I am building a RESTful API. When the client uses an unsupported method such as GET on a resource that does not supports it, I am returning a 405 with the Allow header which lists the allowed methods:
Response
Status Code: 405 Method Not Allowed
Allow: DELETE, PUT, POST
Connection: keep-alive
Date: Mon, 08 Apr 2013 00:19:26 GMT
Fortify display insecure HTTP method(s) on the web server.
How fortify determine insecure Http methods ?
Related
I am hosting an ASP.NET Web Api on WinSrv 2012 R2 and IIS 8.5.
The web api has one action in a controller that receives a json object - for the sake of discussion it looks like this:
[HttpPost, "api/action"]
ResponseModel GetIt(RequestModel requestData)
It works great except when I try to post data that's large. For example, when I try to post 8Mb of json (it includes base64 encoded image files).
How it fails is rather interesting. Basically, the action is called but model (RequestModel) is missing certain key properties. Leading me to believe that there's an error deserializing the object but I dont' see that. My Web API action immediately throws an exception because it's getting a few key null values.
I turned on FailedRequestTracking in IIS and I see the following:
The request comes in with these headers:
Cache-Control: no-store, no-cache
Connection: Keep-Alive
Content-Length: 12262199
Content-Type: application/json; charset=utf-8
Accept: application/json
Expect: 100-continue
In this case the object is ~12MB. The various handler matching starts and eventually IIS settles on the ManagedPipelineHandler to handle the request. It reads 16,384 bytes, then reads 16,384 bytes again, then reads 16,384 bytes one final time and you see the NOTIFY_MODULE_COMPLETION entry.
I see the AspNetHttpHandlerEnter event and after setting up the response header I see the 500 error from my exception. MODULE_SET_RESPONSE_ERROR_STATUS
Does anyone know why the ManagedPipelineHandler is only reading 48K? I need to be able to post up to 25Mb of data.
I create a web services and a ConsoleApplication to consume it. I am using fiddler to see the traffic, i was hoping that the request and response was SOAP but that's don't happend, only the request was SOAP, not the response.
How can i force to my service that respond using soap?
This is the raw http header obtained:
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 17 Nov 2014 20:19:22 GMT
Content-Length: 311
The respond is in binary.
My web-service was created adding a Web Services item to ASP.NET Empty Web Application project, and i don't modified, later I published in IIS.
My consumer is very simple too. I just add the service reference and create an instance.
var binding = new BasicHttpBinding();
var endpointAddress = new EndpointAddress("http://172.20.48.59/web-services/MyWebService.asmx");
var serviceRefWithoutConfig = new ServiceReference1.MyWebServiceSoapClient(binding, endpointAddress);
Console.WriteLine(serviceRefWithoutConfig.HelloWorld());
The HTTP response in question is compressed with GZIP.
What happens after you click the big yellow bar in Fiddler that says Response is encoded and may require decoding before inspection. Click here to transform.?
If you are creating something new, I strongly suggest you look at using WebAPI for something like this.
It's much easier to control the output of your methods, and the resulting service will be easier to consume from mobile platforms, should the need arise in future.
It looks like ServiceStack only accepts session-based authentication. I was reading through https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization and I couldn't find anything describing how to do what I want.
I also looked at http://enehana.nohea.com/general/customizing-iauthprovider-for-servicestack-net-step-by-step/ but that also is session-based.
What I would like to do, is very similar to how WebAPI works with Individual User Accounts.
I want to send this to the API:
POST http://localhost:49436/Token HTTP/1.1
User-Agent: Fiddler
Host: localhost:49436
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
grant_type=password&username=Alice&password=password123
Then, if the user is found in my custom authentication method, it returns this:
{
"access_token":"boQtj0SCGz2GFGz[...]",
"token_type":"bearer",
"expires_in":1209599,
"userName":"Alice",
".issued":"Mon, 14 Oct 2013 06:53:32 GMT",
".expires":"Mon, 28 Oct 2013 06:53:32 GMT"
}
Then, the client app can just send the access_token on subsequent requests by appending a value like this to the HTTP request:
Authorization: Bearer boQtj0SCGz2GFGz[...]
Is this possible in ServiceStack?
Edit: Implementation using .NET's WebAPI: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I'm developing a game on Facebook and having a problem to update the scores of the players.
The application receives HTTP ERROR 403 from Facebook as a response to the update score Graph API call. When I replay the same HTTP post request from other machines it passes without any error.
More information:
Players are requested for publish_actions during registration
The application is registered as a game
The admins of the application don't get the error from FB
The servers which run the applications are behind a load balance
This can't be networking issue since some update requests pass, this can't also be permission issue since the request is passed when executed from other machines.
Does anyone have an idea how to solve the problem or give me a direction to keep on investigating?
HTTP session as recorded by fiddler( XXX is replacing the application access token):
POST /100000868887295/scores/?score=1&access_token=XXX HTTP/1.1
User-Agent: Fiddler
Host: graph.facebook.com
HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: *
Cache-Control: no-store
Content-Type: text/javascript; charset=UTF-8
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: OAuth "Facebook Platform" "insufficient_scope" "(#200) User cannot access this application"
X-FB-Rev: 677653
X-FB-Debug: gxaao2ZoKOtcQNpLCO4Wh9kXigIhnGByugWQOlg0Y3Y=
Date: Sat, 24 Nov 2012 15:16:03 GMT
Connection: keep-alive
Content-Length: 101
{"error":{"message":"(#200) User cannot access this application","type":"OAuthException","code":200}}
Problem solved.
We had country restrictions defined in the Facebook application back office.
Since our server is not located in one of the allowed countries the requests sent from that server where rejected by Facebook.
Once we removed the country restrictions everything started to work.
The score api requires that you use an application access token to post the scores.
Is it okay if the server returns the API Key and Shared Secret Key when a client tries to login on the API using Basic Authentication? For example, if a user enter this link http://api.example.com/authorize?auth=some_encoded_Base64_string, the response will be:
Content-Type: application/xml
Date: Fri, 10 Nov 2006 20:04:45 GMT
Transfer-Encoding: chunked
Authorization: apiKey;secretKey
Will I have issues using this method? I wanted to be like this since the API core methods will only accept APIKey hashes and in order to obtain that they need to use the Basic Authentication as they're first step. I'm not gonna use OAuth here for now.
I'm trying out the new ASP.NET Web API for this project.
HTTP does not define an Authorization header in the response so if you need to define a custom header, use X- prefix.
Also from the design point, HTTP headers are to pass data which is orthogonal to the call. You seem to be trying to pass a piece of data which needs to be in the payload so I would refrain from using the headers.
I would pass this data in the payload.
If you use SSL and pass data in the URL, HTTP headers or payload it will be secure.