I have a web application running in my browser. It is third party obfuscated javascript. It connects to the server with SSL and it fetches data and then displays it in the browser. I want to get programmatic access to the data, but I cannot figure out how it gets it from the server.
I tried to open Chrome Canary Dev Tools, but it does not show any network access (other than loading some html, js code and images). I ran wireshark and it shows lots of network access (all encrypted, so it is useless). What gives? This javascript app seems to be able to fetch data in a sneaky way, so that Chrome Dev Tools doesn't show it.
Any advice how I can reverse engineer this?
EDIT: I think that the data is fetched by redirecting to a download link, or perhaps with window.navigator.msSaveBlob. Anyway, I found it using postman.
I was able to capture the API call using POSTMAN (native Win 6.0.9). I enabled a Proxy on port 5555, and then click the button to trigger the action in the web app.
Because the web is using SSL, I get an error "Your connection is not private". However, I can click Advanced / Continue and call the API anyway, which gets captured by POSTMAN.
Advice: In postman, capture to a new folder (called Proxy data). Try it first using a non-SSL site, such as this one.
Related
I'm using DroidCamX to stream my phone's cam to a C# app, works easy. Now I have to enable the camera flashlight from inside my app (important), which usually you would do via the web interface by going to localip:4747 and clicking a button. I have zero knowledge regarding network communication, so I don't even know where to start.
The only thing I could find out is that when I go to the Network Tab in chrome and click the flash button on the page, it shows something named "led_toggle" of type "xhr" with Initiator "jquery.min.js:5", apparently that thing only exists in JavaScript, is there any way to do it with C#?
XHR is just the handle/API used by Browsers to do a https network call. Here the prototype https is what you must be concerned about not XHR as it is just the API the browser provides. In fact XHR stands for XMLHttpRequest. In C# you can use http packages already available to do the same network call. Here is the link that provides the API to make network call from C#
https://learn.microsoft.com/en-us/aspnet/web-api/overview/advanced/calling-a-web-api-from-a-net-client
Hope it helps!
I am new to Ember and have posted a similar post regarding troubleshooting of a simple Ember front-end with JSON API web back-end (see below). My problem here is that I am unable to get Postman to display any data in the DevTools console - its blank. I can use Postman to submit requests and see the response in the body, that is all.
I have tried various permutations of using the application while going so far as to uninstall and re-install. But, nothing is working. Is anyone aware of the steps necessary to use Postman to troubleshoot problems?
Ember 3.2.2 not routing request to .NET Core 2.1 JSON web API
As figured out in comments you were messing up Postman with developer tools of browser.
While Postman is great to debug and test REST APIs, it can't be used to inspect single page applications (SPA) running in browser window. Postman is it's own application and does not interfere with your ember.js web application which is running another task.
To inspect a single page application (or other websites) the developer tools which are provided by all major browsers are very helpfull. These ones are shown in the video you have mentioned in comments. They have a network tab listing all requests fired. Here you find a detailed description of Google Chrome's network tab in developer tools. The other browsers share most of the features.
So to put it together: To investigate what network requests are fired by your single page application (e.g. ember.js) use the network tab of browser's developer tools. If you need to investigate your API behavior more in detail (e.g. to see why a network request of your SPA fails), Postman is a great tool to do this.
What I want to do
Make a simple socket connection to a server on the browser. I want to not send any header information with the socket connection.
The Problem
It looks like I am unable to make a socket connection with javascript that does not send header data (Is there a way to do a tcp connection to an IP with javascript?).
I thought maybe I could make a connection with a chrome extension, however it looks like the socket API is only available for chrome apps (Google Chrome Socket API in extensions).
I am thinking that I might need to make a native application that will make socket connections through requests made by the browser using Native Messaging.
Is there anyway I can achieve this or am I out of luck?
Raw socket connections through the browser are wrapped up in security concerns. Users can be easily manipulated to allow things to run that shouldn't.
TCP and UDP Socket API
W3C Editor's Draft 20 January 2016
is located here.
http://raw-sockets.sysapps.org/
Mozilla's API information here: https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/API/TCPSocket "This API is available on Firefox OS for privileged or certified applications only."
If you work with raw TCP connections. I would suggest
(1) downloading PHP onto the local computer. PHP has a developer web host build in so you can run whatever application you want on PHP using the browser as your GUI.
(2) download node.js.
You are not out of luck you just need to achieve it with the understanding that you are working outside the box for normal browser based scripting created from security concerns, and that means the user/client needs to install something manually.
If you must use chrome browser on the client side, you will need to make an -extension- correction webapp. You can as a developer make one that you can use on your own computers.
https://developer.chrome.com/extensions/getstarted
https://developer.chrome.com/apps/first_app
Load the extension#
Extensions that you download from the Chrome Web
Store are packaged up as .crx files, which is great for distribution,
but not so great for development. Recognizing this, Chrome gives you a
quick way of loading up your working directory for testing. Let's do
that now.
Visit chrome://extensions in your browser (or open up the Chrome menu
by clicking the icon to the far right of the Omnibox: The menu's icon
is three horizontal bars. and select Extensions under the Tools menu
to get to the same place).
Ensure that the Developer mode checkbox in the top right-hand corner
is checked.
Click Load unpacked extension… to pop up a file-selection dialog.
Navigate to the directory in which your extension files live, and
select it.
Alternatively, you can drag and drop the directory where your
extension files live onto chrome://extensions in your browser to load
it.
If the extension is valid, it'll be loaded up and active right away!
If it's invalid, an error message will be displayed at the top of the
page. Correct the error, and try again.
This insures that non developers don't load an extension which does not comply with the normal security concerns.
Communicating between with the script on the web page to the extension.
Can be done with message passing ... https://developer.chrome.com/extensions/messaging
The extension can add content directly to the web page which is available to the script on the web page. If for example the extension replaced the web cam image with a static image when the webcam script reads what it believes is the webcam it gets the static image instead, which explains why I look like an alien from space on the webcam. Although I did not create an extension to do that, I merely modified an existing extension to replace the function that gets the webcam image with a function to get a static image.
You can use SignalR, it is javascript library (JQuery Plugin) and it enables you to open web sockets from the browser to a server. Please check the following links:
https://blog.3d-logic.com/2015/03/29/signalr-on-the-wire-an-informal-description-of-the-signalr-protocol/
http://blog.teamtreehouse.com/an-introduction-to-websockets
https://github.com/SignalR/SignalR
I'm helping a developer who has build a website and wants to port it to a windows 8 application. The application has to be build with html and javascript. I got it running, but for some reason requireJS with i18n won't work correctly. Most of the time it does it's job, but some variables won't load the correct information. In a webbrowser I would look at the network request to see what is happening.
Is there a way to see the network requests a windows 8 application does?
*I've tried using fiddler, but it only shows outgoing information. Not the information request information from inside the application.
I'm trying to write an app using Sencha Touch that ultimately targets iOS and Android. It's supposed to log into the corporate web server and then retrieve and parse some JSON data. It should be very simple. However I'm very new to both Sencha and Javascript, so I'm having a hard time doing this sort of client-side authentication. I can't even seem to make it authenticate from a web browser on my dev machine.
I used this link to help create my login page:
http://miamicoder.com/2012/adding-a-login-screen-to-a-sencha-touch-application/
But when I attempt to log in I seem to get the following error message and a null object:
XMLHttpRequest cannot load https://www.server.com/index.html?=_dc1234567890123
Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
Does anyone have any advice or good resources on getting this app to log in? Any help would be greatly appreciated!
Steve, the "is not allowed" error is returned because your login request violates the browser's same-origin policy (essentially it states that all XhrHttpRequests must go to the same domain the page was initially loaded from).
Some browsers offer ways of disabling this error temporarily (which might be fine for short-term development purposes), but for the long-term you'll either need to host your application in the same domain as your backend server, or look into using CORS or JSONP for your requests.
Your AJAX request violates the Same-Origin-Policy. That's why you are getting the error message. If you are using chrome for debugging u can disable the cross-domain Javascript security by doing the following :
For Windows:
1) Create a shortcut to Chrome on your desktop. Right-click on the shortcut and choose Properties, then switch to “Shortcut” tab.
2) In the “Target” field, append the following: –args –disable-web-security
For Mac, Open a terminal window and run this from command-line:
open ~/Applications/Google\ Chrome.app/ –args –disable-web-security
For Ubuntu, Open a terminal window and run this form command line:
open /usr/bin/ and execute ./google-chrome --disable-web-security
There is extension for chrome that does the work:
Allow-Control-Allow-Origin.
If you want to active it when the browser started, you have to press on the icon.