View traffic of integrated WebLogic server in JDeveloper - weblogic

Is there any way to monitor the traffic of the integrated WebLogic server in JDeveloper? I know that must be at least possible via a network sniffer, though I haven't succeeded that way either. But isn't there a way via the IDE?
Thank you very much in advance,
Angelo Hannes

Here is a demo that shows you how to setup the HTTP Analyzer in JDeveloper to monitor your HTTP traffic between the client and WebLogic:
https://blogs.oracle.com/shay/entry/monitoring_adf_pages_round_trips

Go to Tools->Http Analyzer. Then on your browser, you need to setup the Proxy Server to that of the Http Analyzer. To see the port, go to Tools->Preferences->Http Analyser.
If you just want to see the HTTP requests and responses, it might be easier to just use Firebug or Chrome's Developer Tools.
A more detailed and illustrated instruction can be found here: http://nickaiva.blogspot.com/2010/10/jdeveloper-11g-making-use-of-http.html

Related

What should I do to fix HTTP Request Smuggling on Apache?

I scanned my site with Burp Suite Professional.
It said a vulnerability called "HTTP Request Smuggling" has been detected.
This vulnerability was detected in the August 7, 2019 Burp Suite Professional ver2.1.03.
My server environment is as follows.
CentOS 7
Apache 2.4
PHP 7.3
PortSwigger says how to resolve this problem.
That is by changing the network protocol of the web server from "HTTP/1.1" to "HTTP/2".
https://portswigger.net/web-security/request-smuggling#how-to-prevent-http-request-smuggling-vulnerabilities
So I changed my site with SSL support and then HTTP/2 support as well.
And I scanned again, the "HTTP Request Smuggling" vulnerability was detected AGAIN.
HOW TO FIX THIS?????????
I am NOT interested in what is this problem details or how it works at all.
What I want to know is how to stop detecting this problem.
If you have encountered a similar event, tell me the solution. please?
If possible, I wish what you did something to this, wrote in httpd.conf or php.ini, etc.
I found that need to improve version of tomcat but I haven't tried yet
Article about solution
If you are using end-to-end HTTP/2 communication then that should eliminate the vulnerability. What I mean by this is that HTTP/2 is the only HTTP version used in all HTTP traffic.
Many web architectures have a load balancer or proxy in front of the web server which accepts HTTP/2 traffic. However, many front-end servers rewrite the incoming HTTP/2 traffic into HTTP/1 when they forward the traffic to the back-end server/web server. When the traffic gets rewritten to HTTP/1, HTTP request smuggling is possible. More info here: https://www.youtube.com/watch?v=rHxVVeM9R-M
I'm posting this quote from James Kettle, a researcher from PortSwigger: "you can resolve all variants of this vulnerability by configuring the front-end server to exclusively use HTTP/2 to communicate to back-end systems, or by disabling back-end connection reuse entirely."
source: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
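Request smuggling relies on the front-end and the back-end disagreeing about where an HTTP/1 request ends. As an added example (not code from the answer or from PortSwigger), the sketch below shows a strict framing check that a proxy or a regression test can apply to an HTTP/1.1 request head before it is forwarded; it goes beyond the quoted mitigations, and the function name, the reject-on-doubt policy and the sample requests are assumptions constructed for illustration.

```python
import re


def framing_issues(raw_head):
    """Return the reasons an HTTP/1.1 request head has ambiguous body framing."""
    issues = []
    headers = []
    for line in raw_head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                                 # blank line ends the head
        if b"\n" in line or b"\r" in line:
            issues.append("bare CR or LF inside a header line")
            continue
        if line[:1] in (b" ", b"\t"):
            issues.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            issues.append("malformed header line")  # e.g. space before ':'
            continue
        headers.append((name.lower(), value.strip(b" \t")))
    lengths = [v for n, v in headers if n == b"content-length"]
    codings = [v.lower() for n, v in headers if n == b"transfer-encoding"]
    if lengths and codings:
        issues.append("both Content-Length and Transfer-Encoding")
    if len(set(lengths)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not re.fullmatch(rb"[0-9]+", v) for v in lengths):
        issues.append("non-numeric Content-Length")
    # Assumed strict policy: the only accepted coding is a single "chunked".
    if codings and codings != [b"chunked"]:
        issues.append("Transfer-Encoding is not exactly 'chunked'")
    return issues


# Constructed sample heads (no bodies), not traffic captured from a real site.
CLEAN = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n"
BOTH = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
SPACED = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n")

if __name__ == "__main__":
    for head in (CLEAN, BOTH, SPACED):
        print(framing_issues(head) or "ok")
```

A request that returns a non-empty list should be answered with 400 and the connection closed rather than forwarded on a reused back-end connection.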

Can the restund server be hosted alongside my dedicated hosting server?

I want to implement a restund server for WebRTC audio on my website. I wish to have one user be able to talk to all the other users on the platform (if anyone knows an easier way to do this than implementing a restund WebRTC server, please let me know, would help me out a lot).
But before I go and try to get restund working, I was wondering if it could be installed to work alongside my Apache HTTP dedicated server I use to host my website.
Well, STUN/TURN services are running on ports 3478 and 5349 by default. That should not conflict with those required for HTTP operations (e.g. 80, 443, 8080). So yes, this should be possible.

Connecting Devices to Fiddler Without Proxy Changing?

I'm interested in using Fiddler to inspect HTTP(S) API traffic on my home network. I want two networks/routers; "Normal" and "Fiddler". I want the devices to easily connect to either network. I do not want to manually configure/unconfigure proxy settings when moving devices between normal and Fiddler proxy network. I just want to select a new access point and have the device work. How can this be done? Will some kind of port-forwarding on the "fiddler" router suffice?
After several weeks of experimentation and discussion, my conclusion is that neither Fiddler nor Charles Proxy supports transparent proxying, which is key to making a simple router setup work. OTOH, mitmproxy does work well. mitmproxy runs on OS/X and Linux. For Windows there are two options: mitmdump is a UI-less version of mitmproxy, and mitmweb (available but not presently released) has a very promising UI.
Indeed, you can easily configure a router to gateway to a mitm system. From there mitm will show HTTP requests and responses. If you want to see HTTPS, you'll simply need to have the device accept an mitm certificate. Do so by visiting the special domain name http://mitm.it and following the instructions.
For a more detailed discussion see Best Way to Inspect HTTP(S) APIs of Many Devices
I wrote up the procedure for configuring a router to proxy client traffic to a transparent proxy. Works great with MitmProxy. The beauty of this approach is that you can simply connect a client device, wired or wireless, to the router and HTTP(S) traffic will be displayed by MitmProxy. No need to fiddle with each device's proxy settings. You simply choose the router's network, when done you flip back to the usual router.
Best Way to Inspect HTTP(S) API Traffic in a Multi-Platform Multi-Device Environment
http://fiddlerbook.com/fiddler/help/hookup.asp --- have you checked this? I think this helps.

What would happen if I made a HTTP request to a server without Apache installed?

Doesn't have to be Apache, but that's just the only HTTP server I know of (Actually could you guys recommend alternatives that I could look into as well?)
Anyways, so I have been messing around with Amazon Web Services and I created an EC2 server instance with an Amazon Linux Image. On that, (Following guides and examples) I installed Apache and now when I make a GET request to my public IP, it returns to me the HTML files I created on my server.
My question is, what if I never installed Apache, and then made an HTTP request to my public IP? For no reason really, the question just came up in my head and I'm curious. I'd rather not figure out how to uninstall Apache or create a new instance to figure it out, so I was wondering if somebody could weigh in as well as tell me a little more about what it is exactly apache does on a server. My understanding is that it is a layer you can install on your server OS that will create a socket listener to port 80 (HTTP), and when a request is made on that port, Apache will return web pages? Also I think I read somewhere you could configure Apache to forward a port to something like a python server script?
Thanks in advance for your time!
could you guys recommend alternatives that I could look into as well?)
nginx is a popular alternative to apache. It's much more efficient.
what if I never installed Apache, and then made an HTTP request to my public IP?
Your browser would get a "connection reset" because there is nothing on port 80. Your browser would display a message (Chrome says "This webpage is not available"). You would NOT get a "404" because that requires an HTTP server to send HTTP codes.
If your server was firewalled instead, you'd get a busy wait for a while, then a message about the server not responding.
Also I think I read somewhere you could configure Apache to forward a port to something like a python server script?
Yes, that is called "reverse proxy" mode. It's essential to any application website if you want to scale. The web server(s) can distribute traffic to one or more backends running the application. The web server is useful for filtering bad requests (since your backend in Ruby/Python will be 1000's of times slower than the reverse proxy.)
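The outcomes described in the answer above (nothing listening, a firewall dropping packets, an HTTP server answering with a status code) can be told apart programmatically. This is an added example, not part of the original answers; `probe_http`, the `_Empty` handler and `demo` are hypothetical names, and the demo uses a constructed local server instead of a real EC2 instance.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host, port, timeout=3.0):
    """Classify what answers on host:port at the TCP layer, then the HTTP layer."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except ConnectionRefusedError:
        # The OS answered with a TCP reset: host is up, nothing listens here.
        return "refused"
    except socket.timeout:
        # No reply at all: a firewall is silently dropping the packets.
        return "timeout"
    except OSError as exc:
        return f"unreachable ({exc})"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        # Any status code, 404 included, proves an HTTP server is running.
        return f"http {conn.getresponse().status}"
    except (http.client.HTTPException, OSError):
        return "open, but not speaking HTTP"
    finally:
        conn.close()


class _Empty(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server that has no page to serve."""
    def do_GET(self):
        self.send_error(404)

    def log_message(self, *args):
        pass                                # keep the demo quiet


def demo():
    """Probe a local port with an HTTP server and one with nothing listening."""
    server = HTTPServer(("127.0.0.1", 0), _Empty)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    with socket.socket() as s:              # reserve a port number, then free it
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    results = (probe_http("127.0.0.1", server.server_address[1]),
               probe_http("127.0.0.1", closed_port))
    server.shutdown()
    return results
```

Calling `demo()` returns one classification for the port with the HTTP server and one for the port with no listener; the "timeout" branch needs a host whose firewall drops packets, so it is not exercised locally.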
Well, if you want to test what will happen if Apache isn't installed, you can always just stop the Apache service by typing:
sudo service apache2 stop
or
sudo service httpd stop
depending on your version. Then if you visit your site's webpage you'll get a 404 error or something similar.
There are ways to use python scripts to run simple servers, but in general it's easier to just let Apache handle that and use a framework like Ruby on Rails or Django to control the display and creation of content for your server.

websockets apache server compatibility

I want to make an app that displays new data whenever they arrive inside a folder via XML. I want to use HTML5 web sockets but I am confused about how it should be done. I am using XAMPP on my machine for development. Do I have to install another server to use websockets? Is Apache as it is compatible, and if yes, how do I make the connection with the client? Thank you in advance.
Your options are:
Use something like mod_websocket, as pointed out by Phillip Kovalev. Or pywebsocket. You could also try PHP WebSocket.
Use a dedicated self-hosted realtime web technology for realtime communication between server and client. If you do this you'll also need to define a way of application to realtime web server communications - normally achieved through message queues.
Use a hosted realtime web solution and offload the realtime push aspect of your application.
There are concerns about using Apache with this type of technology, since this technology maintains long-running persistent connections between the server and client and Apache isn't known to be too great at this. So, the best solution may be to:
Go with a 2nd dedicated realtime web server in conjunction with using Apache as your application server
Use a self-hosted realtime web server that has the ability to handle many concurrent connections
Use a hosted service along with your Apache application server.
If you don't expect many concurrent connections or if you are just trying out the technology then it's possible that Apache alone will be all you need.
Look at mod_websocket. It supports the latest protocol version, which is commonly implemented by browser vendors.