I've encountered a problem during development.
When the adapter is tested from within Eclipse ("Invoke Worklight procedure"), it does its job perfectly.
On the contrary, when the adapter is called from the app, it doesn't work. I receive the following error:
Error 405 HTTP method POST is not supported by this URL
I've noticed a strange thing. When the adapter is called from the test procedure the URL seems correct (/apps/services/api/...) In the other case, Worklight puts a worklight prefix (/worklight/apps/services/api/...) when it makes the call. Hence the URL cannot be reached.
Here Worklight Studio - error http 405 when connecting to mobile URL provided by Console I found a partial solution but it does not work.
Additional info
WL version is 5.0.6.
Application server is Tomcat 7.
Based on my experiments I found the problem.
Each worklight project has an application-descriptor.xml. Within it there is a tag that indicates the WL server root URL.
Since I've taken the project from another source, I've simply noticed that it was configured as
<worklightServerRootURL>http://sampleDomain/worklight</worklightServerRootURL>
where sampleDomain is only a placeholder for the real one.
Now it is configured like
<worklightServerRootURL>http://${local.IPAddress}:8080</worklightServerRootURL>
to perform internal local tests.
Hope it helps.
Related
I am trying to understand/reproduce Log4shell vulnerability, using this poc and also information from Marshalsec.
To do that, I've downloaded Ghidra v10.0.4, which is said (on Ghidra download page) to be vulnerable to log4shell. Installed it on an ubuntu VM, along with java 1.8 (as stated in POC), and loaded the Poc + marshalsec snapshot.
Tried to start Ghidra, it said java 11 was needed, so although I've installed java 1.8 I still downloaded java 11 and, when you start ghidra, it says the installed version is not good enough and ask for the path to a java11 version; so I just gave him path to the jdk11 directory and it seems happy with it. Ghidra starts alright.
Then set up my listener and launched the poc, got the payload string to copy/paste in ghidra, and got a response in the ldap listener saying it'll send it to HTTP. But nothing more. The end.
Since the HTTP server is set up by the same POC, I thought maybe I just couldn't see the redirection, so I started the http server myself, started the ldap server myself with marshalsec, and retried (see pics below for exact commands/outputs).
Setting http server:
Set listener:
Setting LDAP server:
Send payload string in Ghidra (in the help/search part, as shown in kozmer POC); immediately got an answer:
I still receive a response on the LDAP listener (two, in fact, which seems weird), but nothing on the HTTP. The the Exploit class is never loaded in ghidra (it directly sends me a pop-up saying search not found, I think it is supposed to wait for the server answer to do that?), and I get nothing back in my listener.
Note that I don't really understand this Marshalsec/LDAP thing so I'm not sure what's happening here. If anyone have time to explain it will be nice. I've read lot of stuff about the vuln but it rarely goes deeply into details (most is like: the payload string send a request to LDAP server, which redirect to HTTP server, which will upload the Exploit class on the vulnerable app and gives you a shell).
Note: I've checked, the http server is up and accessible, the Exploit.class file is here and can be downloaded.
Solved it.
Turned out for log4shell to work you need a vulnerable app and a vulnerable version of Java; which I thought I had, but nope. I had Java 11.0.15, and needed Java 11 (Ghidra need Java 11 minimum, only vulnerable version of Java 11 is the first one).
Downloaded and installed Java 11, POC working perfectly.
after the fixpack in subject, i cannot manage to direct update my application.
It notify me that there is a new version available, but when i hit Update it keeps saying that the download failed (both on iOS and Android).
I attached my android to adb and i noticed those lines in the console:
Authentication error: Unable to respond to any of these challenges:
{wl-composite-challenge=WWW-Authenticate: WL-Composite-Challenge}
java.io.IOException: Error downloading update file The following
message has been received from the server instead of the expected
application update zip file: HTTP/1.1 401 Unauthorized
/-secure-{"challenges":{"wl_deviceNoProvisioningRealm":{"token":"1or0tj7gnoev1rn06s188j4u9h"},"wl_antiXSRFRealm":{"WL-Instance-Id":"np8c8o3c4dk1k7s79i2ikddfab"}}}/
at
com.worklight.androidgap.plugin.WebResourcesDownloaderPlugin$WebResourcesDownloader.downloadZipFile(WebResourcesDownloaderPlugin.java:364)
To complete the information I deployed the IBM_Worklight_Console with no security role in its web.xml and we have Worklight 6.1.0.1 installed on WAS Network Deployment 7.0.0.23 running AIX.
Before the fixpack, everything worked well.
Thank you
EDIT: here you can see my application-descriptor.xml and my server configuration:
I forgot about this stack, however I found the problem.
When I open my application, the WL Framework asks for new available update. In the same time, my application ask an adapter for some data, before the WL server can response about the Update. So if it arrives first the response of my adpater, then the Update response will contain a different requestID causing a 403 forbidden.
I don't know if I explained it clearly, however the temporary fix is to put updateSilently: true, not disturbing the direct update.
I am trying to run this sample code provided by IBM, but when I run it I get this error:
So I understand the HTTP 403, but where should I make neccesary changes to make this thing work? I saw this SO question: Jetty returning 403 Forbidden but no luck; I could not find that parameter anywhere in any file in my project.
Sometime earlier I got this error too Error 404: SRVE0190E: File not found: /
So lame, I had to deploy the adapter first then I deployed the native api, made neccessary changes voila I am good to go.
I'm looking for examples to control Worklight appclications via REST API for automation. What I need is a method to disable and enable specific application from command line.
I've found "HTTP Interface of the production server" on the IBM Worklight Information Center, but it doesn't work.
For exapmle, I sent a GET request to:
<WorklightServerURL>/worklight/console/api/getApplications
In return I got:
Error 404: Could not find resource for relative : /getApplications of
full path:
/worklight/console/api/getApplications".
Looking into the Worklight Console interactions using Chrome developer tool, disabling application request generates:
<WorklightServerURL>/worklight/console/api/applications/setAccessRule/17
Which is not consistent with the IBM Worklight Information Center...
This looks to be a documentation defect, where (in this specific case):
http://myhost:port/console/api/{Action}
Should be
http://myhost:port/console/api/applications/{Action}
For example:
http://myworklightserver:8080/console/api/applications/all
http://myworklightserver:8080/console/api/applications/get/testapp
I have opened a documentation defect to update the Console API Requests section. Thanks.
As for setAccessRule,
The API request structure is: http://myworklightserver:8080/console/api/applications/setAccessRule
The parameters are:
gadgetAppId (Required. You can find this in the database)
action (Required. delete | notify | block)
message (Required)
downloadLink (Optional)
Note that you are linking to the Worklight 5.0.5 Information Center; the fixes will appear in the Worklight 5.0.6 and 6.0 Information Center pages.
In Worklight 6.0 the port has changed to "10080", and a context root section exists before "/console".
http://myworklightserver:10080/mycontext/console/api/applications/all
I have created a sample project with an SQL adapter and a hybrid worklight application. The application is a simple login form that accept userid and password and validate them against the value stored in database using the SQL adapter.
Now when I tested this application on the default worklight server installed in eclispe plugin for worklight it is working fine.
But when I install the SQL adapter and worklight application on an enterprise worklight server and testing it, I am getting the following error:
NetworkError: 404 Not Found -
http://[localhost:9080]/apps/services/api/SampleHybrid/common/query
The above error I fetched through Firebug.
SampleHybrid is the name of the worklight hybrid application.
SampleHybridAdapter is the name of the SQL adapter.
The server’s response is:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>CWWKT0018E: The application or context root for this request has not been found: /apps/services/api/SampleHybrid/common/query</p><hr /><address>WebSphere Application Server at 127.0.0.1 port 9080</address></body></html>
You mentioned you have moved to running Worklight on an application server - this requires using a context root. I do not see a context root in the 404 error you have provided.
The request to the server was supposed to look like this: http://[localhost:9080]/yourContext/apps/services/api/SampleHybrid/common/query
Because the context root (in this case, "yourContext") is missing, you get a 404 error, since the application is trying to reach a location that does not exist.
The context root value is set in both application-descriptor.xml and worklight.properties.
yourProject\apps\yourApp\application-descriptor.xml
Change the value of the worklightServerRootURL property to include your context root. It should look like this http://your-host-name-here:port/yourContext
yourProject\apps\server\conf\worklight.properties
Set your context root as the value for the publicWorkLightContext property (also make sure to uncomment it)
After doing the above, you need to re-deploy the .war file to your application server. The .war file can be found in the bin folder of your Worklight project.