I need to send some information to an API; in one of the fields the information is contained in HTML so that the message contains some style editing, and I am getting a 403 CrossSiteScripting_BODY error.
I shouldn't disable this CrossSiteScripting_BODY check and I need to send this information as HTML. Would it be possible for me to put some parameter in the HTML that I am sending so that an attack attempt does not occur?
For example: <div xss-remove>Test</div>
My request:
{
id: 1,
description: "<b>Test</b><div style=\"text-align: center;\">TestTest;</div>"
}
Response:
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Request blocked.
We can't connect to the server for this app or website at this time. There might be too
much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to
troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 9UXcrNUxCQ7qsbNC9xGzCiG-a44RDKDBVv4p4NYtWvVwDaMoTjF0Iw==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML> ; Zone: <root> ; Task: Promise.then ; Value: TypeError: Cannot use
'in' operator to search for 'detailedMessage' in <!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
Switching to base_64 is not an option
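The security-relevant point here is that the WAF rule is only a heuristic; the real control is that the receiving application accepts nothing beyond the markup it actually needs. As an added example (not part of the question), this is a strict allowlist check for the description field that admits only the `<b>` and text-aligned `<div>` markup from the request above and rejects everything else; the tag and attribute allowlist is an assumption chosen to match that request.

```javascript
// Added example: allowlist validation of the "description" HTML field.
// Only <b> (no attributes) and <div style="text-align: ..."> are accepted;
// any other tag, attribute, comment, doctype or style rule is reported.
const ALLOWED = {
  b: new Set(),              // no attributes at all
  div: new Set(['style']),   // only a style attribute, checked below
};
const STYLE_RE = /^\s*text-align\s*:\s*(left|center|right)\s*;?\s*$/i;
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s=]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Returns a list of problems; an empty list means the HTML is acceptable.
function checkDescriptionHtml(html) {
  const problems = [];
  const depth = {};
  if (/<[!?]/.test(html)) problems.push('comments, doctype and processing instructions are not allowed');
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    const attrs = m[3].trim();
    // hasOwnProperty so that names like "constructor" do not hit Object.prototype
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) {
      problems.push(`tag <${tag}> is not allowed`);
      continue;
    }
    depth[tag] = (depth[tag] || 0) + (closing ? -1 : 1);
    if (depth[tag] < 0) problems.push(`unexpected closing </${tag}>`);
    if (closing) {
      if (attrs) problems.push(`closing </${tag}> must not carry attributes`);
      continue;
    }
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[tag].has(name)) problems.push(`attribute "${name}" on <${tag}> is not allowed`);
      else if (name === 'style' && !STYLE_RE.test(value)) problems.push(`style "${value}" is not a plain text-align rule`);
    }
  }
  for (const [tag, d] of Object.entries(depth)) {
    if (d !== 0) problems.push(`<${tag}> is not balanced`);
  }
  return problems;
}
```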
I am migrating from the deprecated OSS end points to the direct to S3 end points, and when I try to upload my file to one of the generated upload URLs, the call fails with this error:
E0117 16:56:40.788842 23620 forge_cloud_storage2.py:238] ERROR: Unable to upload input file: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: EfhaqFu0YNzL4wsw2BptqCoyXluTEIJc8sne1YN3z6Ki_HNtPwK_0w==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
Is there something that I am doing wrong?
I have an error when I try to embed a Stripe pricing table on a web page.
When I copy the code provided by Stripe during the creation of the pricing table and refresh the page, it gives me an unknown error. I used the HTML method to embed the pricing table.
Here is my code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>test</title>
</head>
<body>
<script async src="https://js.stripe.com/v3/pricing-table.js">
</script>
<stripe-pricing-table pricing-table-id="{{PRICING_TABLE_ID}}"
publishable-key="{{PUBLISHABLE_KEY}}">
</stripe-pricing-table>
</body>
</html>
Do you guys have any solution?
In order to test the pricing table in your local environment, you need to have a local HTTP server (e.g. Nginx, Apache).
The pricing table requires a website domain to render. You need to run a local HTTP server and host your website’s index.html file over the localhost domain.
More details can be found here [1].
[1] https://stripe.com/docs/payments/checkout/pricing-table#limitations:~:text=Testing%20the%20pricing,server%20npm%20module.
I am trying to download a webpage using Postman from:
https://cookidoo.co.uk/recipes/recipe/en-GB/r252593
but I get a response from server as shown below and error 403 is quoted:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD>
<BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
Bad request.
We can't connect to the server for this app or website at this time. There might be too much traffic or a
configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 4SL0NvJZt4eLt9GqQHw-RsgEJLVCpyY1n5zROPtiolExUJcup2J8Lw==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY>
</HTML>
I am not very familiar with postman or web technologies so any help would be gratefully received. I can download the page successfully in Safari. Am I missing some pertinent information in postman? Is it something to do with the website being a secure https site?
Some headers/cookies are missing.
To recreate a request from the browser in Postman, open the developer tools in the browser (press F12).
Go to the Network tab, right-click the request you want to rebuild in Postman (in this case it's r252593) and select Copy / Copy as cURL (bash).
In Postman, click the Import button, then select Raw text. Paste your clipboard (it contains the cURL copied in the browser) and click Continue.
This request in Postman returns the HTML of the page, it also has the same http status code (260) as the copied request in the browser:
I deleted a body that I was passing by mistake from another collection.
I have a bare bones html page created for testing sharing via twitter. When I test this out in twitter card validator it says:
INFO: Page fetched successfully
WARN: No metatags found
Here is the complete webpage:
<!doctype html>
<html>
<head>
<meta content="text/html; charset=UTF-8" name="Content-Type">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Title for this page">
<meta name="twitter:description" content="115 character description">
<meta name="twitter:image" content="https://urlToAzure/thatends/withjpgfilename.jpg">
<title>Page Title</title>
</head>
<body bgcolor="#CCCCCC">
<div id="allContentInBody">
Test page.
</div>
</body>
</html>
Here is the public link of this webpage:
https://www.privatebox.com/casa/test.html
I've updated robots.txt to allow it all.
EDIT 2: I made some progress and have additional information.
My setup is a NGINX acting as reverse proxy to node.js for all traffic, no static pages.
I setup a static page that will be served by NGINX itself. And now Twitter card validator works. I see the image and other information in the card.
So the problem is that somehow when NGINX is forwarding the request to node.js - the page served seems to be failing twitter's card validation. In that it is not able to see the metatags.
I'm certain that NGINX is not stripping the meta tags, so there is something else that Twitter tries to do which my node server does not get to see and is thus failing.
Any advice on NGINX as reverse proxy with node.js and how to get twitter to work is appreciated.
I figured out the problem. It was on the node server; I was serving the file with
res.write(<contents>)
res.end().
I changed it to
res.send(<contents>)
and that fixed the issue. The metatags are now seen by twitter card validator and the image gets picked up too.
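The thread does not say which difference between res.write/res.end and res.send mattered. The most visible one is that Express's res.send sets a Content-Type (text/html for a string) and Content-Length, while a bare res.write/res.end sends the body with no Content-Type at all. As an added example (not from the thread), this check reproduces what a crawler needs from the proxied response, with the Content-Type requirement treated as an assumption; the two sample responses and the page HTML are constructed.

```javascript
// Added example: inspect a response the way a card crawler would.
// "headers" is assumed to be keyed by lower-case header name, as Node's
// http.IncomingMessage provides.
const PAGE_HTML = `<!doctype html><html><head>
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Title for this page">
</head><body>Test page.</body></html>`;   // constructed sample page

// What a bare res.write(html); res.end() produces: no Content-Type header.
const RAW_WRITE_RESPONSE = { statusCode: 200, headers: {}, body: PAGE_HTML };
// What Express's res.send(html) produces for a string body.
const SEND_RESPONSE = {
  statusCode: 200,
  headers: {
    'content-type': 'text/html; charset=utf-8',
    'content-length': String(Buffer.byteLength(PAGE_HTML)),
  },
  body: PAGE_HTML,
};

// Collect <meta name="..." content="..."> pairs from the HTML.
function extractMetaTags(html) {
  const tags = {};
  const re = /<meta\s+([^>]*?)\/?>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = /\bname\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const content = /\bcontent\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    if (name && content) tags[name[1].toLowerCase()] = content[1];
  }
  return tags;
}

// Returns the problems a crawler would hit plus the meta tags it could read.
function inspectCardResponse(response) {
  const problems = [];
  if (response.statusCode !== 200) problems.push(`status ${response.statusCode}`);
  const ctype = response.headers['content-type'] || '';
  if (!/^text\/html\b/i.test(ctype)) problems.push(`content-type "${ctype}" is not text/html`);
  const meta = extractMetaTags(response.body);
  for (const required of ['twitter:card', 'twitter:title']) {
    if (!(required in meta)) problems.push(`missing <meta name="${required}">`);
  }
  return { problems, meta };
}
```

Run the same check against a real response from the NGINX side (curl -i) and from the node port directly to see which hop drops the header.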
I wrote a simple file server in NodeJS to serve an HTML page with a Save To Drive button. The HTML page is served at my_address:1337 and the file to be saved is served at my_address:1338. Upon clicking the Save To Drive button, it shows "Starting Download" for a long time, then displays "Failed Download. XHR Error."
I thought this was due to the fact that the file was being served from a different port so I decided to do the same with an appengine app. Page served at http://sayodrive.appspot.com/index.html and file served at http://sayodrive.appspot.com/drivefile.jsp, I got the same problem.
Then I decided to do a local Java web application: same problem. Then I tried changing the content disposition to attachment (to force a download), but that didn't work either.
Frustrated, I started Googling and came across this page that claims the Save To Drive button doesn't actually work.
So I went back to the official Google Drive SDK page and discovered that their example button doesn't work too. Is this a bad dream?
SOURCE: index.html
<html>
<head>
<title>Test: Save To Drive</title>
<link rel="canonical" href="http://sayodrive.appspot.com">
<script src="https://apis.google.com/js/plusone.js"></script>
</head>
<body>
<p>This must be the worst HTML you have ever seen :)</p>
<!-- data-src must be one absolute URL; "//http://..." is a malformed scheme -->
<div class="g-savetodrive"
data-src="http://sayodrive.appspot.com/drivefile.jsp"
data-filename="Test Drive"
data-sitename="Sayo Saves">
</div>
</body>
</html>
SOURCE: drivefile.jsp
<%@ page language="java" contentType="text/plain; charset=UTF-8" pageEncoding="UTF-8" %><%
    // The button fetches this URL and stores the response body as the file,
    // so the page emits only the plain text: no HTML wrapper, and the content
    // type is set in the directive (setContentType after output has started
    // has no effect once the response is committed). Write through the JSP's
    // own "out" writer rather than a second writer from response.getWriter().
    out.write("If you're reading this in Drive, congrats!");
    out.flush();
%>
The original sample was not working because the Cache-Control header was not being exposed by the server. This is now fixed.
Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
More in the documentation.
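For the server side of that answer, here is an added example (not from the answer or from Google's documentation) of a Node endpoint for the file that sends the Access-Control-Expose-Headers value above, echoing an allowlisted Origin instead of a wildcard and answering the preflight. The allowed origin, the file body and the port in the comment are assumptions.

```javascript
// Added example: CORS handling for the file the Save To Drive button fetches.
const ALLOWED_ORIGINS = new Set(['https://sayodrive.appspot.com']);  // assumed page origin
const FILE_BODY = "If you're reading this in Drive, congrats!";       // assumed file contents

// Pure function so it can be exercised without opening a socket:
// takes the request method and Origin header, returns status, headers and body.
function driveFileResponse(method, origin) {
  const headers = {
    'Content-Type': 'text/plain; charset=utf-8',
    'Cache-Control': 'no-cache',
    'Vary': 'Origin',   // responses differ per origin, so caches must key on it
  };
  if (origin !== undefined) {
    // Cross-origin request: only allowlisted origins get CORS headers.
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, body: '' };
    headers['Access-Control-Allow-Origin'] = origin;   // echo the allowlisted origin, never "*"
    headers['Access-Control-Allow-Methods'] = 'GET, HEAD, OPTIONS';
    // The header the answer names: without it the client script cannot read these.
    headers['Access-Control-Expose-Headers'] = 'Cache-Control, Content-Encoding, Content-Range';
  }
  if (method === 'OPTIONS') return { status: 204, headers, body: '' };   // preflight
  if (method !== 'GET' && method !== 'HEAD') return { status: 405, headers, body: '' };
  headers['Content-Length'] = String(Buffer.byteLength(FILE_BODY));
  return { status: 200, headers, body: method === 'HEAD' ? '' : FILE_BODY };
}

// Wire-up for a real server (not started here): http.createServer(requestListener).listen(1338)
function requestListener(req, res) {
  const r = driveFileResponse(req.method, req.headers.origin);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```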