We know that "Content-Disposition" http header will force client to download manually. But if any 3rd party download manager such as IDM was installed on the client it intercepts the web requests and disallows some cookies. Can I block these tools and force the browser's native download manager for a specific download?
Related
In internet explorer I open a website. Then click on a button on the web page which makes a secure call to an api located on a 3rd party server.
Is there any way to check what version of ssl/tls is used by internet explorer to make this api call?
I know that I can see IE file-> properties, but this gives me the current connections (web page's) ssl/tls version. Where as I want to see the ssl/tls version used to make the api request (on button click).
The TLS parameters are negotiated during the TLS handshake (when you initially connect to the site) and depend on the browser and server capabilities.
Therefor there is no way to check the capabilities of the browser regarding TLS only from within the browser itself. You need at least to make a https connection to some server which then echos the information from the successful handshake back to you.
For example, in .NET, you can view its version information through ServicePointManager.SecurityProtocol Property. Starting from .NET Framework 4.7, the default value of this property is SecurityProtocolType.SystemDefault. For more information, you can refer to this document.
I have a web application that I developed using Angular, Node.js/Express.js and MySQL. My app has some pages that display data after fetching it from another web app example: https://www.example.com. Since, this another app doesn't have any API from where I can fetch the data so, I am using web scraping with the help of Python Selenium and scraping the data from the site. I am calling my Python program in Node.js.
What I want to ask is that is the connection between a bot that sends a request to the target site secured or not? Does the selenium automated browser sends an encrypted connection to the site? Or, do I have to connect to a proxy to secure my connection. I don't want to expose my server's IP.
Any help would be appreciated. Thanks!
selenium communication is between client library and driver API.
selenium doesn't send anything to the target site but the browser
If you are running selenium from local system and start selenium/driver in localhost there is no issue of "man in the middle attack" as no one can eavesdrop you as the communication is within the localhost netwrok.
Other than the communication between your script and the call to selenium API there is no other communication happening. All other communication is happening from the target website as in normal user scenarios.
No it is not a secure connection cause Selenium internally makes an HTTP request for each Selenium command.
for each Selenium command, a HTTP request is created and sent to the browser driver
the browser driver uses a HTTP server for getting the HTTP requests
the HTTP server determines the steps needed for implementing the Selenium command
the implementation steps are executed on the browser
the execution status is sent back to the HTTP server
the HTTP server sends the status back to the automation script
Why HTTP is not secure
I am working on a web application that is hosted in the internet, but shall be able to use a REST API provided by a local HTTP-printserver.
The problem is, that when the application is accessed via HTTPS, all my XmlHttpRequest to the local HTTP-printserver are blocked (because of security mechanisms of the browser).
Therefore my "solution" is to use plain HTTP for the web application.
However, whenever I open the site in my browser - explicitly with http (e.g. http://mysite.de/app/index.html) the browser sends an "Upgrade-Insecure-Requests" which is accepted by the webserver and they switch over to HTTPS.
Is there a way how to deny/reject the upgrade to HTTPS?
Ideally by .htaccess
Ideally only for index.html in the app folder
I want to setup client authentication in a way that during TLS/SSL handshake when server asks the Browser for client certificate, the client certificate is retrieved from a remote Certificate Provider server application.
Is there any way to dictate the browser to use a program written in java/c++ for client certificate retrieval?
You can't dictate browser directly. What you can do is implement a module (you'll need separate modules - a CSP module for CryptoAPI-based browsers like IE and wrappers and for Mozilla which uses PKCS#11) which will obtain certificates from remote location. The idea is that once the browser requests a certificate or certificate list from such module, the module reads information from your server.
Both modules must be installed by the user (CSP is installed to Windows and PKCS#11 driver is copied on the disk and then the browser is configured to use it), i.e. this is not automatic and can't be done by your site without user support.
I have a Web application (.NET/SQL) that I'd like to change the authentication scheme from a local SQL-based username/password to a client/server certificate model.
Kicker is that the client devices are Blackberry Bolds (assuming the most recent) and I have no idea whether Blackberries support this method of authentication.
I should note that these devices are not managed by BES (or the organization for that matter): they will be using the native Blackberry browser to connect to a Web application on the public Internet over untrusted wifi and 3G networks.
Yes, the BlackBerry browser has supported this method of authentication since at least OS 4.6 (the first Bold). The issue is getting the appropriate certificate to the device in a way secure enough for your application without BES.