Say I go to google.com and search for "Klaus Harmony". The first result is a Wikipedia page. If I open the network tab and click "preserve log", so that the requests won't be cleared upon navigation, I see 2 things:
A POST request, with the status (ping)
A GET request which carries the HTTP Referrer of "http://google.com"
My questions are:
What are they trying to accomplish here, especially with that strange first request?
How are they changing the HTTP Referrer?
I'd say it's to check if the site still works, or whether you should see the last crawled version of the page if the ping fails. Another thing might be for Google Analytics purposes.
If you search at google.com, google.com is your referrer, there is no need to change anything. You can modify it to omit the ?Q=== part by a proper meta tag; you can read about it here: http://wiki.whatwg.org/wiki/Meta_referrer
I am a total newb to APIs and JSON so this might be basic, but I couldn't find a solution by googling.
I want to change e-shop order status via API by clicking a hyperlink in an e-mail.
I activated an API and managed to change the order status in Postman with the following command:
PUT {url}/api/v2/orders HTTP/1.1
Content-Type: application/json
Authorization: Basic {abcdefgh}

{
  "orders": [
    {
      "order_number": "00001",
      "status_id": "16"
    }
  ]
}
Is there a way how to run this command by simply clicking a hyperlink?
And should I be concerned about security since the authorisation is hardcoded there?
Cheers!
Email clients, for safety reasons, do not support the execution of scripts or anything else other than a GET request, and this would require the use of JavaScript/jQuery to build up a payload and call the API with said payload.
You will need to take the client to a secure page to sign in and manage their order.
The hyperlink can perhaps take them to a sign-in page or register page.
Token authorization might work with email being the verification taking the user to a page to see their orders. But again, you won't be sure an authorized person opens the email.
Regarding hard coding any type of authorization, that is a big no.
Since clicking a hyperlink in an email is the same as typing out the address in the browser bar, you can't make POST requests through it. One way of doing what you want is to generate a one-time-use token and simply put it in the URL. When the user clicks the hyperlink, the GET request to the server will contain the token, which can be used for validation.
Is there a way how to run this command by simply clicking a hyperlink?
Not in general, no. Clicking on a link in an e-mail issues a GET request, which can't contain a body. That is: your "orders" JSON won't be included. It also won't know to include the Authorization header.
As far as I know, no common e-mail clients allow you to issue PUT or POST requests.
So: could you encode the request in the URL, and use a GET request instead? Absolutely you could. Don't do this.
There are several reasons for this. The most important is the one you mention:
And should I be concerned about security since the authorisation is hardcoded there?
Hardcoding authorization is a bad idea in general, but particularly in an email: (1) you can't guarantee that an email is encrypted, which exposes the credentials to anyone who can capture the message; (2) if you forward the email to me, I now have your credentials.
Moreover, if you include the authorization in the URL, that's now in the user's browser history, and if they share the link with anyone ("hey, look at this deal on paperclips!"...), well: same as above.
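The one-time-token scheme the answers above describe, as an added example (not code from any of the posts): the e-mail link carries only a random, expiring, single-use token; the server consumes it on the GET and then performs the authenticated PUT itself, so the Basic credentials never leave the server. The class and function names are assumed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

class ActionTokenStore:
    """Server-side store of single-use, expiring tokens (assumed class, not from the question)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 3600):
        self._secret = secret
        self._ttl = ttl_seconds
        # token hash -> (order_number, status_id, expires_at); only hashes are stored,
        # so a leaked table does not yield usable links.
        self._pending = {}

    def _hash(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, order_number: str, status_id: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # unguessable, 256 bits of randomness
        self._pending[self._hash(token)] = (order_number, status_id, now + self._ttl)
        return token

    def redeem(self, token: str, now=None):
        """Return (order_number, status_id) once; None if unknown, already used or expired."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._hash(token), None)   # pop => single use
        if entry is None:
            return None
        order_number, status_id, expires_at = entry
        return None if now > expires_at else (order_number, status_id)

def build_action_link(base_url: str, token: str) -> str:
    """The link to embed in the e-mail; it carries only the token, never credentials."""
    return f"{base_url}/orders/confirm?token={token}"

def handle_confirm(store: ActionTokenStore, url: str, now=None):
    """What the server does on the GET the e-mail link produces: validate and consume the token.
    On success the server itself issues the authenticated PUT to /api/v2/orders, so the
    Basic credentials stay on the server and never appear in the mail or the URL."""
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    if not token:
        return None
    return store.redeem(token, now)
```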
I am struggling to understand how our local gov website functions. Specifically the URL https://self.maidstone.gov.uk/service/check_your_bin_day
Beginning to enter a postcode (not mine) such as 'ME15 7HQ' and without submitting the form, a list of addresses is available.
Selecting an address and then selecting 'black bin and food', the website will return a result of 'Your collection date will be FRI 30/07/2021'. Again without submitting the form.
Running OWASP's ZAP, I can see that data is being submitted and returned as JSON. The data begins to be submitted as soon as the postcode is being entered.
I'm obviously an amateur but have never seen a site like this. The purpose of my request to Stack Overflow is that I would like (either via curl or an HTTP request) to be able to submit a postcode and address, and then receive the relevant bin days.
Is this possible? If so any pointers please?
This website uses JavaScript and HTTP requests to dynamically load data.
For viewing those requests, open devtools > Network tab, and click on the XHR button:
Afterwards, try to write the postcode into the form. For me, it made a request to the runLookup URL. When you click the Preview tab, you can see the JSON you were mentioning. In this case, the street addresses (which are then added to the next input on the website) are under integration > transformed > rows_data.
The devtools have one amazing feature, that will convert the HTTP request to cURL command, you can do it by right-clicking on the request, Copy > Copy as cURL command:
This way, you can make the whole process work, although, from seeing the whole complexity of their API, I don't think it will be that easy, because you would probably need to preserve cookies and generally follow some sequence of requests to get the result (but this doesn't need to be true, it's just my observation).
When I go to this URL in Firefox Developer https://itunes.apple.com/search?term=mozart, it asks me if I want to download a file called 1.txt containing the results in JSON, but I want to see them directly on my browser.
That may be because the iTunes API doesn't have the content-type: application/json header in its responses (the header is content-type: text/javascript; charset=utf-8), but I cannot find another simple API that doesn't require authentication to teach someone how REST APIs work (Twitter, Facebook, Google Maps all require a token). I don't want to use Postman or something like that, it would only confuse this person.
So I seek help here, either to see the iTunes responses directly in my browser, or to find another API where there isn't this problem.
Thank you for your help.
Type about:config on your address bar
Search for 'devtools.jsonview.enabled'
If the status is not default, right click on the line and select 'Toggle'
After that the JSON should start appearing on the page.
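For the other half of the question (an unauthenticated API to teach with), an added example that is not from the post: a local search endpoint that answers ?term= queries with a correct application/json Content-Type, which is exactly the header the browser's JSON viewer keys on. The catalogue data is constructed; it is not iTunes data.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit
from urllib.request import urlopen

# Constructed stand-in data; nothing here comes from the real iTunes Search API.
CATALOGUE = [
    {"artist": "Mozart", "title": "Requiem"},
    {"artist": "Mozart", "title": "Symphony No. 40"},
    {"artist": "Bach", "title": "Goldberg Variations"},
]

def search(term):
    """Case-insensitive match on artist or title, mirroring a ?term= query."""
    term = term.lower()
    return [t for t in CATALOGUE if term in t["artist"].lower() or term in t["title"].lower()]

class SearchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != "/search":
            self.send_error(404)
            return
        term = parse_qs(parts.query).get("term", [""])[0]
        results = search(term)
        body = json.dumps({"resultCount": len(results), "results": results}).encode("utf-8")
        self.send_response(200)
        # application/json is what the browser's JSON viewer keys on; a response labelled
        # text/javascript (as iTunes sends) is offered as a download instead.
        self.send_header("Content-Type", "application/json; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

def serve(port=0):
    """Start the API on localhost in a background thread; port 0 picks a free port."""
    srv = HTTPServer(("127.0.0.1", port), SearchHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(url):
    """Client side: return (Content-Type header, decoded JSON) for a GET."""
    with urlopen(url) as resp:
        return resp.headers.get("Content-Type"), json.loads(resp.read().decode("utf-8"))
```

Start it with serve(8000) and open http://127.0.0.1:8000/search?term=mozart in Firefox; the JSON viewer renders it instead of offering a download.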
I am running a website with affiliate links.
When the visitors of mydomain.com/page.php click on such an affiliate link,
they are being sent to a link on a domain owned by the affiliate network (network.com/link), and then redirected through the affiliate network to the relevant page in the store (store.com/page.asp).
Over the last two months, the reports of the affiliate network indicate that about 13,000 clicks that I sent to such links, carried mydomain.com/page.php as the referring URL, as I would expect.
However, about 20 other clicks carried abnormal referring URLs, such as:
http://app.mam.vaccint.com/getapp/CT3297962/mam.html
http://www.store.com/page.asp
http://www.network.com/link
http://apnwidgets.ask.com/widget/everest/radio/4/radio-button.html
http://search.yahoo.com/search
http://www.google.com/webhp
http://www.bing.com/
http://192.168.1.1/spyware/blockpage
Unfortunately, this has led the compliance team of my affiliate network to believe that I have a hidden traffic source apart from my website. They claim that it appears as if I am using some kind of third-party software to send traffic to store.com, which is of course not true.
They are holding me accountable for this situation and I am required to provide explanations to this situation.
What could have caused my website visitors to arrive at network.com / store.com while carrying the above referring URLs?
Not sure though, but looking at the referring URLs, it's quite certain that these pages had your content listed on their webpages. Like:
e.g. google.com/webhp - listing the result content / cache / image result of your webpage
Bing.com - another result related webpage (generally web cache)
192.168.1.1/spyware/blockpage - looks like someone accessed your portal but ended up reaching this firewall custom page. But somehow the affiliate widget got loaded as it would have been permitted by the firewall.
store.com/page.asp and network.com/link - look like some internal redirected URLs which sent traffic to the relevant page (store.com/page.asp)
(rest other) - all other links also can have a similar story which ended up sending traffic to your affiliate network, but had another URL.
I'm sure if you replicate this case in front of them via Google cache / Bing cache, they would get a better understanding of the issue.
Else, try to identify the source referrer of page: network.com/link, which probably is under their control and they would have access to the logs.
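To show the compliance team the breakdown the answer above walks through, here is an added example (not code from the question or the answer) that buckets each Referer value into the categories discussed: expected, private-IP block pages, the network's and store's own hops, search engines and caches, and unexplained third parties. The domain names come from the question; the search-engine label list and the log format are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Names taken from the question; SEARCH_LABELS is a constructed list of hostname labels.
SITE, NETWORK, STORE = "mydomain.com", "network.com", "store.com"
SEARCH_LABELS = {"google", "bing", "yahoo", "ask"}

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def classify_referrer(ref):
    """Bucket one Referer value so the unexpected ones can be explained individually."""
    host = (urlsplit(ref).hostname or "").lower()
    if not host:
        return "missing"
    if _under(host, SITE):
        return "expected"
    try:
        if ipaddress.ip_address(host).is_private:
            return "private-ip"        # e.g. a firewall or filter block page on a LAN
    except ValueError:
        pass                           # not an IP literal, carry on with name checks
    if _under(host, NETWORK):
        return "network-internal"      # the network's own redirect hop
    if _under(host, STORE):
        return "store-internal"        # already on the merchant, e.g. reload or back-navigation
    if SEARCH_LABELS & set(host.split(".")):
        return "search-engine"         # cached copy, widget or search result page
    return "unknown-third-party"       # needs a closer look: toolbar, proxy, injected page

# Constructed sample log, one click per line: "<timestamp> <referrer>".
SAMPLE_LOG = """\
2021-07-01T10:00:00Z http://mydomain.com/page.php
2021-07-01T10:05:00Z http://mydomain.com/page.php
2021-07-01T10:07:00Z http://192.168.1.1/spyware/blockpage
2021-07-01T10:09:00Z http://www.google.com/webhp
2021-07-01T10:12:00Z http://mydomain.com/page.php
2021-07-01T10:15:00Z http://app.mam.vaccint.com/getapp/CT3297962/mam.html
"""

def summarize(log_text):
    """Count clicks per referrer class; anything other than 'expected' is worth explaining."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            _, ref = line.split(None, 1)
            counts[classify_referrer(ref.strip())] += 1
    return counts
```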
I am trying to add the tab to a page I am admin of.
I use the url to do that -
http://www.facebook.com/dialog/pagetab?app_id=&next=.
Facebook shows a list of all the pages I am admin of. And that drop down has no specific sorting order.
Now my problem is - I have multiple pages with the same page name. They of course have different URLs. I tried changing the names of the pages, but due to the high number of likes I can't change the names.
The only option I am left with is hit and trial. And I have to do it for more than 30 apps.
So you understand my pain point.
Please advise any alternative.
Thanks
Pankaj
I would recommend writing down the page ids and making some sort of system for yourself to remember (perhaps only the last few digits) which page is which.
In any case, there is a way for you to add a tab application directly to a page without ever seeing that "Add Page Tab" dialog. You can do it all through the API. This means you'll need your pages access token so head on over to the Graph API Explorer, make sure you click the "get access token" button and mark the manage_pages permission.
You need to query /me/accounts to get a list of all the pages you administer.
You'll see a list with the page id, name, category... I hope you will be able to identify your page more easily here. Once you have, you'll need to get the access_token for that page. Keep a record of it - we'll need it in a few minutes. You'll also need the page id.
Modify the following URL to include the parameters we got previously -
https://graph.facebook.com/PAGE_ID/tabs?app_id=TAB_APP_ID&method=post&access_token=PAGE_ACCESS_TOKEN
Navigate to that URL and if all goes well, you'll get a simple true message indicating that the action was successful.
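An added example (not the answer's code) of the two steps above: pick the right page out of the /me/accounts list by id and category when names collide, then send the add-tab call as a real POST with the page access token in the request body rather than in the URL, where it would land in browser history and proxy logs. The /me/accounts payload is a constructed stand-in using the field names the answer mentions; carrying parameters in the form-encoded POST body is assumed to be accepted by the Graph API.

```python
from urllib.parse import urlencode
from urllib.request import Request

GRAPH = "https://graph.facebook.com"

# Constructed stand-in for the JSON /me/accounts returns (field names as in the answer).
ME_ACCOUNTS = {"data": [
    {"id": "111", "name": "Acme Shop", "category": "Retail", "access_token": "PAGE_TOKEN_111"},
    {"id": "222", "name": "Acme Shop", "category": "Community", "access_token": "PAGE_TOKEN_222"},
    {"id": "333", "name": "Acme Blog", "category": "Website", "access_token": "PAGE_TOKEN_333"},
]}

def pages_named(accounts, name):
    """All pages with a given display name; id and category tell the duplicates apart."""
    return [(p["id"], p["category"]) for p in accounts["data"] if p["name"] == name]

def page_token(accounts, page_id):
    """The page-scoped access token that /PAGE_ID/tabs must be called with."""
    for p in accounts["data"]:
        if p["id"] == page_id:
            return p["access_token"]
    raise KeyError(f"no administered page with id {page_id}")

def build_add_tab_request(page_id, app_id, token):
    """Same operation as the answer's URL, but as a POST with the token in the body,
    so it stays out of browser history, shared links and proxy access logs."""
    data = urlencode({"app_id": app_id, "access_token": token}).encode("utf-8")
    return Request(f"{GRAPH}/{page_id}/tabs", data=data, method="POST")
```

Send the returned Request with urllib.request.urlopen; the answer notes a successful call returns a simple true.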