I'm working in an app with Phonegap. I did many GET requests for getting JSON files and they work nicely, but when I try to do the same but with a POST request, I have no callback and in the server I get error 400 (I don't even send anything to the server).
So I minimized my app and I included this in a plain HTML:
<form action="https://edge.suitepad.de:442/api/v1/8b17ec5acab7537b/orders/a4054d5fe4184431f55aca69cca9a7ef/purchase" method="post">
<input type="hidden" name="order" value='{"currency":"eur","order_items":[{"id":265,"quantity":5}]}' />
<input type="submit">
</form>
Does this work for you? Do you receive any callback having this form in an app with Phonegap?
Thank you.
Post requests work just fine from phonegap - the bad request error is something specific to your combination of data and server setup.
The html you show certainly won't fire a callback though - as soon as you click submit, it is loading a page from the server and the phonegap page containing the callback is gone.
So I'm scraping a website (instacart.com) and it requires a zip code to determine what data it displays. I want to use Python requests to post an arbitrary zip code. The only problem is I don't know what url to post it to and whether it requires any other arguments like an authenticity token or a user cache key. The zip code is entered via a text box that looks like this:
<form data-radium="true">
<input id="postalcode-16749"
name="postal_code"
type="text"
aria-invalid="false"
aria-describedby=""
autocomplete="on"
placeholder=""
data-radium="true"
value="" style=(super long block of css stuff)>
</form>
and then posted via a button that looks like this:
<button type="submit"
data-radium="true"
style="touch-action: manipulation; (long block of more css)">
Continue
</button>
I don't know a lot about web programming, but I was taught in school that HTML forms would look more like this: <form action="/action_page.php" method="get"> and you could use the action attribute to find where it was posting to. Is there a way to use the developer console to find what I'm looking for? How can I post a zip code to this website with Python?
Edit: I did a little more digging and I found that the request payload is {"current_zip_code":"some_zip_code"}, and that it's actually not using POST, it's using PUT. There's still a problem though, the request url looks like this: https://www.instacart.com/v3/bundle?source=web&cache_key= and then there's a different code each time for the cache_key. How do I know what url to post to?
I'm posting this answer in case anyone tries to do a similar thing. I found the url the button posts to and its parameters by looking in the network tab of the developer console and clicking the button. Then I ran into the problem that the url it sends the PUT request to changes every time, always ending in a different cache_key.
The solution was to use a python module called seleniumwire to simulate a browser and then grab all the network traffic. From there I looped through it and found urls containing cache_key= and stored everything after that as a string. Then tacked that string to the end of this url: https://www.instacart.com/v3/bundle?source=web&cache_key= and went back to using requests.
Hope this helps someone!
I have a web application, on which we currently implement XSRF protection.
From what I gather, XSRF attacks work this way:
the attacker finds out how the client communicates with the server of the web application, i.e. how its HTTP requests are formatted
the attacker rewrites (forges) an HTTP request that would order the server to do what the attacker wants
all the attacker now lacks is authentication on the server
the attacker tricks people into loading a webpage that sends his forged request. Out of the people who get tricked, those who happen to be currently logged in to the application will unwillingly provide the forged request with the credentials it needs to be executed by the server.
To test our website, I looked at the POST HTTP requests the client sends to the server to give it orders (using F12 in Internet Explorer), and forged one myself.
It looks like this:
https://mywebsite/Camp.aspx?
EventTarget=SaveButton
&TargetField=I+am+the+king+of+the+world
First line is the URL seen in the browser (minus the "?"), second line is the action to be executed by the server, 3rd line is the field I want to update.
Then I logged on the website and tested my forged request in 2 ways:
A) I simply open a new tab in the browser, paste the forged URL above and click enter
(tested with IE and Chrome)
B) I open in another tab a page with content:
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<form method="post" action="https://mywebsite/Camp.aspx">
<input type="hidden" name="EventTarget" value="SaveButton">
<input type="hidden" name="TargetField" value="I+am+the+king+of+the+world">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
(tested with methods GET and POST)
I would expect both tests to be identical but to my surprise:
test A opens the target page on the website and actually updates the target field
test B opens the target page on the website but does not update the target field
I have 2 questions:
Why do test A and test B bring different results?
Test B definitely is a valid CSRF Attack Test (even though an attacker would rather want to do the action without opening the page), is Test A also valid?
Thanks!
Solved the Problem myself.
I had obviously posted a simplified version of the request. The real request contained signs that need to be URL-encoded. Here it was the sign "$", which encodes in URL as "%24".
So if the direct URL is
https://mywebsite/Camp.aspx?
EventTarget=abc%24def
then the corresponding HTML form should be
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<form method="post" action="https://mywebsite/Camp.aspx">
<input type="hidden" name="EventTarget" value="abc$def">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
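The encoding mismatch described in the answer above, shown as an added example that is not part of the original post. The captured string is constructed from the field names and values quoted in the thread, and the helper names are illustrative; the code compares the body a browser sends when the encoded text is pasted into value="..." with the body it sends when the decoded values are used.

```javascript
// Added example: a test form must carry DECODED values, because the browser
// URL-encodes every field again when it submits the form.

// Decode a captured query string / POST body into the name/value pairs
// that belong in <input name="..." value="...">.
function queryToFormFields(query) {
  return [...new URLSearchParams(query)].map(([name, value]) => ({ name, value }));
}

// The application/x-www-form-urlencoded body a browser sends for these fields.
function formBody(fields) {
  const params = new URLSearchParams();
  for (const { name, value } of fields) params.append(name, value);
  return params.toString();
}

// Escape a decoded value for use inside a double-quoted HTML attribute.
function escapeAttr(text) {
  return text.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
             .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function hiddenInputs(fields) {
  return fields
    .map(f => `<input type="hidden" name="${escapeAttr(f.name)}" value="${escapeAttr(f.value)}">`)
    .join("\n");
}

// True when the form reproduces the captured request exactly.
function reproducesCapturedRequest(captured, fields) {
  return formBody(fields) === formBody(queryToFormFields(captured));
}

// Constructed sample, combining the two fields quoted in the thread.
const captured = "EventTarget=abc%24def&TargetField=I+am+the+king+of+the+world";

// Mistake from the question: the encoded text copied verbatim into value="...".
const pasted = captured.split("&").map(pair => {
  const i = pair.indexOf("=");
  return { name: pair.slice(0, i), value: pair.slice(i + 1) };
});

console.log(formBody(pasted));                            // double-encoded body
console.log(formBody(queryToFormFields(captured)));       // same as captured
console.log(hiddenInputs(queryToFormFields(captured)));   // inputs to put in the form
console.log(reproducesCapturedRequest(captured, pasted)); // false
```

A test form that fails this comparison says nothing about whether the XSRF protection works, because the server never received the request that was captured.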
I have a simple html form in a coldfusion application. Here is the code:
<form id="form1" name="form1" method="post" action="myAngularApp/#/myapp/new">
<input name="data" type="hidden" id="hiddenField" value="<cfoutput>#form.data#</cfoutput>" />
</form>
<script> document.form1.submit(); </script>
The Url in 'Action' points to a different server that hosts an angular app (running on nodejs). Also I use full path including http (removed above for brevity) in Url. When I click submit, it goes to the other site but shows 'Cannot POST /' message. If I access the same link directly in a new browser window, the page loads fine. If I replace POST with GET method, then the destination page loads but immediately redirects the user to login page for authentication and when user comes back, the data posted (available as querystring) is lost. Angular app is a hybrid app (Angular version 4.4 and 1.6; node version 9.x). How do I make POST work? I am not using express. Most of the links I found while searching online show express examples but I don't use express. Do I need to use ngRoute? Since it's a hybrid app, I am not sure whether to use angular-route (ngRoute) or angular-router. If the destination page loads directly in browser, why doesn't it load when redirected from the other server?
I am sending a form post to a third party and it is returning a page with Success if the action is done. Once I get the success page, I need to redirect user to a Thank You page. Can somebody tell me how to see if the success page is returned and redirect to another page?
<form name="abc" method="POST" action="third party url" >
<input />
<input />
</form>
... how about submitting the form and receiving response in an iframe? If you can use an iframe you'll be able to detect the change then.
the code goes like this:
<form name="abc" method="POST" action="third party url" >
<input/>
<input/>
</form>
but I am not sure how to capture the response
You won't be able to do this easily with plain javascript. When you post a form, the form inputs are sent to the server and your page is refreshed - the data is handled on the server side. That is, the submit() function doesn't actually return anything, it just sends the form data to the server.
If you really wanted to get the response in Javascript (without the page refreshing), then you'll need to use AJAX, and when you start talking about using AJAX, you'll need to use a library. jQuery is by far the most popular, and my personal favourite. There's a great plugin for jQuery called Form which will do exactly what it sounds like you want.
I need to retrieve the news feed for a user, and using the Graph API that returns multiple pages. I'd like to get four pages, and that's pretty slow, so I'd like to batch a request for all pages into one request using batching. I can't figure out how to batch-request multiple pages - clearly each request in the batch is dependent on the previous.
I wrote up a webpage to let me test this all out, containing the following form:
<form method="GET" action="https://graph.facebook.com">
<input type="hidden" name="access_token" value="blahblahblah">
<input type="hidden" name="batch" value="[{'method':'GET', 'name':'getnews',
'omit_response_on_success':false, 'relative_url':'me/home'},{'method':'GET',
'relative_url':'{result=getnews:$.paging.next}'}]">
<input type="hidden" name="method" value="post">
<input type="submit">
</form>
Of course, when I get a response from Facebook that requires paging, the paging.next value is a full URL and the batching functionality wants a relative_url, so my first request works and my second request returns with the paging.next URL in a "body" key.
I found a piece of Facebook documentation which states that a request like the following works, where graph.facebook.com is followed by a full URL specifying a request: //graph.facebook.com/http://graph.facebook.com/me/home?_fb_url=me/home&access_token=blahblahblah
I was surprised to find that this works, but it does when I just make that GET request to the Graph API. Unfortunately, the batching functionality does not allow me to put that full URL in the "relative_url" field - it just does that "body" thing.
Does anybody have a good way to batch requests for multiple pages? kongo09 and I were wondering this over in the facebook dev forum, but I guess that's on its way out... http://forum.developers.facebook.net/viewtopic.php?id=107098
Thanks,
-Karl
I have found a way:
You should use
"relative_url":"me/home?after={result=getnews:$.paging.cursors.after}"