I was wondering, what is the easiest way to convert a request captured by Fiddler to Java code? For example, Fiddler captures a request, and I'm wondering if there is an easy way to turn it into Java code so that I can send the same request programmatically!
I am open to suggestions of other Chrome plugins that would work for this!
You have the possibility of:
Selecting all desired requests
Open a contextual menu
Choose "Save" and save them to a file.
Then, you can just read the file and use Apache HttpClient (one option out of thousands) to build the different types of requests (GET,POST,etc) to the hosts specified in the saved file.
For instance, this is a POST request sent to SO while I was writing this answer:
POST http://stackoverflow.com/posts/validate-body HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Content-Length: 332
Accept: */*
Origin: http://stackoverflow.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://stackoverflow.com/questions/31931998/convert-captured- fiddler-requests-to-java
Accept-Encoding: gzip, deflate
Accept-Language: es,de-DE;q=0.8,de;q=0.6,en-US;q=0.4,en;q=0.2
Cookie: <<ommitted>>
body=You+have+the+possibility+of+selecting+...
Related
From my browser I am doing an ajax call to the server so that it sends a response
Request URL: https://test.com/ac_helper/
Request Method: POST
**Content-Type: application/x-www-form-urlencoded**; charset=UTF-8
Cookie: xxxxxxxxxx
Host: another site
Origin: https://<site>
Referer: https://<site>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
**X-Requested-With: XMLHttpRequest**
Sending body as Form Data:
<helperQuery><somefield>something</somefield><password>123</password> <helperQuery>
Response Headers received:
HTTP/1.1 200 OK
sei_http_code: 200
Content-Encoding: gzip
Content-Type: text/xml
Content-Length: 4670
And response received:
<helperReply><res>test</res><response>Authentication Success (Y)</response></helperReply>
And I have to use java to mimic this browser action of post.
I have tried HttpURLConnection, JSoup, RestAssured.
But none of them worked. Though I managed to get a 200 response using HttpURLConnection, I can't get the response read which is a text/xml response.
Kindly help.
I heard x-requested-with is an inbuilt library browsers use to make ajax calls to the server.
I'm just trying to find the solution for host header injection but couldn't find it. Need help from you techies.
Using struts2 as a framework, jsp as frontend and jboss 7 as an application server .
Below are the sample request,
GET /xxxxxxxx/xxxxxxx/xxxxxxxxxMaster.action HTTP/1.1
Host: xxx.xxx.xx.xxx:8444
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://xxx.xx.xx.xxx:8444/xxxxx/xxxxx.action
Cookie: menusToExpand=LINKID000001323Menu%2CLINKID000041521Menu%2CLINKID000055923Menu%2CLINKID000042954Menu%2CLINKID000094209Menu; itemToHighlight=https%3A//xxx.xxx.xx.xxx%3A8444/xxxxx/xxxxxxxxxxxx/xxxxxxxxxx.action; JSESSIONID=qKGED+F7LXZ1hvQijXKO+5Qp.hellnode01
Connection: keep-alive
I want to hide host ip address to prevent Host Header Injection..
any help would be appreciated!
Thanks
After payment is done. When payumoney redirects to my application with POST request. I am getting 404 even having request mapping.
URL: [test.payumoney.com/payment/postBackParam.do:23][1]
I tried with the plain form from my application, it is hitting my application. When it comes to request from another site, it is throwing 404 error.
Do I need to change any server setting Where it should accept this kind of request?
REQUEST HEADERS:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/ *;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:1075
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=60A54F6DAB5259BAD651EC00C199FCE5
Origin:null
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Thanks in Advance.....
I am running jmeter and encounter this problem, i have tried cookie manager and header manager, cache manager there, the problem is still there.
POST data:
store_id=34926840&country_code=SE&amount=2.00&merchant_reference=1487698674350&bank_name=Forex+Bank&payment_reference=DHUDYTHMMTV&internal_reference=185524¤cy_code=SEK&status=PENDING
Cookie Data:
JSESSIONID=A5A4905F9FBDF18DC47A376F0226A388; AWSELB=B5FF67AD1CFA5460C8C7E086624D3BB9CE4C254E9C05CAED2F8B4C138D77F2FB3E8E2D91BE28957E695EB58D84B77AABC0950A0B63FB43504A613D484F319EB551578DB7CB
Request Headers:
Connection: keep-alive
Origin: https://qa.instantinternetbanking.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://qa.instantinternetbanking.com/internetbanking/webPASubmitData.form
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Content-Length: 188
Server Error 5xx
The 5xx (Server Error) class of status code indicates that the server
is aware that it has erred or is incapable of performing the
requested method...
500 Internal Server Error
The 500 (Internal Server Error) status code indicates that the server
encountered an unexpected condition that prevented it from fulfilling
the request.
So I can see 2 possible explanations:
Issue with your server, execute the same request manually using browser to see of it is the case.
Issue with your request. When it comes to more or less complex web applications testing you cannot just record and replay the test, you need to keep in mind that there could be some mandatory dynamic parameters which need to be handled (the process is known as correlation) or some actions are not repeatable (for instance if transaction with reference number DHUDYTHMMTV is already finished you cannot send it once again, you will need a new one), etc.
I am working on "Host Header Injection" attack for one of my client. The issue is, using Burp Suite they are capturing the request and modifying the Host header as below. The application is Java Servlet and hosted on apache (web Server) + weblogic (App servers)
Original request
GET /myContext/testServlet?rq=home&tenId=123456 HTTP/1.1
Host: beta.testinglab.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Modified request
GET /myContext/testServlet?rq=home&tenId=123456 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
At Server side, even after modifying the "Host Header", request is submitted to "beta.testinglab.com" and when on server i use request.getRequestUrl() it gives me "www.google.com".
Is there anyway to find out what was the original host that was requested. The request is making to correct host be internal redirection the issue.
I can't maintain the predefined list of Host entries since this application is customized by lot many tenants.
Is there any other way to fix this attack by changing configuration on Servers?
As far as I see, when the web or app server starts up it starts listening on a particular port of the machine. Which host name gets resolved to that particular machine is outside the knowledge of the web/app server. It depends on your network configurations. So there is no way the web/app server could validate that the hostname coming in the HTTP request is correct.
As you've mentioned you could keep in a configuration the expected hostname and write a servlet filter to validate all incoming requests do match that hostname.Othewise in apache webserver it self you could test if the correct hostname value is present in the header. Either way the correct hostname might be needed to be configured.
http://httpd.apache.org/docs/trunk/vhosts/name-based.html