I am using Component Space SAML 2.0 library to send an Single Sign On assertion to a partner site. They claim I am not sending my SAML assertion correctly. The library is high level so there's not much area for me to be messing it up, but I don't know how to see the message before i send it.
I would like to use the debugger (VS) or output the SAML XML token to the screen when I click a link on my page. Does anyone know how I can do this?
Not sure how to capture it before you send it with your code/library... However...
Once it's "in" your browser... You can use TamperData, SAMLTracer, or the Developer tools in Firefox, the developer tools in Chrome, or a "proxy" like Fiddler or Charles. All of those will let you capture the encoded assertion.
Then, you can decode it using this handy online tool. That will show you your assertion. SamlTracer will "decode" it automatically, IIRC.
The solution was to turn on debugging in the web config file. This gave me a SAML assertion with comments that I could read.
Also using fiddler to look for the post worked as well. This gave me a encoded assertion that i could decode to see exactly what was being sent
Related
I'm trying to write a VSCode extension where users could log into Google AppEngine with a google account, and I need to get their SACSID cookie to make appengine requests.
So I'm opening a browser window at
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttp://localhost:3000/
(generated by google.appengine.api.users.create_login_url)
The user logs in and is redirected to my local webserver at
localhost:3000/_ah/conflogin/?state={state}
Now I try to forward the request to my AppEngine app (since it knows how to decode the state parameter), so I do a request to
https://my-app.appspot.com/_ah/conflogin/?state={state}
basically just replacing localhost with the actual app.
but it doesn't work, presumably because the domain is different. I assume this is on purpose, for security.
Is there any way I can make this work ?
Not ideal, but the only solution I've found is to have an endpoint on my GAE instance that does the redirection. Then I can set that as the continue url, when I'm starting the authentication process
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://my-app.appspot.com/redirect?to=http://localhost:3000
I think you should center the attention on the protocols you are using, since it’s known that the cookie name is based on the http protocol (HTTP : ACSID, HTTPS:SACSID), and that’s the security perspective till this point for me.
Having the error you are facing now would be helpful to understand the problem better. Also, how are you performing the call to the API and the code you are using would be helpful too.
We have a web app which is HTML/AngularJS on the front-end and uses MS Web API on the background. We require the use of HTTPS for security reasons. Every article I've read about using plaintext passwords and how to login basically comes down to "just use HTTPS and everything will be secure".
Recently, we were testing the app in-house and the Web API service was accidentally down when the QA person was trying to login. What happened next is what you see in the image below. The password was shown in plain text in the browser. QA, my boss, the company, God and everyone in America is "having a cow" because of this.
The message being displayed in the browser isn't something I coded, it appears that it is part of AngularJS which is trying to do me a favor by showing me a failed API call and what object it was trying to pass to the API. In which case, it makes sense (I think) that Angular has that information.
Can anyone please help me understand what happened here? And what is considered the proper way to address this? I assume I can add some JavaScript code to encrypt the password on the client side first, but that also seems like it would be super easy for a hacker to intercept on the client side. So what's the correct approach to take to keep things secure on the client?
What happened is that the user (you) and the browser (on your machine) live in the same trust boundary.
You just typed that password into the browser. The browser only hides it in the input box to prevent shoulder-surfing. The browser does not really attempt to hide something you just typed in from you.
If you open dev tools in the browser, you can see anything that is sent over the wire in the HTTP protocol. Anyone outside your trust boundary cannot see this because the HTTPS protocol encrypts anything on the wire.
its hard to tell without looking on the code, but I found the similar issue :
app.config(['$qProvider', function ($qProvider) {
$qProvider.errorOnUnhandledRejections(false);
}]);
I am implementing single page application(SPA) using of Angular Js, MongoDb. And I am using rest call with promises. Rest call working fine in Chrome, Mozila browser which is using for development. But rest call is not working in IE-11. It is giving me 500 Internal Server Error.
I am not able to find out line of rest call. Because it is not showing line number. But I can share sample code of rest call.
Rh.all('apicall').get('dbname/_aggrs/'+ ar_dep +'?avars=' + query).then(function (d) {
console.log("response data");
});
Above call is not printing console. Because It is breaking in IE-11, But these rest call working fine in other browser.
If I putt direct path not with variable then it is working in IE-11.
Working Rest Call below
Rh.all('apicall').get('dbname').then(function (d) {
console.log("response data");
});
NETWORK in Console(IE-11)
IN CHROME
I am updating my question. Because I found some difference parsing url, Because of restheart.
IN CHROME:
Rh.all('apicall').get('dbname/_aggrs/'+ ar_dep +'?avars=' + query)
After parsing
localhost:8080/apicall/dbname/_aggrs/rout?avars={%22routes%22:%22US%22}
In query object I have routes:us. So in chrome it parsing %22--%22 place of " ".
IN IE-11
Rh.all('apicall').get('dbname/_aggrs/'+ ar_dep +'?avars=' + query)
After parsing
localhost:8080/apicall/dbname/_aggrs/rout?avars={"routes":"US"}
In IE-11, It is not parsing double qoutes to %22 %22. It is parsing same as string.
A 500 error is always related to the server. The symptoms may only occur with a specific browser, but it is the server that is failing; the request that is being sent to the server is causing the server-side code to fail in some way.
Error 500 on its own is too generic; without knowing more details about the error, it is always very hard to diagnose, and frankly I won't be able to give you a definitive answer here.
At your end, you should rule out the obvious, and check your browser settings in IE. Specifically, any settings that might cause it to fail to communicate properly with the server. For example, make sure that cookies are enabled and are working properly.
But the first thing you should do is discuss with the vendor or developers of the API because they will have access to the server error logs, and they will want to know about it if their code is throwing a 500 error.
However, if you do want to investigate at your end, the fact that it is specific to one browser is a clue. If the other browsers are working, then what this tells us is that this one browser (IE11) is sending the request with something about it that is different to the other browsers, and it is that something that is triggering the server-side code to fail. This gives us something to work with in the investigation.
So the first thing to do is to examine the request in all browsers. Use the F12 dev tools in Chrome, Firefox and IE, and get to the point where you've made the same call in all three of them, and it works in FF and Chrome but not in IE11.
In the dev tools, you should now be able to examine the request details for all three. Compare them.
Start by looking at the request data -- ie the actual query string that was sent. If there are differences, consider whether any of these differences may be responsible for the error. Something may stand out obviously; eg if IE has truncated a variable or something like that. If this solves the problem, then great.
If it doesn't help, then you need to look in more detail. Maybe there are some differences but they don't look like they should break anything? Modern browser dev tools allow you to edit and re-send a request, so try editing the request in Chrome or Firefox's dev tools, and make the parameters the same as the ones from IE that failed. Now try re-sending that request. If you're lucky, this will cause the request to fail in the other browser, which will allow you to show that a specific set of data is the problem (rather than a specific browser). You mentioned that it's a third party API, so you'll then need to discuss with the API vendor to find out why that query breaks their API.
If you still haven't found the problem at this point, and you're sending identical queries in both browsers, and you're logged in as the same user, then the next step is to look at the request headers.
There is one request header that will definitely be different: the User Agent string. But there may be others too. Again, try re-sending request that works in Chrome, but with headers from the failing request in IE (including the UA string). Does the request now fail in Chrome? If so, narrow down which headers are different that make it fail.
Again, if this allows you to find a specific set of request data and headers that causes the problem, then you will need to discuss with the API vendor.
If all of this doesn't help, then try looking at the cookies. You already checked that cookies are working, so this seems like a long shot now, but again compare the cookies between browsers, and see if there's anything obviously different about them.
I hope the above is enough to help you diagnose the issue.
I need to stress-test a silverlight application which uses Windows authentication mode. To achieve this task I am using the StressStimulus Fiddler addin.
What I am doing is to log in and doing some stuff like search etc. I captured the HTTP messages transferred in Fiddler and replayed them using the above mentioned tool.
However, when I replay the packages I always get a 401.1 Server responses.
I tried to use different Authorization approaches (NTLM and Negotiate) but I always get the same response message.
Fiddler seems to be properly configured. In the Fiddler options menun "Reuse client connection" is checked as well as "Reuse connection to server". I even raised the KeepAliveTimeout in the registry without any success.
Does anybody have an idea whats going wrong?
You can't replay authentications such as NTLM and Negotiate. One the most important features of any challange/response authentication is that it must not be replayable. Without this feature an attacker can monitor a successful authentication and then replay the same sequence to gain access to things they aren't entitled.
I'm working on a Windows Phone 7 application that makes a REST service call. The third party that hosts the web services has an invalid certificate in the current environment. When I hit the URL in Firefox, I get a warning about the cert and I am asked if I want to continue. I'm also using the Poster FF extension to test the call. It works with Poster if I first accept the invalid cert in Firefox. If I don't, then POSTER wont make the request.
In my WP7 Emulator, I can't make the request at all. I get a 404 at the EndGetResponse method. I making the same request as in Poster, so I know there is nothing wrong with the request. I have successfully hit another web service using the same code (no certs involved), so I don't think it's the code. The only thing I can think of is that WP7 doesn't allow requests to an invalid cert. Has anyone had experience with this situation? Is there any way around it?
Is there a way I can tell my app to accept all communication, even if there is an invalid cert?
There is sadly no way to do this on the phone. Ordinarily, i.e. on the desktop this simple line of code will disable certificate checking.
System.Net.ServicePointManager.ServerCertificateValidationCallback = (se, cert, chain, sslError) => { return true; };
If you look at the ServicePointManager on the phone, there's no callback to hook into. It's a massive pain in the arrrrse.
Have you considered writing to the service owner and asking why they're being bad internet citizens? (essentially, what you're seeing here is web security in action, for better or worse)
As Matt says, you might be able to code a simple relay on a web server. It doesn't have to be a special service, but maybe just a web page that does the call for you and spits out RAW text or XML. Your phone client just GETs this page and picks through the response manually.
Where there's a will there's a way.
Luke
You need to install the root CA cert of the issuing party on the phone.
You can do this by emailing the RootCA to the user of the phone. They click on the attachement and it will prompt them to ask if they want to install the certificate on the phone.
Once you have done that your requests should go through.
I dont believe there is a way to do this programatically in your app however.
I'm not aware of a way to install additional certificates on the phone.
In this situation I'd create a proxy service between your app and the 3rd party site and have your app call that. If you need to, you could put the proxy behind a valid cert.