login in photobucket.
I am following the guidelines given http://api-portal.anypoint.mulesoft.com/photobucket/api/photobucket-api/docs/getting-started
The first step i am failing is that http://developer.photobucket.com is redirecting to different page.
As it is written
Go to the Photobucket developer web site at developer.photobucket.com, agree to the terms of service, sign up, and get the API key.
I am not able to open developer.photobucket.com.
I also see a redirect from developer.photobucket.com to photobucket.com. It seems that they incorrectly configured the redirect. The information about using Photobucket API required link was found in the support section:
Our engineers are working on a new API, with lots of changes, however,
this won't be available to users for a couple more months. Here is the
documentation on the current API.
If you'd rather not wait for this updated API, and would like the
current iteration now, please send an email to our API request email
address with the following information:
Your Photobucket username (This is the username for the account that
you have already created on Photobucket): Your application name
(whatever you would like): Do you require the key for commercial or
non-commercial purposes:
All three of these answers are required!
Send the API request to: pbdl-api#photobucket.com
The subject for the email should be: API Request
Recently I started coding a Google Maps service integration. I went ahead and generated an API Key associated with my business email account on bronze level. When I use the service sans API Key everything works swimmingly.
If I use the API Key parameter, with my API key generated in my developer console I get the error message:
This API project is not authorized to use this API.
The URL used to access maps is below:
https://maps.googleapis.com/maps/api/distancematrix/xml?origins={origin_address}&destinations={destination_addresses}&mode=driving&language=en-US&sensor=false&key={APIKey}
How does one get the API Key to be authorized for v3 Maps JavaScript API. I am making the call as a raw post in the ASPX code behind to that address. It seems to me this used to work fine when I first started all this, now today all of the sudden I'm getting this error.
I need this to work since I will also be using places and that service seems to only work with the API Key. I would like to be able to have the key configured once and be done with it.
You'll need to enable each API you want to use.
The maps-javascript-API is one API, the DistanceMatrix-API(Webservice) another.
Go to the developer-console->API's and enable the Distance Matrix API
Note: this is only related to the DistanceMatrix-Webservice, when you use the DistanceMatrix-Service of the Javascript-API you don't need to enable this service.