While trying to debug my openid implementation with Google, which kept returning Apache 406 errors, I in the end discovered that my hosting company does not allow to pass a string containing "/id" as a GET parameter (something like "example.php?anyattribute=%2Fid" once URL encoded).
That's rather annoying as Google openid endpoint includes this death word "/id" (https://google.com/accounts/o8/id) so my app is returning 406 errors every time I log in with Google because of this. I contacted my hosting company who told me this has been deactivated for security purposes.
I could use POST instead, for sure. But has anyone got an idea why this could cause security problems ???
It can't, your host is being stupid. There's nothing magical about the string /id.
Sometimes people do stupid things with the string /id, like assuming no one is going to guess what follows, so that example.com/mysensitivedata/id/3/ shows my data because my user has id 3, and being the sneaky sort, I wonder what happens if I navigate to example.com/mysensitivedata/id/4/, and your site blindly lets me through to see someone else's stuff.
If that sort of attack breaks your site, no amount of mollycoddling by your host will help you anyway.
One reason a simple ID in the URL could be a security concern is that a user could see their ID and then type another one in, such as if its an integer they may select the next integer up, and potentially see another users info if it is not protected.
Related
I'm working on a Discord bot using Discord.Net 2.2.0 and written in VB.NET. One of the (overly-ambitious?) many features of my bot will be posting player data from the mobile game, Star Wars: Galaxy of Heroes into an embed. This includes certain character ability information in which I wish to include some emotes to make it a bit more aesthetically pleasing. Initially, I had uploaded the emotes to a server I was testing in and everything worked great:
However, I realized that, if my bot makes it out into the wild, I can't really be installing these emotes on every server out there. I'm still in the beginning stages of this project, and I foresee the need for several "custom" emotes for some of the embeds I'll be using. So, I decided to create a new Discord server (henceforth referred to as the bot's "home" server) in which to load these emotes for use in the "client" or "target" server.
Unfortunately, when I try to include emotes from the bot's home server in the embed, all I get are the emote names and no images:
After fighting with it a bit, I tried including emotes from both servers in the same embed and I get "mixed" results. Those emotes that I include which are loaded in the client/target server show up correctly, but those that are from the bot's home server only display the emote name:
The method is pretty long, so here's a very simplified example of the code I'm using to create the embeds:
Dim BotHomeServer As Discord.WebSocket.SocketGuild = BotClient.GetGuild(Convert.ToUInt64(HOME_SERVER_ID))
Dim TargetServer As Discord.WebSocket.SocketGuild = BotClient.GetGuild(Convert.ToUInt64(TARGET_SERVER_ID))
Dim PostingChannel As Discord.WebSocket.SocketTextChannel = TargetServer.GetTextChannel(Convert.ToUInt64(POST_CHANNEL_ID))
Dim HomeEmote As Discord.Emote = Await BotHomeServer.GetEmoteAsync(EMOTE_ID_FROM_HOME_SERVER)
Dim TargetEmote As Discord.Emote = Await TargetServer.GetEmoteAsync(EMOTE_ID_FROM_TARGET_SERVER)
Dim PostBuilder As New Discord.EmbedBuilder
'... other fields and properties of the embed
PostBuilder.AddField("Home Server Test", "Some Text Here <:" & HomeEmote.Name & ":" & HomeEmote.Id & ">", False)
PostBuilder.AddField("Target Server Test", "Some Text Here <:" & TargetEmote.Name & ":" & TargetEmote.Id & ">", False)
'... other fields and properties of the embed
Await PostingChannel.SendMessageAsync("This is a test", False, PostBuilder.Build)
I've also tried using the .ToString() method for adding the emotes to the embed instead of "manually" building them with the Name and Id properties, but I get the exact same results. I retrieved the emote ID's by typing \:emotename: in the home (and client/target) server. The emote names (i.e., :gohomega:) are correct, so I know that it's correctly finding the emote in the bot's home server. It's just not displaying them unless they're loaded in the client/target server.
I found a similar issue addressed in the question, Discord bot can't show emote “sometimes”. Although the issue reported there is definitely different, the end result - the emote names showing up instead of the actual image - is the same behavior I'm trying to troubleshoot. The fact that the issue in that question is sporadic (whereas my issue is consistent) and that the bot there is written in a different language (Node.js instead of a .NET language) and using different libraries (I assume) has me wondering if the issue may be on Discord's end rather than anything to do with my code.
I've triple- and quadruple-checked that the bot (and the role group it's in) have permission to use external emojis on the client/target server:
Initially, I had forgotten this bit and it didn't have the appropriate permissions. However, even after granting the necessary permissions, I still get the same results.
At this point, I'm not above admitting that I may just be overlooking/missing something, or simply being dense about what I'm looking at, but I'm wondering if anyone else has encountered (and hopefully resolved) this particular issue with a bot using emotes from a different server.
EDIT
Just to make certain, I stepped through the code in my IDE and checked the properties of one of the emotes at the time it's supposedly being added to the embed:
The emote's Id and Url properties appear to be correct, but I also went ahead and "validated" the Url property with my browser and verified that it does show the correct image for the emote.
Per the comments, the bot is a member of both servers:
I'm grasping at straws here, but perhaps it has something to do with the fact that the "home" server is so new (I just created it last night)? I mean, Discord's documentation says this should work, and the Discord.Net documentation basically says the same thing. According to the comments, it works for other people and my code looks "right", so it's really leading me to believe the entire issue is something on Discord's end.
I've also asked this question in both the Discord API server (#dotnet_discord-net) and the Discord Bots server (#development), so feel free to join me in one of those servers for an "extended conversation", if needed.
Okay, I finally found the cause of the issue, and I feel like a moron. I spent all my time looking at the bot's permissions and the group permissions at the server level, but I didn't even think about the actual channel permissions. The Use External Emoji permission for bot's group role in the channel was set to inherit:
I set it to allow and, voilà, the emotes came through just fine. I checked the permissions for the category that the text channel is in and found that the bot/group roles weren't even listed. I guess I had mistakenly assumed that the bot/group role permissions for the channel would get inherited from the server-level permissions I had set, even though the message at the top of the channel's permission screen explicitly states that the permissions are synced with the category.
The moral of the story? If it looks like a permission issue, don't forget to look at ALL of the permissions at every level.
Server
Category
Channel
I was creating an API for TD Ameritrade (my first time creating or dealing with APIs) and I needed to put in my own call back URL. I know that callback URL is where the API sends information to and i heard that I can just use my localhost API. I scoured the internet and I dont know how that would work and I was wondering if i can just use http://localhost?
Sorry if I seem like a noob because I am
In short, yes.
Follow the excellent directions at
https://www.reddit.com/r/algotrading/comments/c81vzq/td_ameritrade_api_access_2019_guide/. (Even with them, I spent excessive time on trial and error!)
Since stackoverflow has a limit of 8 links in a response, and the localhost text string looks like a link, I’m showing it with the colon replaced by a semicolon, i.e., http;//localhost to reduce the link count. Sorry.
I used the Chrome browser after first trying Brave, which did not work for, possibly because of my option selections.
Go to https://developer.tdameritrade.com/user/me/apps
Add a new app using http;//localhost (delete existing app if there is one).
Copy the resulting consumer key text string (AKA client_id or OAuth User ID).
Go to https://developer.tdameritrade.com/content/simple-auth-local-apps, follow instructions. Note: leading/trailing blanks were inserted by MSWord due to copy/paste of the auth code, which had to be manually deleted after wasting excessive time identifying the problem. The address string looks like:
https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=http%3A%2F%2Flocalhost&client_id=ConsumerKeyTextString%40AMER.OAUTHAP
This returns a page stating the server refused to connect, but the address bar now contains a VeryLongStringOfCharacters in the address bar:
https;//localhost/?code= VeryLongStringOfCharacters
Copy the contents of the address bar, go to https://www.urldecoder.org/, decode the above, and extract the text after “code=”. This is your refresh_token
Go to: https://developer.tdameritrade.com/authentication/apis/post/token-0, fill out the fields with
grant_type=authorization_code
refresh_token=<<blank>>
access_type=offline
code=RefreshTokenTextString
client_id=ConsumerKeyTextString#AMER.OAUTHAP
redirect_uri=http://localhost
Press SEND.
If the resulting page starts with HTTP/1.1 200 OK, you have succeeded.
Try updating your redirect to:
redirect_uri=https://localhost
They may require https now and you need a colon instead of a semicolon. Everything looks correct. This process generally takes me more then one attempt, and 15 minutes to an hour to get my refresh token squared away every 90 days.
dont use #AMER.OAUTHAP in client_id
If you generate a new code and based on that try to get a new access token. it should work.
I would like to ask this question to developers who have a good sense of design. I see that whenever a website uses a popup box for their login page, they will always post and then redirect to the next page whether it be content or a dedicated login page for an invalid login error.
I have a client who has been asking to cut out as much page refreshing as possible, including the login function. They would like to see the login error appear on the login popup box without a page refresh.
I have not noticed a web based businesses do this, so I'm wondering if there's a valid reason to avoid this. I personally think that a page refreshing allows users to recognize their input has been registered and the next page appearing will be a solid response to their action either good or bad.
Having no refresh and expecting the user to notice that some error text has appeared seems like a bad idea?
Notes
The question is most likely more appropriate for https://ux.stackexchange.com .
You can find a lot of stuff by searching "ajax logins" in a search engine
There already is this question that might indeed be a duplicate of this one. Since I was not sure and I had already wrote most of this answer before finding that I post it nonetheless.
The title ought to be changed to a question (maybe something like "Is it a bad idea to use ajax to return login errors?").
Actual Answer
In my opinion ajax logins could indeed make less clear whether there really has been a successful interaction with the server or not.
Some ideas to improve it might be:
to include the time of the login request in the error message
to explicitly assure in the error message that the credentials have been received and checked
to be sure that this error does indeed only occur after the credentials have been determined to be not valid (and not because of problems with scripts or the network, for example).
A good way to ensure this might be to have the server always send the full text of the error, rather than a code that selects a message stored in the page source (and to be careful its caching).
This becomes relevant only after the user has been using the site for some time, of course (and has incurred in the error and verified that it was indeed due to a mistake on his part).
to use some animated feedback to highlight the dispatch and the reception of the reply to the user. As with the text you should ensure that the animations do not give (too) incorrect indications.
Basically these suggestions would be applicable to any ajax form entry, but they are more important for logins because:
in this context it's a lot easier to make typing mistakes (in the typing of the password)
and mistakes have a drastic, immediate annoying outcome: the inability to authenticate and the necessity to input again the entire password
And so uncertainties on whether the input has really been received and processed are a lot more bothering.
All in all anyhow it's pretty complex to do this well, with both an appealing appearance and a reassuring feedback.
The ones ajax logins that I've incurred into did not do a good job (I think I have indeed experienced false login errors with them).
You can find several ajax login frameworks/plugins by searching for "ajax logins". I have not looked into any of them.
Why (other than moral reasons) don't more people use the CAPTCHAs of other sites as their own while selling the solving of said CAPTCHAs?
To me, such a system seems like it would be simple to implement:
set up a script that does something on another website that requires a CAPTCHA to be completed through the use of a proxy service
when a user on your site performs a task that requires the completion of a CAPTCHA, simply serve them the CAPTCHA that the other
site asks you to solve
when the user solves the CAPTCHA, your script can perform the desired action on the other site that is the source of the CAPTCHA,
and the user on your site is also verified through this process
Is this commonplace? If not, why not? What, if anything, could be done to prevent this?
Fetching the captcha. Assuming one could easily fetch the exact visual of the captcha from the foreign host. To do this, you have to pass the referral check (most browsers (navigated by humans) allow to send the http_referer). You also would have to save the session_id and the secret from the hidden input.
Checking the result. The foreign host must link the saved variables with the ones associated with the session of your first request, which requires you to implement tricky cURL methods. You would have to handle multiple parallel requests, all from your single ip.
Your server will probably use more resources when hacking a captcha on a foreign host than if it generates a captcha on its own.
Prevents
http_referer check
limit requests for single IP to e.g. 5 / minute
good session handling and tricky cookies
it's not impossible to reverse engineer javascript, but the more complicated your javascript is, ...
you have to find a pattern that recognizes the result on the foreign host. the easiest signature may be the Location header field, leading either to /path/success.html or /path/tryagain.php
Challenge:
I took a moment to prepare an example: http://woisteinebank.de/test/
In this example, I attach keys to the session_id(); and save it in the database.
Through session_regenerate_id(); I have a fresh session on every request.
In check.php, I compare the database values to the $_GET values.
Try to find a way to get leech this captcha, I'll try to defend. Everytime you sucessfully use my captcha on your site, I try to defend it.
So my friend hosts a little get together every once in a while where space is limited to the first 14 people who RSVP. He emails the invite out to a list and then accepts the first people who respond. Tonight I barely got in because I can't always check my email, so I told him that I would write a program that would respond instantly to his request. This would not normally be a problem (autoresponder, easy) except he has recently created an online signup form. I think it would be funny for him to send out his next invite and get a sub-100ms response from me, so I would like to give this a try.
The problem is, I'm not quite sure how to go about it without going to to much expense. I have a personal site that can host some .NET backend code, but it's on a shared GoDaddy server so I don't really have a ton of access to the mailserver or anything. I was thinking that if I could get an email sent to a certain address that maybe it could trigger a webrequest that could pull down his page and then fill the (very simple, like 2 or 3 inputs) form out and submit it, but again, I'm not quite sure how.
Would anyone have an idea about how I could go about this? I would want for this to happen automatically without any sort of interaction from me, just basically as soon as I get an email from a certain email address, somehow my code is triggered and the form filled out and submitted.
This is just for fun, but the programmer in me is curious as to how I could actually get this to work.
Thanks!
The most affordable thing I know of would be through NearlyFreeSpeech.NET. If you set up an account there, you can configure a domain with email forwarding for 3 cents/day. They have an option to forward the email to a script, so you could write something that would look at the mail, pull down the form, and post to a server.
I'm not sure but I think the script has to be running on their servers, so you'll have to set up a website (another few cents per day) and write the script to run in a UNIX environment (PHP or Perl or such). If you insist on .NET, you could write a minimal PHP script to forward the data to your GoDaddy account.