We Keep Coding

Error xss AWS WAF CrossSiteScripting_BODY in my request

I need to send some information to an API, in one of the fields the information is contained in an HTML so that the message contains some style editing, and I am getting a 403 CrossSiteScripting_BODY error.
I shouldn't disable this CrossSiteScripting_BODY check and I need to send this information as HTML. Would it be possible for me to put some parameter in the HTML that I am sending so that an attack attempt does not occur?
For example: <div xss-remove>Test</div>
My Request :
{
id: 1,
description: "<b>Test</b><div style=\"text-align: center;\">TestTest;</div>"
}
Response:
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too
much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to
EVIDÊNCIA DE TESTES
troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 9UXcrNUxCQ7qsbNC9xGzCiG-a44RDKDBVv4p4NYtWvVwDaMoTjF0Iw==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML> ; Zone: <root> ; Task: Promise.then ; Value: TypeError: Cannot use
'in' operator to search for 'detailedMessage' in <!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too
much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
Switching to base_64 is not an option

How can I download web content using postman when I get a 403 error?

I am trying to download a webpage using Postman from:
https://cookidoo.co.uk/recipes/recipe/en-GB/r252593
but I get a response from server as shown below and error 403 is quoted:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD>
<BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a
configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 4SL0NvJZt4eLt9GqQHw-RsgEJLVCpyY1n5zROPtiolExUJcup2J8Lw==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY>
</HTML>
I am not very familiar with postman or web technologies so any help would be gratefully received. I can download the page successfully in Safari. Am I missing some pertinent information in postman? Is it something to do with the website being a secure https site?

Some headers/ cookies are missing.
To recreate a request from the browser in Postman, open the developer tools in the Browser (press F12).
Go to the Network tab, do a right click on the request you want to rebuild in Postman (in this case it's r252593) and select Copy/ Copy as cURL (bash).
In Postman, click the Import button, then select Raw text. Paste your clipboard (it contains the cURL copied in the browser) and click Continue.
This request in Postman returns the HTML of the page, it also has the same http status code (260) as the copied request in the browser:

I deleted a body that I was passing by mistake from another collection.

Twitter Card fails validation - why is this not picking up any tags

I have a bare bones html page created for testing sharing via twitter. When I test this out in twitter card validator it says:
INFO: Page fetched successfully
WARN: No metatags found
Here is the complete webpage:
<!doctype html>
<html>
<head>
<meta content="text/html; charset=UTF-8" name="Content-Type">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Title for this page">
<meta name="twitter:description" content="115 character description">
<meta name="twitter:image" content="https://urlToAzure/thatends/withjpgfilename.jpg">
<title>Page Title</title>
</head>
<body bgcolor="#CCCCCC">
<div id="allContentInBody">
Test page.
</div>
</body>
</html>
Here is the public link of this webpage:
https://www.privatebox.com/casa/test.html
I've updated robots.txt to allow is all.
EDIT 2: I made some progress and have additional information.
My setup is a NGINX acting as reverse proxy to node.js for all traffic, no static pages.
I setup a static page that will be served by NGINX itself. And now Twitter card validator works. I see the image and other information in the card.
So the problem is that somehow when NGINX is forwarding the request to node.js - the page served seems to be failing twitter's card validation. In that it is not able to see the metatags.
I'm certain that NGINX is not stripping the meta tags. so there is something else that twitter tries to do which my node server does not get to see and is thus failing.
Any advice on NGINX as reverse proxy with node.js and how to get twitter to work is appreciated.

I figured out the problem. It was on the node Server, I was serving the file with
res.write(<contents>)
res.end().
I changed it to
res.send(<contents>)
and that fixed the issue. The metatags are now seen by twitter card validator and the image gets picked up too.

Save To Drive Button Doesn't Work

I wrote a simple file server in NodeJS to serve a HTML page with a Save To Drive button. HTML page is served at my_address:1337 and file to be saved is served at my_address:1338. Upon clicking the Save To Drive button, it shows "Starting Download" for a long time then displays Failed Download. XHR Error.
I thought this was due to the fact that the file was being served from a different port so I decided to do the same with an appengine app. Page served at http://sayodrive.appspot.com/index.html and file served at http://sayodrive.appspot.com/drivefile.jsp, I got the same problem.
Then I decided to do a local Java web application: same problem. Then I tried changing the content disposition to attachment (to force a download) but didn't work either.
Frustrated, I started Googling and came across this page that claims the Save To Drive button doesn't actually work.
So I went back to the official Google Drive SDK page and discovered that their example button doesn't work too. Is this a bad dream?
SOURCE: index.html
<html>
<head>
<title>Test: Save To Drive</title>
<!-- -->
<link rel="canonical" href="http://sayodrive.appspot.com">
<script src="https://apis.google.com/js/plusone.js"></script>
</head>
<body>
<p>This must be the worst HTML you have ever seen :)</p>
<div class="g-savetodrive"
data-src="//http://sayodrive.appspot.com/drivefile.jsp"
data-filename="Test Drive"
data-sitename="Sayo Saves">
</div>
</body>
</html>
SOURCE: drivefile.jsp
<%# page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DriveFile</title>
</head>
<body>
<%
java.io.Writer w = response.getWriter();
response.setContentType("text/plain");
w.write("If you're reading this in Drive, congrats!");
w.flush();
w.close();
%>
</body>
</html>

The original sample was not working because the Cache-Control header was not being exposed by the server. This is now fixed.
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
More in the documentation.

website not running in iis 7.5

Bit of a IIS newbie so here goes: I am trying to run a website from iis 7.5:
The boerekneiter.com folder contains file boerekneiter.htm
html:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>hi there</title>
</head>
<body>
this is the body
</body>
</html>
Unfortunately when i go to http://www.boerekneiter.com:8000/ chrome says:
Oops! Google Chrome could not find www.boerekneiter.com:8000
How can I fix this? do i need to install additional filters or components?
It is the only website i have in IIS:

This isn't an IIS issue as much as a DNS issue.
www.boerekneiter.com is just the name of your site in IIS. If you have not set up DNS to point that domain to that server's IP, you won't be able to serve via the URL. As mentioned in the comment, you can test access to the server via the URL localhost:8000 or replace 'localhost' with the IP address of the server. You can also set up your HOSTS to direct requests for www.boerekneiter.com to the server for the time being.