I am wondering how I can see exactly what web requests I am receiving from Facebook?
Let's say that we are on a Facebook event and I want to invite all my 1000 friends.
I start clicking all my friends one by one and at some point Facebook sets a limit of 498, and then I continue to do all the clicks until I reach 498, and then it says you can't invite anyone else.
To do this, Facebook at some point sends back an ajax.php page as a packet and sets this limit. This ajax.php page is what I'm trying to find somehow.
I've tried some Ajax jQuery capture Chrome extensions but I don't quite understand them much.
Do you have any idea of how I can track any ajax php request from Facebook to my browser to set this limit?
I am using the Chrome extension Live HTTP Headers, and this shows me any Facebook web request that is "POST" in my browser.
But I don't think it's actually all of them, because it's only loading the photos of the chat and some thread updates.
Here is a video of the limitation showing in my friends-invite frame on Facebook.
YouTube video here.
Press F12 and find the network requests section of your browser's dev tools.
http://www.devtoolsecrets.com/secret/general-finding-the-development-tools.html
I think you are misunderstanding the process. Web servers don't send requests to web browsers. They only respond to requests sent from the web browser.
When you click to invite friends you are sending an ajax request to Facebook's server. That ajax request passes the information about the event, you and your friend to a method on the server. Part of that method is to check and see if the limit on invitations has been exceeded. If not, it sends your invitation and sends a response to your ajax request showing this person was invited. However, if the limit has been reached, the invitation is not sent and the response comes back from your ajax request stating that the limit has been exceeded.
If you know what you're doing, you use Chrome or Firefox developer tools to debug JavaScript and follow the ajax request to the server and the response from the server. But this is difficult with the minified JavaScript. There are tools to deminify the JavaScript, making it easier.
However, if you're looking for a way around the invitation limit, it's not going to happen. This all occurs on the Facebook servers to which you do not have access.
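The flow this answer describes, sketched as an added example (it is not Facebook's code and not part of the original answer): the limit check reads the server's own state, so nothing the browser sends can change it. The 498 figure is the one from the question; the store layout, handler name and response shapes are hypothetical.

```javascript
// Added illustration: server-side enforcement of an invitation cap.
const INVITE_LIMIT = 498; // figure quoted in the question

// In-memory stand-in for the server database:
// eventId -> userId -> Set of invited friend ids.
function createStore() {
  return new Map();
}

function invitedSet(store, eventId, userId) {
  if (!store.has(eventId)) store.set(eventId, new Map());
  const perEvent = store.get(eventId);
  if (!perEvent.has(userId)) perEvent.set(userId, new Set());
  return perEvent.get(userId);
}

// `session` comes from the server's own session lookup, never from the
// request body; `body` is the parsed payload of the AJAX request.
function handleInvite(store, session, body) {
  if (!session || !session.userId) {
    return { status: 401, json: { error: "not_logged_in" } };
  }
  const { eventId, friendId } = body || {};
  if (typeof eventId !== "string" || typeof friendId !== "string") {
    return { status: 400, json: { error: "bad_request" } };
  }
  const invited = invitedSet(store, eventId, session.userId);
  if (invited.has(friendId)) {
    return { status: 200, json: { invited: true, duplicate: true } };
  }
  // The count is read from server state. Any counter the client sends
  // (for example body.invitedSoFar) is simply never consulted.
  if (invited.size >= INVITE_LIMIT) {
    return { status: 403, json: { error: "invite_limit_reached", limit: INVITE_LIMIT } };
  }
  invited.add(friendId);
  return { status: 200, json: { invited: true, remaining: INVITE_LIMIT - invited.size } };
}
```

The response the browser shows in its Network tab is only the result of this check; the state that produced it stays on the server.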
Try to use Fiddler (http://www.telerik.com/fiddler). With Fiddler you can see all requests (also HTTPS requests with an intermediate certificate), modify those or simply replay requests. It's worth a try and a must-have for each web developer.
Related
I am working with an API (I am a noob at APIs) and after some time I got this error: "Request was throttled. Expected available in 82248 seconds." This is a really important project I am working on and I didn't know there was a possibility for this to happen (lesson learned). I can't wait that long to make a request again; is there another way to regain access to the API? Maybe activating a VPN or something like that? Thank you in advance for your response.
HTTP error 429 means that you sent too many requests within a minute to the server, and the server assumes you either do not know what you are doing and/or are doing a DoS attack. Servers usually do this to make sure they can continue to work with other clients. See more details here.
To solve your problem, just stop sending requests to the server for a couple of seconds (maybe a minute, depending on how much you sent in the past minute), and it will work again. Rate limits may be implemented on the server globally, on a specific endpoint, or on a resource - check the API documentation for more details; here is a Facebook example.
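A client that waits as long as the server asks, as an added example (not code from the original answer or from any particular API). It reads the standard `Retry-After` header in both of its forms and falls back to the message text quoted in the question. The `send` and `sleep` callbacks, the lower-cased header object and the option names are assumptions.

```javascript
// Added illustration. `headers` is assumed to be a plain object with
// lower-cased names; `send` and `sleep` are injected, hypothetical helpers.
function retryDelaySeconds(status, headers, bodyText, nowMs) {
  if (status !== 429) return 0;
  const raw = headers ? headers["retry-after"] : undefined;
  if (raw !== undefined) {
    const value = String(raw).trim();
    if (/^\d+$/.test(value)) return Number(value); // Retry-After: <seconds>
    const when = Date.parse(value);                // Retry-After: <HTTP-date>
    if (!Number.isNaN(when)) return Math.max(0, Math.ceil((when - nowMs) / 1000));
  }
  // Fall back to the message format quoted in the question.
  const m = /Expected available in (\d+) seconds?/.exec(bodyText || "");
  return m ? Number(m[1]) : null; // null: throttled, but no hint given
}

// Sends via `send()` and waits as instructed before retrying. It reports the
// required wait instead of retrying when that wait exceeds maxWaitSeconds.
async function sendRespectingThrottle(send, sleep, opts = {}) {
  const { maxAttempts = 3, maxWaitSeconds = 120, now = Date.now } = opts;
  let fallback = 1;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await send();
    if (res.status !== 429) return { ok: true, attempts: attempt, response: res };
    let wait = retryDelaySeconds(res.status, res.headers, res.body, now());
    if (wait === null) { wait = fallback; fallback *= 2; } // exponential fallback
    if (wait > maxWaitSeconds) return { ok: false, attempts: attempt, retryAfterSeconds: wait };
    if (attempt < maxAttempts) await sleep(wait * 1000);
  }
  return { ok: false, attempts: maxAttempts, retryAfterSeconds: null };
}
```

With the message from the question, `retryDelaySeconds` returns 82248, so the caller can schedule the next attempt for that time instead of retrying in a loop.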
Let's say I'm a logged-in user in Google.
Now I'd like to send one ajax request there WITHOUT sending any cookies.
(But naturally, I want to keep those cookies for the future).
How is that possible?
I'm interested in a solution for ajaxing INSIDE a Chrome extension.
Important edit: I'm talking about intercepting requests sent FROM the extension itself! There the beforeHeadersSend doesn't work...
I am trying to ping some web server and want to know information about the replying web server. If some proxy is in between, then it should return information about that web proxy. For example, the ping server is http://www.google.com; consider the following two scenarios:
1. In the normal scenario it should give the information http://www.google.com or its IP address.
2. In the case of an airport, i.e. some proxy is involved, it should return airport.com or its IP instead of http://www.google.com.
For this I have tried an Ajax call but am not able to figure out which one is returning the response, because no field in the header contains this type of information. By doing an Ajax call I am able to figure out whether http://www.google.com is alive or dead.
Please suggest some alternative for the browser and a Chrome app.
Note - It is not a duplicate of that question. The concerns are different. I don't want to disable Firebug; let it be open and let the user use all the functionality provided by Firebug. I only want Firebug not to show service calls.
I may be wrong, but I want to ask: when browser developer tools like Firebug display service calls and their request and response, is it not a security threat? If not, why so?
If it is, is there any way by which we can hide the display of service calls in Firebug or developer tools after build deployment?
You can see a GET request shown by Firebug in Mozilla Firefox.
I have searched for this but am not getting anything fruitful, and I am also not able to find any post related to this concern on Stack Overflow. If anyone has any information, please share it.
No, this is not a security issue on any properly designed web site / service. The browser, and requests performed by the browser, should all be considered to be under the user's control. (Indeed, from a security perspective, the browser should be considered an extension of the user, rather than something separate from them.) As such, the user viewing something that's under the user's control is not a risk at all.
If your web site is sending data that the user shouldn't be allowed to see in HTTP(S) requests, you've done something wrong. That data should never leave the server at all if it's that sensitive - move the logic that needs it off of the client (e.g., JavaScript) and back onto the server side.
If your web application follows security through obscurity then it would be harmful.
But as long as you make your web application secure, with common vulnerabilities like CSRF and XSS taken care of, then anyone seeing the request made / response received doesn't matter.
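The advice above to keep sensitive data and the logic that needs it on the server, as an added example (not code from either answer). It shows a weak response builder beside a corrected one, plus an audit helper that scans a response body the way a user would see it in developer tools. The record, field names and the threshold are constructed for illustration.

```javascript
// Added illustration; the record, field names and threshold are constructed.
const SENSITIVE_KEYS = new Set(["riskScore", "internalNotes", "passwordHash"]);
const PUBLIC_FIELDS = ["id", "displayName", "plan"];

// Weak: serialises the whole server-side record and leaves the decision to
// browser JavaScript, so every field is readable in the Network tab.
function weakResponse(account) {
  return JSON.stringify(account);
}

// Corrected: the decision is made on the server and the response is built
// from an explicit allow-list, so new sensitive fields are not sent by default.
function safeResponse(account) {
  const out = {};
  for (const key of PUBLIC_FIELDS) out[key] = account[key];
  out.canUpgrade = account.riskScore < 90; // logic that needs riskScore stays here
  return JSON.stringify(out);
}

// Audit helper: walk a response body exactly as the user would see it and
// return the paths of any sensitive keys, including nested ones.
function leakedFields(jsonText, sensitive = SENSITIVE_KEYS) {
  const found = [];
  const walk = (value, path) => {
    if (Array.isArray(value)) {
      value.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (value !== null && typeof value === "object") {
      for (const [key, child] of Object.entries(value)) {
        const here = path ? `${path}.${key}` : key;
        if (sensitive.has(key)) found.push(here);
        walk(child, here);
      }
    }
  };
  walk(JSON.parse(jsonText), "");
  return found;
}

const sampleAccount = { // constructed sample record
  id: "a1", displayName: "Dana", plan: "basic",
  riskScore: 87, internalNotes: "manual review",
  owner: { id: "u9", passwordHash: "<placeholder>" },
};
```

Running `leakedFields` over recorded responses in a test suite catches a sensitive field before it ships, which is the only place hiding it is effective.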
I am creating an internal corporate tool which is entirely client driven and utilizes web services to update, insert, and delete data. While creating the application, I was able to use Chrome Debugger to send any type of request to the server in order to test various scenarios.
I would change objects from the debugger and execute AJAX requests right from the console and there were no issues, the web service would call and execute just fine.
This raised a concern for me in that a majority of my company's employees are developers, and I worry that they may "play around" with the code to either change or invalidate the data going to the database.
Is it possible to secure an AJAX request to the server so that users will not be able to change items in their browser debugger and post those changes to the server?