Access denied due to firewall policy violation - java

I have run into a very strange situation that I have never seen before, and I could not find any relevant issues on the web to resolve my problem. The situation is the following:
When a user connected via VPN to the local office network tries to access a web application (Apache Tomcat / servlets / MySQL), on very specific requests the user receives an error:
Your access is denied
Access denied due to firewall policy violation
Your issue ID for support is: 5e81fac2-1-1ae9967f-c0000000
This is what it looks like:
This error comes when a user presses a save button, which performs a jQuery AJAX request to the server. So far the error only appears when I have the word "find" in CKEditor as shown above (<div>any-text find any-text</div>). When the word "find" is replaced, everything works OK. Looking at the encoded message that is transferred, it looks something like this:
Not Working:
clName=A+S+LTD&contactPerson=S+Ei&contactEmail=&contactPhone=002&problem=%3Cdiv%3Efind%3C%2Fdiv%3E%0A&subject=Support............
Working:
clName=A+S+LTD&contactPerson=S+Ei&contactEmail=&contactPhone=002&problem=%3Cdiv%3Eind%3C%2Fdiv%3E%0A&subject=Support............
clName=A+S+LTD&contactPerson=S+Ei&contactEmail=&contactPhone=002&problem=%3Cdiv%3Efxnd%3C%2Fdiv%3E%0A&subject=Support............
clName=A+S+LTD&contactPerson=S+Ei&contactEmail=&contactPhone=002&problem=find&subject=Support............
I have this issue for two users working remotely using a VPN connection (Check Point Endpoint Security). On my local network, where everyone else is connected, the same request works fine.
Does anyone have ANY clue where this message comes from or how it can be resolved?
Thanks in advance

It seems that #chrylis-on-strike was right. The problem indeed came from the Check Point firewall.
It seems that the word 'find' was detected as a 'command injection' and was blocked.
The solution was to add a rule on the firewall to just detect, and not block, this kind of request coming from the VPN-connected clients.

Related

Change of IP address has stopped OWASP CSRF from triggering

We are using the OWASP CSRF tool in our application. It is quite an old Java 8 / Tomcat application, but this aspect has worked without a problem for a long time. We have 3 environments:
dev - local machine
test - runs on remote servers as production
production - runs on remote servers
We recently changed the IP address of the test server, and the OWASP protection no longer seems to trigger on this environment. I don't believe there is anything in the code base to cause this change, as it still works on dev. I have checked and there is no hard-coded reference to the old IP address in the code.
The token is still being injected into the form on test, and changes between the initial set-up and the 2nd logon & submit.
The owasp_csrf.js file is still active, as I put some alerts in there to check and they fire (I noticed on dev our warning message appears before the alerts, so I don't think this is where the main part of the token checking is happening).
Everything seems to work as expected, except the CSRF check doesn't seem to fire.
So, my test is:
log in and enter data into a data entry form
log out before submitting
log back in (different user, although this isn't necessary on production)
use the back button to get to the previously filled-in form and submit
On test this allows submission (on dev and production it triggers the CSRF alert).
I don't think this has been tested on test for a while, but I know it has been in the past. I believe the only significant difference is the IP address change, but I can't find anywhere in the code base or Tomcat configs where this looks relevant. (I've double-checked the hosts files and rebooted in case any aspect of the (Linux) server setup had missed the IP change.)
Apologies if this is a little vague, but I wondered if anyone had any ideas about where the IP address may be relevant to the OWASP CSRF setup?
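The manual test above (fill a form, log out, log in again, submit the stale form with the back button) is checking the synchronizer-token pattern: the token baked into the old form belongs to a session that no longer exists, so the server must reject it. The following is an added example, not CSRFGuard's code, that implements that check with in-memory stand-ins for the session store and the rendered form and replays the exact scenario; the class and method names are assumptions. It shows what a correctly working environment does, which is the behaviour the question says dev and production still have.

```python
"""Synchronizer-token CSRF check replaying the question's back-button test.
Added example with hypothetical names; CSRFGuard's own storage and
parameter names differ."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    session_id: str
    user: str
    # One unguessable token per session; the form carries it as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class Server:
    """Minimal server: sessions are keyed by a cookie value, never by client IP."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Session:
        session = Session(secrets.token_urlsafe(16), user)
        self._sessions[session.session_id] = session
        return session

    def logout(self, session_id: str) -> None:
        # Invalidating the session also invalidates every token it issued.
        self._sessions.pop(session_id, None)

    def render_form(self, session_id: str) -> Dict[str, str]:
        """What the browser receives: the hidden token for the current session."""
        return {"csrf_token": self._sessions[session_id].csrf_token}

    def submit(self, cookie_session_id: Optional[str], form: Dict[str, str]) -> str:
        """The browser sends the *current* cookie with whatever form it has cached."""
        session = self._sessions.get(cookie_session_id or "")
        if session is None:
            return "not logged in"
        supplied = form.get("csrf_token", "")
        # Constant-time compare so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, session.csrf_token):
            return "csrf rejected"
        return "accepted"


def back_button_scenario(server: Server) -> Tuple[str, str]:
    """Returns (result of submitting the stale form, result of a fresh form)."""
    first = server.login("alice")
    stale_form = server.render_form(first.session_id)   # page cached by the browser
    server.logout(first.session_id)
    second = server.login("bob")                        # different user, new session
    stale = server.submit(second.session_id, stale_form)
    fresh = server.submit(second.session_id, server.render_form(second.session_id))
    return stale, fresh


if __name__ == "__main__":
    print(back_button_scenario(Server()))  # expected: ('csrf rejected', 'accepted')
```

Nothing in this check looks at the client address: the token is tied to the session cookie, and the stale form fails because its session is gone, not because of where the request came from. That is a useful baseline when hunting for the difference between the environments, since any dependence on the host address has to come from configuration or deployment rather than from the pattern itself.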

com.google.firebase.FirebaseException: An internal error has occurred. [ 7: ]

I used to be able to create accounts and log in to my application with Firebase, but then, as soon as I disconnected, I couldn't create accounts anymore. After 1h, I managed to create an account, and when I disconnected to see if the problem was resolved, I realized that it was still there.
By calling task.getException() when account creation fails, I get this error:
"com.google.firebase.FirebaseException: An internal error has occurred. [7:]"
Do you have an idea of the cause of the problem?
I had the same problem because my internet was not active.
Make sure you have an active internet connection.
If you are sure you have an active internet connection and you are testing from an emulator, restart your emulator and it should work. Sometimes the emulator disconnects from the internet and these sorts of problems occur.
I had a similar issue and got the same exception and code: 7. I was calling firebaseUser.getIdToken() in an Rx stream. While testing the app's functionality offline, I found that the JWT returned by firebaseUser.getIdToken() had expired and was throwing said error. It has a lifetime of 1h.
So I split my implementation into separate functions, only calling firebaseUser.getIdToken() before an authorised call, which must be done while online anyway to be sure and secure.
Without seeing any code, it seems you are signed in / keep a reference to an expired Firebase token. Make sure you signed out properly from firebaseAuth before calling your "account creation" piece.
Here is how I solved the same issue: I opened a browser on my emulator, typed something and searched. After that, I came back to my app, retried to connect to Firebase, and everything started to work well.
The reason for the issue was probably the emulator not being able to connect to the internet until I searched for something in Google.
I have the same issue too.
My application crashed in offline mode/airplane mode.
getIdToken returns the current token if it has not expired. Otherwise, it will refresh the token and return a new one; more info here.
In my case, I called getIdToken like this: getIdToken(true), which means I force a refresh regardless of token expiration.
In my case, calling getIdToken(false) instead solves the issue.
I have tested offline mode/airplane mode and it works great.

Android AWS Cognito: unable to resolve host

I am having difficulty getting Cognito registration and login to work for my app in Android Studio using this sample. When I attempt to log in via the simulator, the app works for a few seconds, then displays an error message: "Unable to execute HTTP request: Unable to resolve host 'cognito-idp.us-east-1.amazonaws.com': No address associated with hostname". This same error is the only error that appears in the console. I have seen similar questions and tried solutions such as checking to ensure my app has the permissions android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE, but the error persists. It also doesn't seem to be a network issue. I have updated to the latest version of the Android SDK as well as the AWS SDK, and the problem persists.
I currently have a Cognito user pool set up which works properly for login on the iOS version of my app. Following the instructions in the readme for the sample code, I added an app to my existing user pool, and then copied and pasted the newly generated app client ID and app client secret into AppHelper.java for clientId and clientSecret respectively. I also set userPoolId to the ID listed for my user pool under "pool details" in the Cognito console, and cognitoRegion to US East, since this is the region of my user pool. I noticed that there was no need for me to set the pool name, as there was in the iOS version, so I'm wondering if that's something I need to do.
Sorry if this counts as a duplicate, but I wanted to post a question with the exact error message I encountered and the steps I took, and I'm wondering if someone has managed to get this specific sample working and what I should do.
The problem has been resolved, but unfortunately I'm not quite sure what fixed it since I didn't change anything in the code. All I did was install an update, so anyone with a similar problem should probably ensure that all SDKs used in the sample are properly updated, along with the simulator. It's also worth noting that I was using a different network than in my previous tests, so it's possible that it was a network issue after all.
I had the same issue.
The issue occurred when I used a VPN with the emulator to test my program. The reason was that the internet connection in the emulator was too slow when connecting through a VPN.
This could also happen if your internet connection is not strong enough.
The solution is to use a real Android device to test your code if your internet connection is not good enough.
More info: https://github.com/aws-amplify/aws-sdk-android/issues/567

Android Networking Exception: Connection reset by peer

I have an Android application where I connect frequently to a web service that I control, using SSL exclusively. The first thing a user does that results in network activity is login, and I currently use the Ion library for this, although I tend to think my issue is not specific to Ion. This works as expected except for one specific user who has limited all internet access on the Android device to work only with my web service. They have done this by using their router to create a firewall that blocks all traffic except the specified domains. When this firewall is turned on they can't log in via the app because of the following error:
java.net.SocketException
recvfrom failed: ECONNRESET (Connection reset by peer)
They can use the browser to go to my website and access the same web service with the firewall turned on, and everything works fine. In addition, they can turn the firewall off, log in successfully (i.e. successfully initiate the first connection), turn it back on, and subsequent network connections continue to work. The user can even log off and log back in without issue. It continues to work with the filter on until they quit the app. When they then restart the app and try to log in, the error returns. This seems like very odd behavior and I'm not entirely sure it is an Ion issue, but I'm not sure what to do. Does anyone have any ideas on what could be causing this issue?
UPDATE:
Per a comment, I tested my application with Volley. It does appear that Volley works with the filter turned on. I would prefer to stick with Ion, though, due to some of its other features, so if anyone has any ideas on how to make Ion work in this scenario I would greatly appreciate the help.

Capturing Android application traffic using Fiddler

So far I have managed to capture the traffic of local Java programs and the Android browser successfully. However, I failed to capture the traffic of my Android application (using HttpsUrlConnection).
While following the steps in this guide to configure the WiFi network on the device, in the step of downloading the certificate I faced odd behavior, as Chrome raised an error and Firefox installed it without opening the expected dialog:
But when I try to download it again, it says that the certificate is already installed.
Anyway, when running my app (on a real device, Karbonn S203, API 19), there are no requests nor tunnels logged in Fiddler. I tried a lot, including inspecting this thread, to no avail. In other articles I read about showing tunnels only, but I don't have them either. Am I missing anything?
Thanks.
EDIT: I managed to install it "correctly" (with the above screen) from Settings -> Security -> Install Certificate after copying it from my PC. Still I cannot see the requests in Fiddler.
Apparently the problem occurred due to using some uncommon devices (well, at least uncommon in Europe/North America). They've probably made some configuration changes in their AOSP version. When working the same way with a Nexus 5, I managed to add the certificate under 'WiFi' and then captured requests successfully.
It looks like your app does not use Fiddler as a proxy. When you call openConnection, do you pass a Proxy object to it? If so, how do you initialize this proxy object?
You might want to try sending some HTTP traffic through first to make sure you are using the correct proxy settings, and then try with HTTPS.
