I need help in setting the authorization header in html file. So I used OAuth tool on dev.twitter.com and got this header content:
Authorization: OAuth oauth_consumer_key="BKsXdR3SO4hSZyFT2JevHQ", oauth_nonce="718a5099a51230e737474c7e76d21581", oauth_signature="rQ5DJWi8qMmdR76rwIOwJYUhuvc%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1341342796", oauth_token="69848552-B6geQZCA8ttirQIMKrIk47SOE541V7d5ZcYwEBUqQ", oauth_version="1.0"
Now I don't know what to do. I tried this:
<meta name="Authorization" content="OAuth"
oauth_consumer_key="BKsXdR3SO4hSZyFT2JevHQ",
oauth_nonce="b98cf39b3f8dba6286cbd1b741eb7504",
oauth_signature="Vgmudlrkv1dzFel9zpFztXfR6gI%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1341339879",
oauth_token="69848552-B6geQZCA8ttirQIMKrIk47SOE541V7d5ZcYwEBUqQ",
oauth_version="1.0">
But it doesn't work! I am sure doing something wrong.
Help, please!
Aram.
There's an essential difference of headers. OAuth requires an "Authorization" on HTTP header, not in HTML header.
POST /1/statuses/update.json?include_entities=true HTTP/1.1
Accept: */*
Connection: close
User-Agent: OAuth gem v0.4.4
Content-Type: application/x-www-form-urlencoded
Authorization:
OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
oauth_version="1.0"
Content-Length: 76
Host: api.twitter.com
You can set this headers on a request through server-side scripting (with PHP, Python, ...)
You can do HTTP requests (specifically XMLHttpRequests) from Javascript using AJAX calls (e.g. with jQuery). Check the example for the Perfect jQuery AJAX Request. Then you also can also set your request header.
Related
Trying to create a product rule using Postman on BigCommerce. All my other queries to BC work fine but on this one I receive the
[{"status":415,"message":"The specified input content type is not valid."}]
Doesn't seem to matter what is in the actual body, even if it is empty.
call:
https://api.bigcommerce.com/stores/xxxxxxxxx/v2/products/34371/rules
headers:
X-Auth-Client:xxxxxxxxxxxxxxxxxxxxxxxx
X-Auth-Token:xxxxxxxxxxxxxxxxxxxxxxx
Accept:application/json
Content-Type:application/json
I found that the issue was with Postman.
Postman was changing Content-Type: application/json to multipart/form-data behind the scenes.
I guess I ran into a dot-stuffing problem sending SMTP messages. What i basically want to do is to send a message with a text and a attachment part.
In my example I defined a multipart/mixed message like following:
Mime-version: 1.0
Content-Type: multipart/mixed; boundary="YJiPVI9C2M93dRDm"
--YJiPVI9C2M93dRDm
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message
.
--YJiPVI9C2M93dRDm
Content-Type: application/gzip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=2015-06-22-114558.tar.gz
H4sIAFbZh1UCA+2dXW/dNhKGc72/QujVLtAmIocjSqdXbbH9AJJt0G63F0URuPZJYdT2MezjNP33
FXkcbyQxh6TmnX4AOTdpUs3D0ejlkOKXbGv4o7b7yNqPjHHM/ZNH8F87/jxz/HP8zf+M/20sO+PZ
--YJiPVI9C2M93dRDm--
If I send the SMTP massage with libcurl like described above i will get connection timeouts. The problem is the single point (after "Message"). I know that this is a escape sign in SMTP, but it should be interpreted as a "normal" point. So how to do this? Is the mime body correct? Do i need to masquerade the single point?
I'm to work with goo.gl for URL shortening. I need to make the following request:
POST https://www.googleapis.com/urlshortener/v1/url
Content-Type: application/json
{"longUrl": "http://www.google.com/"}
my html:-
<form method="post" action="https://www.googleapis.com/urlshortener/v1/">
<button type="submit"> submit </button>
</form>
how do i add the 'content-type' and json here?
Browsers do not support JSON as a media type for form submissions (the supported types are listed in the spec).
The only way to make such a request from a web page is to use the XMLHttpRequest object.
Google provide a JavaScript library (which wraps XMLHttpRequest) that can interact with their URL Shortener API.
HTML forms don't support JSON, you have to use AJAX to send JSON.
But if you just want to test the security of an application, to see if it is vulnerable to a CSRF attack, there is a hack to send JSON data as plain text, like described in this article: https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.html
An HTML form has the advantage to not require JavaScript enabled and does not have a same-origin policy protection unlike AJAX XMLHttpRequest, so an HTML form can send data to any third-party domain.
In fact it looks like it is also possible to send GET and POST request to third-party domains with XMLHttpRequest (you will just get a warning saying that you can't read the response), even if not allowed by CORS as long as you don't change the Content-Type header to "application/json": https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Examples_of_access_control_scenarios
Here is an example from the article:
<body onload='document.forms[0].submit()'>
<form method='POST' enctype='text/plain'>
<input name='{"secret": 1337, "trash": "' value='"}'>
</form>
</body>
However if you try to set the enctype form parameter to "application/json" instead of "text/plain", it will not be recognized and it will result in the default "application/x-www-form-urlencoded" Content-Type HTTP header.
Some applications will check that the Content-Type HTTP header is "application/json", so it will prevent a CSRF attack (unless you have Flash Player installed: https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/). A better security would be to use an authenticity token, this will protect HTTP requests even if the data type is not JSON. Otherwise, it is also possible to use the sameSite attribute on the session ID cookie to prevent CSRF (https://www.owasp.org/index.php/SameSite).
Using Ajax request makes life much easier.
$.ajax({
url: 'https://www.googleapis.com/urlshortener/v1/url',
type: 'POST',
data: JSON.stringify({
longUrl: $scope.url
}),
contentType: 'application/json',
success: function(got) {
return alert("shortened url: " + got.id);
}
});
The above works perfectly.
JSON POST requests possible from the browser via Javascript
Most browsers (which should be supporting the Fetch API as of 2020) allow you to make POST requests with JSON. See the MDN reference here - but you'll have to, of course, do that in javascript.
I need to send the following HTTP request to my REST server from an HTML page to retrieve another page. How to do that using javascript or forms or links or whatever ?
Note that the HTTP request body must contain plain text with no key/value pairs as a form usually does.
PUT /somerequest HTTP/1.1
Host: www.myhost.com
Accept: text/html,application/xhtml+xml
Payload of the request to be read by the server script.
The script will return a HTML content to my browser.
Thanks !
You could use jQuery?
http://api.jquery.com/jQuery.ajax/
I'm sure you will find what you want there.
And if you don't look at a lower layer: XMLHttpRequest
http://www.w3.org/TR/XMLHttpRequest/
For google found that the oauth header format is
GData-Version: 3.0
Authorization: OAuth oauth_version=1.0,oauth_nonce=5887e5b11904194f7d217e9b7f795d62, oauth_timestamp=1317623602,
oauth_consumer_key=56565768768.apps.googleusercontent.com",oauth_verifier=PH9etu_6shPOPvlFgiFJS-Dd,
oauth_token=4%2Fpdn5ZtajHsU-zeSxScNSil43sTK0,oauth_signature_method=HMAC-SHA1,
oauth_signature=ybgad%2B6LlQ8P3rwnFa8BpI8awok%3D
Content-Length: 353
Content-Type: application/atom+xml
Seeing this made a request header for facebook as
Authorization: OAuth oauth_version=1.0,oauth_nonce=5887e5b11904194f7d217e9b7f795d62, oauth_timestamp=1317623602,
oauth_consumer_key=12904260719,oauth_verifier=PH9etu_6shPOPvlFgiFJS-Dd,
oauth_token=4%2Fpdn5ZtajHsU-zeSxScNSil43sTK0,oauth_signature_method=HMAC-SHA1,
oauth_signature=ybgad%2B6LlQ8P3rwnFa8BpI8awok%3D
Content-Type: application/X-WWW-form-urlencoded
What's the mistake in this header
Can anyone help me out please
Got it solved. Facebook is not expecting a header which contains parameters like oauth_nounce, oauth_consumer_key etc