I'm trying to find a non-SSL resource that is being loaded on my site.
This happens occasional where one of us forgets to use the https version of a resource (like some js in a CDN).
My question is there any firebug-like tools to find these "Turds in the punch bowl"? I want my green padlock back :)
Besides Firebug, which you've mentioned, you can use the developer tools in Chrome:
Tools menu -> Developer Tools
Go through the list of loaded resources in the Network tab
Alternatively, the HttpFox extension for Firefox can also be useful. It will keep logging the traffic even when you change pages, which may be useful in some cases.
(This is very similar to Firebug.)
mitm-proxy is great for stuff like this - http://crypto.stanford.edu/ssl-mitm/
You run it on your local machine in a console window, set your browser to use it as a proxy, and you can watch /log everything that your browser requests. It's a little noisy since it shows SSL hand-shaking and file contents, but you can filter that down. When you need to debug SSL communications it's invaluable to see those details though..
mitm-proxy is based on http://grinder.sourceforge.net/g3/tcpproxy.html which has more in the way of scripting capabilities.
Related
Using MS Edge and apache w/ php, I just discovered via access.log that when I have the JavaScript debug panel (i.e. developer panel) open, it is making every http call twice. When I closed this panel, it has fixed the issue of all insert statements getting called twice.
Question: Does this doubling of http calls happen on every / most browsers that I need to look out for, or is this something special/unique with MS Edge?
I can't speak for all browsers and all developer tools. But, for IE and Edge the first time you open the tools and then open a JS file in the sources view it will try to request the file again. That request will be served from the local browser cache, sometimes not, depending on the cache settings for the file being requested.
The reason browser tools need to make this request is that browsers will often throw out the original source file as it doesn't need it to execute the page, as the source has been parsed it into something else that it can work with.
However, after you've opened the developer tools the browser will keep around sources in future navigations, either in the tools front end or elsewhere. Not keeping sources is an optimization for the first time use case, to save browsers keeping around source on the very low odds of the tool being used on any given navigation.
Of course some files are never cached by the browser and will need to be downloaded when requested by the tools, for example sourcemapped files.
In general any resources on your site that can be accessed by HTTP GET should be idempotent. That is, a GET shouldn't change the resource being requested (or generall the state of your site), so hopefully making additional requests shouldn't be an issue.
I would like to test https related application on my local machine before pushing it to staging and production.
If I try to test on local system, the page just showing (in chrome it gets to the "This webpage has a redirect loop" page).
If any information could be provided that would assist me in setting this up / getting it working and testing, I would be extremely grateful . Thanks
This problem can have two angles whether this could be related to your specific browser or with your ColdFusion application:
First and foremost can you check it on Firefox or IE just to isolate if this is specific to Chrome. (As I have seen this to come on Chrome more than often)
if it works on Other Browsers:
probably Chrome is at fault. Go to settings (Options -> Under the Hood -> Content Settings -> Cookies -> Show cookies and other site data)
Enter your problem URL in search bar and it would list all related cookies.
Select "Remove all"
if it FAILS on other browsers as well:
Can you check with perhaps another test application?
Please check with following article by Ben Nadal --
http://www.bennadel.com/blog/1666-Ask-Ben-Enforcing-An-SSL-HTTPS-Connection-Based-On-Request.htm
If this persists, please add some more information, on how this has been set up.
Cheers,
Anjaneai
If I understand your questions you should be able to use a self signed certificate on your local dev box. Once you set this up you should be able to test your site in SSL mode.
Here is one quick tutorial.
http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx
Background:
One of my clients' websites has become a malware infested hotbed.
Disposing of the malware has proven difficult and time consuming, and, in the meantime, we still have had to do work on the site.
For now, we went to some trouble to do our work - creating a disposable VM to just run a web browser, so we can see what the site looks like for the designers' work, for example.
I'm wondering if there's an easier (and faster) way to get an idea what the design of the site looks like. Not everyone on the project is tech savvy enough to be trusted with, for example, properly handling switching VMs.
Question:
Is there a method for safely seeing what a malware infested website looks like (for example, a service which will browse the site for me and send a screenshot), one which ideally is easy and simple enough to use that I can trust our non-tech-savvy designers to user?
You might take at look at Internet Archive: Wayback Machine to see if the site has been archived.
If a screenshot is all you need, there are several online browser simulators, such as Net Renderer (which will run any inputted web URL in a given version of Internet Explorer and then supply a screenshot). You might also try BrowserStack, which requires an account, and is not free, but does have a free trial period, and offers more than Internet Exploder.
You could also try running a browser in Sandboxie, which is simpler to set up and use than a VM (you just install it, and then use the windows right-click menu to launch any program in a sandbox of your choosing). However, it isn't free for commercial use.
I don't know if exist a standalone tool to parse a website for malwares, but I think this can help you, it's a google tool that you can you with a request and they will send you a response.
Follow the link:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328
Hope it helped.
I have found a strange issue which I do not completely understand. When I run the LoadRunner with just a single protocol, the browser (when recording starts) is ran but says "page not found" (as if the proxy was not set).
How come? The protocols specify what traffic will be captured but I assumed in just does not record the ones not specified. But why the browser could not find the page in single protocol and could in multiple?
I've found that the single protocol mode (I assume web here) is somewhat erratic and does not work all the time. The workaround is to use the multiple protocol mode, but select only Web (HTTP/HTML). This works much better.
The actual reasons for why this is the case are unknown, but at least give it a try!
As for other issues:
Check that your PROXY settings are correct when you invoke IE for recording. Your issue sounds a little like a proxy issue, but please post more details if none of the above works.
Over 90% of recording issues can be tracked to environment items, specifically do you have the right match up between version of LR and version/manufacturer of your browser plus are you signed in with the proper credentials plus do you have any conflicting software packages loaded, such as antivirus, which could be impacting the recordingf mechansim.
Where to start?
Makes sure you are signed in with Administrative credentials
Disable any antivirus running locally
Validate your browser manufacturer and version with the requirements for your version of LoadRunner
I'm wondering how I can find out where the culprit is, as to what is NOT being transmitted over SSL on my website. It's blowing my mind, because I use relative URLs or explicitly choose HTTPS:// for all links, images, etc...
Any ideas/tools to find out what the issue is?
Thanks.
If you mean that some resources are transferred over HTTP without encryption, you can check for this in Chrome's Developer tools in the tab Resources - that should tell you which parts come from where - look for those with address starting with http:// .
Alternately, use Fiddler: by default, it won't decrypt HTTPS connections, so you'll be seeing CONNECT requests for HTTPS, and GET/POST for HTTP - those are your culprits.
For those, like myself, who run into this issue i suggest a few tips while designing your website.
Always use relative paths when ever possible "images/someimage.png" instead of using domain paths like http://someDomainName/images/someimage.png so on. Any one of these and it will cause the browser to throw that warning at you.
When linking to external content, Google/other Ads, javascript sources(such as jquery, so on), or any other media... make sure you use a https:// link if they have one available. Myself, i had one tiny image for a link to an external site but they did not offer a https link to the image, so i simply downloaded it and put it in my images folder. Problem solved.
The Chrome resources list is a very helpful tool, not sure if Firefox has something similar in its tool box. Another method, if you have shell/command line access, is to use grep to search the files for "http:". This, most often, will show anything that is linking to non secure content.