Is there a way to check if flash is installed in Firefox from C# code on the server? For instance when the client browser is IE, you can check
Request.Headers["accept"].Contains ("application/x-shockwave-flash")
but a Firefox request doesnt contain the same header.
Given you've tagged this as "server-side" and talk about the client's machine, then you may well be disappointed.
The only way to check this is with code running on the host you're checking (i.e. the client) - of course, you could do this and transmit the answer to the server (to store in the session, for example)
Edit: It's also worth remembering that any headers you receive (or rely on receiving) may be removed by intermediate proxies, or just plain lying (could be a bot)
Related
I'm accessing Dynamics 365 Business Central OData API in C# application, and when accessing data in my local system is good and when we deployed the application to client server, randomly (50%) they are getting the error "The server committed a protocol violation. Section=ResponseStatusLine".
I have checked the article https://techcommunity.microsoft.com/t5/iis-support-blog/protocol-violation-section-responsestatusline/ba-p/1227792 and applied all the 3 suggestions, but none of them worked.
I'm able to access the client Business Central API integration application in my local system without any issues.
Assuming that this is client Firewall or load balancer issue. But not able to find the solution.
There are many case behind this issue, avoiding the problem rather than actually fixing it. One of the most common cause of this error is the corrupt or missing headers in the request.
Solution:
The server responds with a 100 continue in an incorrect way. Setting expect 100 continue to false and reducing the socket idle time to two seconds
HttpRequestObj.ServicePoint.Expect100Continue = false;
HttpRequestObj.ServicePoint.MaxServicePointIdleTime = 2000;
Ignore corrupted/missing headers. Ref: Link
Stop skype if it is running on the machine.
If a webserver uses UTF-8 that outputs the byte-order-marker (BOM). For example, the default constant Encoding.UTF8 outputs the BOM, and it is easy to forget this. The webpages will work correctly in Firefox and Chrome but HttpWebRequest will bomb. A quick fix is to change the webserver to use the UTF-8 encoding that doesn't output the BOM.
Check the end point of your request server. ex:https or http.
So, I have an API running in Visual Studio 2019, and I can make a request by typing in a url in the browser, like
https://192.168.1.192:44327/api/pickslips
But when I try to make such a call from code, like for instance:
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var responseMessage = await httpClient.GetAsync(#"https://192.168.1.192:44327/api/pickslips");
var jsonResult = await responseMessage.Content.ReadAsStringAsync();
var slips = JsonConvert.DeserializeObject<IEnumerable<PickSlip>>(jsonResult);
return slips.ToList();
The application stops and exits at await GetAsync, without an error, and doesn't get to anything beyond it. However, the code works when I try to make a call to other APIs like some of the test ones you can find on the internet.
By the way, one of the reasons why it's not running on localhost is because I need it for Xamarin.
So how can I make this work?
The application is unable to reach the IP address specific, throw an HTTP error, and the app crashes. To troubleshoot that you want to start with try/catch and read the error details. Most likely you are hitting one of two issues:
Your device/sim is unable to reach the given IP Address
You are trying to access your local HTTP server which doesn't allow remote connections
In the first case, you want to verify that your device on the same network and can reach the IP address specified, in the case of sim you want to make it can access the network interface. Similar issues were answered here (for Android).
In the second case, you want to make sure your local HTTP server configured to allow remote connections. The fact you can access it from a browser is great, try to access it from a browser on another computer in the same network. A similar issue was answered here.
If it's an emulator I don't think every emulator accesses the host through it's router's IP address, i.e. you should check to see for the emulator in question if it is in a sort of a VPN with your host machine and accesses it through an IP that's in a different class (usually 10.x.x.x if I remember) but it shouldn't work from the browser (on an emulator or device in question) so if that's the case, could you provide more info like is it an android or iOS, are you certainly accessing it through httpS and not http as you need to enable http on those recent mobile OS versions though the app's manifest?
Also if remote requests i.e. from other devices or emulator even are being blocked and just working locally then for a quick check try disabling your firewall, make sure it's not the problem, and enable it back on.
Hope something helps.
I am not sure of what it is called, but what happens is that my POST method request can be captured by a tool like (burp suite) and change the POST to GET.
Afterwards the process would still continue, but now it shows the parameters and its value in the URL.
How do I defend against this kind of attack?
The website is on ASP.NET C#.
Burp suite is a "man in the middle" (MITM) proxy with injection/manipulation capability. If your site is on http (not https), then yes: you are completely at the mercy of every intermediary that the traffic passes through. Change your site immediately to use https with a valid certificate.
For this to work on https, you need to deliberately break your machine, by installing a dodgy root certificate authority that will issue fake certificates for the sites it wants to MITM. This only passes your browser's security system because you broke your machine.
An attack that depends on the client already having been compromised is not an interesting attack from a server perspective. All you can reasonably do is protect intact clients. By using https and disabling http (non-TLS). You can do things like reject GET if you're expecting POST - but this doesn't change that the GET will have happened. But note:
the MITM proxy can already read the POST variables without needing to change them to GET: it is in complete control of the data
other intermediaries between the MITM proxy and your server cannot read the data regardless of whether it is GET or POST, as long as it is https (which is why you need to disable http, not just enable https)
the only thing you're changing with GET vs POST here is what appears in your own server logs... and it doesn't matter how you respond to the request at that point: it has already been logged, even if you return 404 or 500 or whatever
Here's the situation.
.Net c# App has not changed, IT group did "a lot of stuff" (new san, new routers & switches software, etc) app works fine, except all Jquery Ajax calls never return.
So obviously they changed something... In Dev tools in Chrome, I see the request go out, but it never receives a reply.
the server gets crippled by the pile up of hung threads, performance suffers horribly.
after 10k connections they have to bounce the server.
So of course now they want us to help them figure out what they did wrong.
What should I be looking for? My best guess is the wireshark the process and see where the last communications takes place.
after that I'm at a loss; what can cause this behavior?
If the server configuration has not changed, then I would look at firewall settings. Wireshark is an excellent tool - can the server send data out over port 80? Can the server send ANYTHING out over the wire? The server is receiving something obviously otherwise you wouldn't have all these connections. I know for Sonicwall firewalls, outbound access is wide open by default but I believe that Cisco ASAs require explicit permission (not positive on this). Are you using VLANs? If so, is the server blocked from the outside world while being tucked in its own lonely VLAN? Also, run netstat -a on the server to check the connections to help with troubleshooting.
How do I detect when a new computer has logged into my website?
The public IP address can be the same since you can share more than 1 computer via 1 internet connection.
I could use cookies but this will only detect a new browser not a new computer! 1 computer can have IE, firefox, chrome! Etc.
I expect (and hope) that this is impossible. If my browser is transmitting information that identifies my machine, then I want a new browser. Likewise, you should probably not be expecting to be able to receive such information.
Update
Seems like I have to update my expectations: https://panopticlick.eff.org/
You can use browser finger printing to do a pretty darn good job of distinguishing between computers that visit your site. It won't be 100% perfect but not far short.
There is no unique way to identify visitors to your website. All types of cookies get deleted at some point. You might be tempted to use flash cookies, since they don't depend on the browser but I strongly recommend against it since there is a huge legal debate on them.
Your only solution is to use a heuristic based on all the information you can gather on your visitor. This is called browser fingerprinting. Check out http://panopticlick.eff.org/ for the latest research on this topic.
You can check for the HTTP_X_FORWARDED_FOR header which should contain the machines Class C address (eg: 192.168.0.10) provided it was forwarded by a proxy.
you can set a cookie on client and check it in session_start ,its not 100% solution but can be a solution