Is there a way to get the actual HTTP request message NSURLConnection generates? I've used "tcpdump" (Unix util) to figure it out, but was wondering if there is a way to get it programmatically?
For example, the URL string http://www.example.com/somepath/resource?v=99 will apparently produce this if I use it in NSURLConnection:
GET /somepath/resource?v?99 HTTP/1.1
Host: www.example.com
User-Agent: {myprog}/1 CFNetwork/596.2.3 Darwin/12.2.0 (x86_64) (iMac11%2C1)
Accept: */*
Date: Wed, 19 Dec 2012 03:12:12 GMT+01:00
Accept-Language: sv-se
Accept-Encoding: gzip, deflate
Cookie: {long-string}
Connection: keep-alive
Some of these HTTP headers can be set to other values using setValue:forHTTPHeaderField: on the NSURLRequest (e.g. "Host" and "User-Agent") but some can't (like "Connection").
[request allHTTPHeaderFields] sends an dictionary with keys and values only which yo have set ....
If you want to see the entire request , you can use the following tool...
http://blog.jerodsanto.net/2009/06/sniff-your-iphones-network-traffic/
I shows the request and response ...
Related
I have a WCF service which I make API requests to.
This API call returns a JSON response object and also is able to return it in GZIP compression as well when "gzip" value is used in "Accept-Encoding" header.
The problem is when I try to get the response in GZIP, Postman shows "Could not get any response" although I see response and response's content are OK (200 status code) in Fiddler and can easily decompress the response content in my C# client.
I took a look in Postman Console but all I see is "Error: incorrect header check".
I hardly tried to find any documentation regarding this header check but couldn't find any.
These are the request headers:
POST /correction/v1/document?lang=US HTTP/1.1
Content-Type: text/plain
Accept-Encoding: gzip
User-Agent: PostmanRuntime/7.6.0
Accept: */*
content-length: 630
Connection: close
These are the response headers:
HTTP/1.1 200 OK
Content-Length: 512
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
Server: Microsoft-HTTPAPI/2.0
Date: Sun, 24 Feb 2019 14:05:50 GMT
Connection: close
The only thing I suspect is wrong is this message from Fiddler:
I integrated this code into mine in order to use GZIP in WCF.
https://github.com/carlosfigueira/WCFSamples/tree/master/MessageEncoder/GZipEncoderAndAutoFormatSelection
Basically, it captures the response before returning to client and use GZipStream for compression.
I got the same issue, I added the following header to fix this issue.
Accept-Encoding : *
I was able to solve a similar issue by using the header Accept-Encoding: */* or if you want to be specific do Accept-Encoding: */* that way the HTTP client will be able to process the response based on the type of encoding received, in the case of a gzip, it will decode the response and show it as normal text.
For me, I removed 'Accept-Encoding' in the request header.
I got this issue when the REST service was returning a zip content (aka. WinZip format). I solved the error by compressing the data using 7zip to produce true gzip format.
Hi I'm trying to do a SQL injection in a login form.
With BurpSuite I intercept the request:
POST /xxxx/web/Login HTTP/1.1
Host: 10.0.0.70:42020
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json, text/plain, */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://xxxxxx.com/xxxxxx/
Content-Length: 44
origin: http://xxxxx.com
Connection: close
{"username”:"user",”password”:"pass"}
using:
sqlmap -u requestFile
(where requestFile is the content of the request intercepted with Burp)
sqlmap can't find the injectable field that is password.
I'm sure that's it's injectable cause if as password I input:
' OR 1=1; -- -
I can login with every username I insert
Tried also with:
{"username”:*,”password”:*}
but no luck.
What I'm doing wrong?
Example:
POST / HTTP/1.1
Host: www.example.com
{"username":"*", "password":"*"}
Saved as sqlrequest.txt
Can then initiate a test using this command:
py sqlmap.py -r sqlrequest.txt --level=5 risk=3 --force-ssl
You should then receive a prompt that a custom injection marker is found and that JSON data found in POST body. Process both and then you are good to go.
Sources:
https://security.stackexchange.com/a/150506/67046
https://security.stackexchange.com/a/51862/67046
sqlmap -u URL
sqlmap -r requestFile
Tutorial on how to use request
check this video
I am intercepting HTTP request/response from an Adobe Shockwave-based web music player application using Chrome Dev tools. When I click the Play button on music player, HTTP request headers like following are raised:
POST /some_url HTTP/1.1
Host: something.com
Connection: keep-alive
Content-Length: 103
Origin: http://something.com
X-Requested-With: ShockwaveFlash/22
User-Agent: Mozilla
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://something.com/player.swf
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
And Form data looks like following:
param1=561a0d9452069h76fhg46h67a599e8gy34nlj=
param2=something
Now, is there any way to know from where this param1=561a0d9452069h76fhg46h67a599e8gy34nlj= form data came from and how it is generated? If it's some kind of encrypted string or a token, how this is done?
Thank you for your answers
The HTTP request would have come from a URLRequest in ActionScript, which passes the data in key/value pairs. You could have a look at using SWFWire Inspector to decompile the code.
The first request (or batch of requests) I send from a WCF-Custom adapter using the wsHttpBinding (also tried basicHttp) does not include the Authorization Header.
Request 1 Headers
POST https://axis2service.com/HttpSoap12Endpoint/ HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Host: axis2service.com
Content-Length: 556
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
The service returns a 401 to which I respond with the below.
Request 2 Headers
POST https://axis2service.com/HttpSoap12Endpoint/ HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Authorization: Basic XXXXXX
Host: axis2service.com
Content-Length: 556
Expect: 100-continue
Accept-Encoding: gzip, deflate
To which the axis2 on apache service responds with a 504 and Connection: close
This seems to be a known issue, how can I make request 1 include the Authorization header every time?
Note: The request 1 headers only get sent on the first request after a Host Instance restart. All subsequent requests from the adapter use the request 2 headers therefore bypassing the handshake stage.
I'm currently trying to connect to a webservice placed on https://xxx.xxx.xx/myapp
It has anonymous access and SSL enabled for testing purposes atm.
While trying to connect from the 3G network, i get Status 403: Access denied. You do not have permission to view this directory or page using the credentials that you supplied.
I get these headers while trying to connect to the webservice locally:
Headers
Request URL:https://xxx.xxx.xx/myapp
Request Method:GET
Status Code:200 OK
Request Headers
GET /myapp/ HTTP/1.1
Host: xxx.xxx.xxx
Connection: keep-alive
Authorization: Basic amViZTAyOlE3ZSVNNHNB
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response Headers
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 16 Feb 2012 12:26:13 GMT
Content-Length: 622
But when accessing outside the local area, we get the big ol 403. Which in turn wants credentials to grant the user access to the webservice.
However, i've tried using the ASIHTTPRequest library without success, and that project has been abandoned. And they suggest going back to NSURLConnection.
And i have no clue where to start, not even which direction to take.
-connection:(connection *)connection didRecieveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
The above delegate method of NSURLConnection doesnt even trigger. So i have no idea what so ever how to authenticate myself.
All i get is the parsed results of the xml elements of the 403-page.
I needs dem seriouz helps! plx.
This was all just a major f-up.
The site had ssl required and enabled, and setting ssl required for the virtual directories does some kind of superduper meta-blocking.
So, by disabling ssl required for the virtual directories, it runs over ssl and is not blocking 3G access..