I was wondering about some possible ideas on how I can implement an error detection algorithm for a URL. My url can work as follows:
http://changes.html?Type=Production&Item=Tires&Type=Winter
My Url can have the following forms:
http://changes.html?Type=Production //which gets you to the base page
http://changes.html?Type=Production&Item=Tires //which gives you all the tire options
http://changes.html?Type=Production&Item=Tires&Type=Winter //which gives you a specific tire
My question here is that say I spelled Type=Production wrong in a way such that I spelled it as Tzxpe=Poductaion then I may think of having a default page. Also if say everything is correct until Type such that you have the following URL:
http://changes.html?Type=Production&Item=Tires&TZAe=Wter then I am thinking of just cutting off the string at Tires until where its correct and programming a page re-direct to that working part. My solutions seem a bit odd and inefficient. Is there a better way to perhaps have the URL fix itself, or yet even a better implementation of my idea, or just a completely different way of approaching this problem? Error checking is a must for this project so just receiving a bad url message is not going to cut it!
Maybe I am misunderstanding your question but what you could do would be to split the URL you receive on the back end on ? = and & and then check the values for Type against possible correct values (an enum class or just an array of predefined possibilities) and the same with Item. This is dependent on how you are dealing with your service calls though.
I don't know that regex is entirely a good idea. You are looking to make sure things are spelled right which doesn't really fit regex in my experience.
Related
I am trying to create a scenario that will work every time but I do not know how to deal with the uniquely hashed javascript and CSS. I could not find any answer in the documentation about that.
What I want specifically is the ability to pass a regex into my get but that is not possible since it only takes a string.
.get("/dist/precache-manifest.3efd6185a8d8559962673d45aed7ae98.js")
.headers(headers_0)
I expect a way to be able to somehow get the URL with a regex and then use it in my get above. Is there a way to do that in a Gatling scenario.
I found a way but its a hack and it takes a lot of time I am answering this because someone might want to use this way. However this could be considered a bug.
.get("").queryParam("", _ =>regex("""\/dist\/precache-manifest.[A-Za-z0-9]+.js"""))
.headers(headers_0),
First, I want to start off that I am really new with stackoverflow. I'm normally a viewer and this is my first time to ask here. Second, please do excuse me if there are terminologies, which I might later use incorrectly or if I am asking in the wrong place. Lastly, I would appreciate it if everyone would use less, or possibly, no negative comments or statements, and if there are less links (to answer my question) and instead more explanation.
So, I've been working on a system. However I'm having trouble with giving request to a wsdl. Normally, I get enough namespaces for me to provide the needed information to get the proper response. However, in my case with this specific wsdl, I'm getting a lot of namespaces. I've tried using soapUI to see if I would get a response, but the problem here is that, it works if I remove enough number of namespaces.
Here is a sample:
<qr2:Envelope
xmlns:qr1="http://qr1/sample"
xmlns:qr2="http://qr2/sample"
xmlns:qr3="http://qr3/sample"
xmlns:qr4="http://qr4/sample"
xmlns:qr5="http://qr5/sample"
xmlns:qr6="http://qr6/sample">
xmlns:qr7="http://qr7/sample">
xmlns:qr8="http://qr8/sample">
xmlns:qr9="http://qr9/sample">
xmlns:qr10="http://qr10/sample">
xmlns:qr11="http://qr11/sample">
<qr2:Header>
</qr2:Header>
<qr2:Body>
</qr2:Body>
</qr2:Envelope>
What I want to happen is to lessen the number of namespaces. In my sample above, instead of getting eleven namespaces, I want it to have, say five, as so:
<qr2:Envelope
xmlns:qr1="http://qr1/sample"
xmlns:qr2="http://qr2/sample"
xmlns:qr3="http://qr3/sample"
xmlns:qr4="http://qr4/sample"
xmlns:qr5="http://qr5/sample">
<qr2:Header>
</qr2:Header>
<qr2:Body>
</qr2:Body>
</qr2:Envelope>
Is there a way for me to do this using node.js?
I'm already at this point of my code:
soap.createClient(https://sampleLinkOf.wsdl, wsdlOptions, function(err, client) {
}
I'd appreciate an answer instead of a workaround (deleting files, downloading files, etc).
So I decided to use GET in my form element, point it to my cshtml page, and found (as expected) that it automatically URL encodes any passed form values.
I then, however, decided to test if it encodes angle brackets and surprisingly found that it did not when the WebMatrix validator threw a server error warning me about a potentially dangerous value being passed.
I said to myself, "Okay, then I guess I'll use Request.Unvalidated["searchText"] instead of Request.QueryString["searchText"]. Then, as any smart developer who uses Request.Unvalidated does, I tried to make sure that I was being extra careful, but I honestly don't know much about inserting JavaScript into URLs so I am not sure if I should worry about this or not. I have noticed that it encodes apostrophes, quotations, parenthesis, and many other JavaScript special characters (actually, I'm not even sure if an angle bracket even has special meaning in JavaScript OR URLs, but it probably does in one, if not both. I know it helps denote a List in C#, but in any event you can write script tags with it if you could find a way to get it on the HTML page, so I guess that's why WebMatrix's validator screams at me when it sees them).
Should I find another way to submit this form, whereas I can intercept and encode the user data myself, or is it okay to use Request.Unvalidated in this instance without any sense of worry?
Please note, as you have probably already noticed, my question comes from a WebMatrix C#.net environment.
Bonus question (if you feel like saving me some time and you already know the answer off the top of your head): If I use Request.Unvalidated will I have to URL-decode the value, or does it do that automatically like Request.QueryString does?
---------------------------UPDATE----------------------------
Since I know I want neither a YSOD nor a custom error page to appear simply because a user included angle brackets in their "searchText", I know I have to use Request.Unvalidated either way, and I know I can encode whatever I want once the value reaches the cshtml page.
So I guess the question really becomes: Should I worry about possible XSS attacks (or any other threat for that matter) inside the URL based on angle brackets alone?
Also, in case this is relevant:
Actually, the value I am using (i.e. "searchText") goes straight to a cshtml page where the value is ran through a (rather complex) SQL query that queries many tables in a database (using both JOINS and UNIONS, as well as Aliases and function-based calculations) to determine the number of matches found against "searchText" in each applicable field. Then I remember the page locations of all of these matches, determine a search results order based on relevance (determined by type and number of matches found) and finally use C# to write the search results (as links, of course) to a page.
And I guess it is important to note that the database values could easily contain angle brackets. I know it's safe so far (thanks to HTML encoding), but I suppose it may not be necessary to actually "search" against them. I am confused as to how to proceed to maximum security and functional expecations, but if I choose one way or the other, I may not know I chose the wrong decision until it is much too late...
URL and special caracters
The url http://test.com/?param="><script>alert('xss')</script> is "benign" until it is read and ..
print in a template : Hello #param. (Potential reflected/persisted XSS)
or use in Javascript : divContent.innerHTML = '<a href="' + window.location.href + ... (Potential DOM XSS)
Otherwise, the browser doesn't evaluate the query string as html/script.
Request.Unvalidated/Request.QueryString
You should use Request.Unvalidated["searchText"] if you are expecting to receive special caracters.
For example : <b>User content</b><p>Some text...</p>
If your application is working as expected with QueryString["searchText"], you should keep it since it validate for potential XSS.
Ref: http://msdn.microsoft.com/en-us/library/system.web.httprequest.unvalidated.aspx
I want to be able to validate a form field called promotional codes, without using a data base.
There are two valid codes and the forms field needs to match either one of these. They are codes like this 'VK2012'.
I've tried the equalto with a hidden form field but this doesn't quite work.
Any suggestions greatly appreciated.
First, the comments are right. You should do this on the server side. Client side validation of this sort really ought to be reserved for the case where you can safely assume that your users are acting in good faith (and as soon as you're talking about things like promotional codes, you cannot assume that). As far as a non-database solution goes, it's ugly and maintains poorly, but you could always hardwire the strings to compare to into the code on the server side. Alternately, for a somewhat less ugly (but somewhat more involved) version, you could put them into config files, which would let you change the codes without recompiling.
I'm working on finding a variable for a PollDaddy poll. The API says that the hash is attributed to the variable PDV_h[PollID] (check "Voting" part of API). I've been looking all around this poll here but can't seem to find it. Can anyone help me figure out the hash and tell me how you were able to find it?
The hash doesn't seem to be used in the link you gave me here.
But on what I assume is your site, here, there's a variable PDV_h5547018, which gives you the hash you need to make the request.
This is what I got back, but this will be invalidated, of course:
PDV_n0='f5a9a0cf08b733a0e1738e271c9303d6';PD_vote0(0);
I would track down where it was made but there are so many script references. I assume you are using a script request from them, which is why they say it's in the JavaScript.