I have a simple HTML form in a ColdFusion application. Here is the code:
<form id="form1" name="form1" method="post" action="myAngularApp/#/myapp/new">
<input name="data" type="hidden" id="hiddenField" value="<cfoutput>#form.data#</cfoutput>" />
</form>
<script> document.form1.submit(); </script>
The URL in 'action' points to a different server that hosts an Angular app (running on Node.js). Also, I use the full path including http (removed above for brevity) in the URL. When I click submit, it goes to the other site but shows a 'Cannot POST /' message. If I access the same link directly in a new browser window, the page loads fine. If I replace POST with the GET method, then the destination page loads but immediately redirects the user to the login page for authentication, and when the user comes back, the posted data (available as a query string) is lost. The Angular app is a hybrid app (Angular versions 4.4 and 1.6; Node version 9.x). How do I make POST work? I am not using Express. Most of the links I found while searching online show Express examples, but I don't use Express. Do I need to use ngRoute? Since it's a hybrid app, I am not sure whether to use angular-route (ngRoute) or angular-router. If the destination page loads directly in the browser, why doesn't it load when redirected from the other server?
I have a web application on which we currently implement XSRF protection.
From what I gather, XSRF attacks work this way:
the attacker finds out how the client communicates with the server of the web application, i.e. how its HTTP requests are formatted
the attacker rewrites (forges) an HTTP request that would order the server to do what the attacker wants
all the attacker now lacks is authentication on the server
the attacker tricks people into loading a web page that sends his forged request. Out of the people who get tricked, those who happen to be currently logged in to the application will unwillingly provide the forged request with the credentials it needs to be executed by the server.
To test our website, I looked at the POST HTTP requests the client sends to the server to give it orders (using F12 in Internet Explorer), and forged one myself.
It looks like this:
https://mywebsite/Camp.aspx?
EventTarget=SaveButton
&TargetField=I+am+the+king+of+the+world
First line is the URL seen in the browser (minus the "?"), second line is the action to be executed by the server, 3rd line is the field I want to update.
Then I logged on the website and tested my forged request in 2 ways:
A) I simply open a new tab in the browser, paste the forged URL above and press Enter
(tested with IE and Chrome)
B) I open in another tab a page with content:
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<form method="post" action="https://mywebsite/Camp.aspx">
<input type="hidden" name="EventTarget" value="SaveButton">
<input type="hidden" name="TargetField" value="I+am+the+king+of+the+world">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
(tested with methods GET and POST)
I would expect both tests to be identical, but to my surprise:
test A opens the target page on the website and actually updates the target field
test B opens the target page on the website but does not update the target field
I have 2 questions:
Why do test A and test B bring different results?
Test B is definitely a valid CSRF attack test (even though an attacker would rather perform the action without opening the page); is test A also valid?
Thanks!
Solved the Problem myself.
I had obviously posted a simplified version of the request. The real request contained characters that need to be URL-encoded. Here it was the character "$", which is encoded in a URL as "%24".
So if the direct URL is
https://mywebsite/Camp.aspx?
EventTarget=abc%24def
then the corresponding HTML form should be
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<form method="post" action="https://mywebsite/Camp.aspx">
<input type="hidden" name="EventTarget" value="abc$def">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
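The mechanism behind this answer, as an added example that is not part of the original question or answer: a browser percent-encodes every field itself when it submits an `application/x-www-form-urlencoded` form, so a value that is already encoded in the hidden input (`abc%24def`, or `I+am+the+king+of+the+world` with literal plus signs) gets encoded a second time and arrives at the server as `abc%2524def` and `I%2Bam%2B...`. The script below uses the page's own sample URL; `fieldsFromCapturedUrl`, `encodedFormBody`, `escapeHtml` and `pocForm` are names chosen for this example. `URLSearchParams` implements the same serializer browsers use for form bodies, so its output is what the server receives in each case. Note that test A above succeeded because the application accepted the state-changing request as a plain GET, which is itself a CSRF vector (an `<img src>` or a link is enough); a proof-of-concept form is only needed when the server insists on POST.

```javascript
// Added example (not from the original question or answer): why the
// proof-of-concept form must carry the *decoded* field value.
// A browser URL-encodes every field itself when it submits an
// application/x-www-form-urlencoded form; URLSearchParams uses the same
// serializer, so it shows exactly what the server will receive.

// Split a captured request URL (as seen in the browser or devtools) into
// the form action and the decoded values that belong in <input value="...">.
function fieldsFromCapturedUrl(capturedUrl) {
  const url = new URL(capturedUrl);
  const fields = {};
  for (const [name, value] of url.searchParams) {
    fields[name] = value; // percent-decoding and '+' -> space already applied
  }
  return { action: url.origin + url.pathname, fields };
}

// The POST body a browser sends for hidden inputs holding `fields`.
function encodedFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// HTML-escape a value before placing it in an attribute, so a decoded value
// containing & " < > cannot break out of the hidden input.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Generate a self-submitting PoC page (the same shape as test B above)
// from a captured GET URL.
function pocForm(capturedUrl) {
  const { action, fields } = fieldsFromCapturedUrl(capturedUrl);
  const inputs = Object.entries(fields)
    .map(([n, v]) => `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    `<form method="post" action="${escapeHtml(action)}">`,
    inputs,
    '</form>',
    '<script>document.forms[0].submit();</script>',
  ].join('\n');
}

// Sample URL from the page. Wrong (already-encoded values in the form) versus
// right (decoded values): the first double-encodes '$' to %2524 and '+' to
// %2B, which is why test B did not update the field.
const captured = 'https://mywebsite/Camp.aspx?EventTarget=abc%24def&TargetField=I+am+the+king+of+the+world';
console.log(encodedFormBody({ EventTarget: 'abc%24def', TargetField: 'I+am+the+king+of+the+world' }));
// EventTarget=abc%2524def&TargetField=I%2Bam%2Bthe%2Bking%2Bof%2Bthe%2Bworld
console.log(encodedFormBody(fieldsFromCapturedUrl(captured).fields));
// EventTarget=abc%24def&TargetField=I+am+the+king+of+the+world
console.log(pocForm(captured));
```

Run it with Node (`node poc.js`); the third line of output is the PoC page to save as an HTML file. The same `fieldsFromCapturedUrl` step applies to a captured POST body: paste the body after a `?` on any URL and the decoded values fall out.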
I am building a UWP store app using TypeScript and WinJS. As per requirements we need to load a remote web page in our app, and that page requires some form parameters which cannot be passed in the query string because of its size limitation. So we decided to use an IFrame, which allows receiving form post data. For this I have added the remote web page URI to the ApplicationContentUriRules section of the package manifest.
But I get the error below while performing the form post action.
APPHOST9625: Unable to navigate to: 'https://www.mytestweb.com/'. An
iframe attempted to navigate to a URI that is not included in the
ApplicationContentUriRules for this app. Use a x-ms-webview element to
view the URI instead, or add the URI to the ApplicationContentUriRules
section of the package manifest so that the iframe can navigate to it.
(In Visual Studio, add this URI to the Content URIs tab of the
Manifest Designer.)
Am I missing anything or doing something wrong? I need help to resolve this.
Below is my sample code:
<form id="my-form" action="https://www.mytestweb.com/operations" method='post' target="my-iframe">
<div class="col">
<div class="row">
<input type="hidden" name="token" value="largeTokenString" />
</div>
<div class="row">
<input type="hidden" name="transaction" value="serializedTransactionData" />
</div>
<div class="buttonContainer">
<button type="submit" data-bind="click: postFromData">Post</button>
</div>
</div>
</form>
<iframe id="my-iframe" name="my-iframe" src="about:blank"></iframe>
When I submit with the form's post button, the remote URL loads with the form data; without form data my remote URL is not loaded.
I was able to resolve my issue. One of my team members asked me how I knew my app was referring to the updated app manifest. I didn't know where to find this.
So I uninstalled my app from the computer, cleared the app's data by searching for the app name under AppData and deleting it, created a new app package using the msbuild command and installed the new app. Now my app is able to load the remote URL successfully in the IFrame.
Can someone please tell me what happens behind the scenes in the following case (i.e. explain the whole technical process)?
<form method="get" action="#">
<input type="text" name="d" value="flowers">
<button type="submit">send</button>
</form>
In this case, after one clicks on "send", a new web page opens saying: "You have searched for "flowers"" and an image of some flowers below.
In the browser tab, right after the URL of the newly opened page, there is "/?s=flowers". What is that?
Thank you in advance for your answers!
When you click Send, the data specified by the form's fields and values is passed to the server via HTTP.
The /?s=flowers is the GET data being passed back to the server. Although, based on the form code you've provided, the "name" of that value is d, so the URL would actually have /?d=flowers.
The PHP or other server-side language then handles that information to do specific tasks. It can access the info using the name "d". This method of sending data is called GET; there are also other ways of doing this. The most common, POST, does not display the data in the URL and sends the data through HTTP headers.
The code you've shown has an action of "#", which means the HTTP request is being sent to the same page, meaning this page's code would have some PHP located in it. This can also be done by using a separate file, such as action='send.php'.
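What the two transports look like on the wire, as an added example that is not part of the original question or answer. The two raw HTTP requests are constructed by hand for the `<input name="d">` form on this page (the `Host` value `example.test` is made up); `parseFormRequest` and `searchMessage` are names chosen here. The parser pulls the field out of the query string for GET and out of the body for POST. One correction to the answer above is visible in the POST request: the form data travels in the body after the blank line, not in the headers; the headers only announce its type and length.

```javascript
// Added example (not from the original answer): how the same form field
// reaches the server in a GET versus a POST request. Both raw requests are
// constructed by hand to match the <form> with <input name="d"> above.
const GET_REQUEST =
  'GET /?d=flowers HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  '\r\n';

const POST_REQUEST =
  'POST / HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n' +
  'Content-Length: 9\r\n' +
  '\r\n' +
  'd=flowers';

// Minimal parser for one HTTP/1.1 request: returns method, path, headers and
// the form fields, taken from the query string for GET and from the body for
// POST. Anything it does not understand is reported rather than guessed.
function parseFormRequest(raw) {
  const headerEnd = raw.indexOf('\r\n\r\n');
  if (headerEnd === -1) throw new Error('malformed request: no header terminator');
  const head = raw.slice(0, headerEnd).split('\r\n');
  const body = raw.slice(headerEnd + 4);
  const [method, target] = head[0].split(' ');
  const headers = {};
  for (const line of head.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) throw new Error(`malformed header line: ${line}`);
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const qIndex = target.indexOf('?');
  const path = qIndex === -1 ? target : target.slice(0, qIndex);
  let fields;
  if (method === 'GET') {
    // Data rides in the request target: visible in the address bar, browser
    // history, server logs and the Referer header of the next request.
    fields = Object.fromEntries(new URLSearchParams(qIndex === -1 ? '' : target.slice(qIndex + 1)));
  } else if (method === 'POST') {
    // Data rides in the body after the blank line; the headers only describe it.
    const ctype = (headers['content-type'] || '').split(';')[0].trim();
    if (ctype !== 'application/x-www-form-urlencoded') {
      throw new Error(`unsupported content type: ${ctype || '(none)'}`);
    }
    const declared = Number(headers['content-length']);
    if (!Number.isInteger(declared) || declared !== Buffer.byteLength(body)) {
      throw new Error('Content-Length does not match body');
    }
    fields = Object.fromEntries(new URLSearchParams(body));
  } else {
    throw new Error(`unsupported method: ${method}`);
  }
  return { method, path, headers, fields };
}

// The message the page above renders. The value is user-controlled, so it is
// HTML-escaped before being echoed back.
function searchMessage(fields) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  const term = String(fields.d ?? '').replace(/[&<>"]/g, (c) => map[c]);
  return `You have searched for "${term}"`;
}

console.log(searchMessage(parseFormRequest(GET_REQUEST).fields));
console.log(searchMessage(parseFormRequest(POST_REQUEST).fields));
```

Both calls print the same message, which is the point: the server-side handler sees `d=flowers` either way; only where the browser put it in the request differs.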
I have used template/login.html for logging in. After a successful login, how do I redirect from the login.html page to the chatwindow.html page (some other HTML) in the Django framework?
So, do I need to redirect from the views.py file or from login.html?
Any help highly appreciated.
Django implements multiple ways to do this:
1. LOGIN_REDIRECT_URL
This is a global setting in your settings.py. It works for all login pages when the next= parameter is not specified in the login URL (e.g. example.com/login?next=/foo).
2. Use next parameter in the login URL
This is usually used to customize the login redirect for individual cases.
The common use case is when you use the @login_required decorator. When a user tries to access a page which requires authentication, the user is redirected to the login page with a next= parameter pointing to the current page. For example, if the user went to /secure/page, then the login page will be something like /login?next=/secure/page. After the user successfully authenticates, Django will redirect them back to the protected page.
3. Use the hidden input next on the login page
Finally you can set the redirect path in the login form itself:
<form method="POST" ...>
<input type="hidden" name="next" value="/secure/page">
...
</form>
I would guess that the first method might be the most appropriate in your case; however, keep in mind the other options if you need them.
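The decision the three options above describe, with the check a practitioner should not skip, as an added example in JavaScript that is not Django's code: `next` arrives from the query string or from a hidden input, so it is user-controlled, and Django's `LoginView` only follows it after `url_has_allowed_host_and_scheme` accepts it, falling back to `LOGIN_REDIRECT_URL` otherwise. `isSafeNext` is a reimplementation of that check; `chooseRedirect` mirrors the order in which `LoginView` reads the value (POST first, then GET). The origin `login.example.test`, the host `accounts.example.test` and the path `/chatwindow/` are assumptions for the example.

```javascript
// Added example, not Django's code: the redirect decision Django's LoginView
// makes for the user-supplied `next` value, with the safety check that keeps
// the login page from becoming an open redirect. Hosts and paths are assumed.

const LOGIN_ORIGIN = 'https://login.example.test'; // origin the login page is served from (assumed)
const LOGIN_REDIRECT_URL = '/chatwindow/';          // stands in for settings.LOGIN_REDIRECT_URL

// Accept `next` only if it is a same-origin path or points at an explicitly
// allowed host over http(s). Other hosts, protocol-relative //evil.test,
// javascript: URLs and backslash tricks are all rejected.
function isSafeNext(next, allowedHosts = [], requireHttps = true) {
  if (typeof next !== 'string' || next.length === 0) return false;
  // Control characters and backslashes: browsers normalise '\' to '/', so
  // '/\evil.test' would become '//evil.test' on the client side.
  if (/[\u0000-\u001f\u007f\\]/.test(next)) return false;
  let url;
  try {
    url = new URL(next, LOGIN_ORIGIN); // relative paths resolve against our own origin
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (requireHttps && url.protocol !== 'https:') return false;
  const base = new URL(LOGIN_ORIGIN);
  return url.hostname === base.hostname || allowedHosts.includes(url.hostname);
}

// LoginView reads `next` from POST (the hidden input, option 3), otherwise
// from the query string (option 2), and falls back to LOGIN_REDIRECT_URL
// (option 1) when the value is missing or fails the check above.
function chooseRedirect(postNext, getNext, allowedHosts = []) {
  const candidate = postNext ?? getNext;
  return isSafeNext(candidate, allowedHosts) ? candidate : LOGIN_REDIRECT_URL;
}

console.log(chooseRedirect(undefined, '/secure/page'));   // /secure/page
console.log(chooseRedirect(undefined, '//evil.test/'));   // /chatwindow/
console.log(chooseRedirect('/secure/page', '/other'));    // /secure/page
```

If the app genuinely needs to send users to another host after login, add that host to the allow-list rather than loosening the check; that is what Django's `url_has_allowed_host_and_scheme(url, allowed_hosts, require_https)` parameters are for.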
I'm working on an app with PhoneGap. I did many GET requests for fetching JSON files and they work nicely, but when I try to do the same with a POST request, I get no callback and on the server I get error 400 (I don't even send anything to the server).
So I minimized my app and I included this in a plain HTML:
<form action="https://edge.suitepad.de:442/api/v1/8b17ec5acab7537b/orders/a4054d5fe4184431f55aca69cca9a7ef/purchase" method="post">
<input type="hidden" name="order" value='{"currency":"eur","order_items":[{"id":265,"quantity":5}]}' />
<input type="submit">
</form>
Does this work for you? Do you receive any callback having this form in an app with Phonegap?
Thank you.
Post requests work just fine from phonegap - the bad request error is something specific to your combination of data and server setup.
The html you show certainly won't fire a callback though - as soon as you click submit, it is loading a page from the server and the phonegap page containing the callback is gone.
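The point of the answer, as an added example that is not part of the original post: a `<form>` submit navigates the WebView to the server's response, so the page holding the callback is gone; issuing the same POST from script keeps the page alive and delivers a result (or the server's 400 and its body) to the caller. `buildPurchaseRequest` and `purchase` are names chosen here; they reuse the form's URL and `order` field and send the same `application/x-www-form-urlencoded` body the form would. `fetchImpl` is injectable so the code can be exercised offline against the constructed `fakeServer`; in the app it defaults to the WebView's `fetch`. One caveat that does not apply to a form submit: a script-initiated cross-origin POST is subject to CORS, so the API must allow the app's origin.

```javascript
// Added example, not from the original answer. A plain <form> submit replaces
// the page, so the callback is lost; issuing the same POST from script keeps
// the page (and the callback) alive. The URL and body mirror the form above.
const PURCHASE_URL =
  'https://edge.suitepad.de:442/api/v1/8b17ec5acab7537b/orders/a4054d5fe4184431f55aca69cca9a7ef/purchase';

// Same wire format as the form: one field named `order` holding the JSON,
// encoded as application/x-www-form-urlencoded.
function buildPurchaseRequest(order) {
  const body = new URLSearchParams({ order: JSON.stringify(order) }).toString();
  return {
    url: PURCHASE_URL,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    },
  };
}

// Send the request without leaving the page. `fetchImpl` is injectable so
// the function can be tested offline; in the app it is the WebView's fetch.
async function purchase(order, fetchImpl = globalThis.fetch) {
  const { url, init } = buildPurchaseRequest(order);
  const res = await fetchImpl(url, init);
  const text = await res.text();
  if (!res.ok) {
    // Surface the server's status and body instead of a silent "no callback".
    throw new Error(`purchase failed: HTTP ${res.status} ${text}`);
  }
  return text ? JSON.parse(text) : {};
}

// Constructed stand-in for the server, used for offline testing: accepts
// exactly one expected body and answers 400 to anything else.
function fakeServer(expectedBody) {
  return async (url, init) => {
    const ok = url === PURCHASE_URL && init.method === 'POST' && init.body === expectedBody;
    return {
      ok,
      status: ok ? 200 : 400,
      text: async () => (ok ? '{"status":"accepted"}' : 'bad request'),
    };
  };
}

// Usage with the order from the form above, against the fake server.
const sampleOrder = { currency: 'eur', order_items: [{ id: 265, quantity: 5 }] };
purchase(sampleOrder, fakeServer(buildPurchaseRequest(sampleOrder).init.body))
  .then((result) => console.log('callback fired:', result))
  .catch((err) => console.error(err.message));
```

When the real server answers 400, the thrown message carries its response body, which is usually the fastest way to find out which part of the posted `order` it rejected.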