oAuth2 web request works in browser but not in app - azure

I have the following code sample with which I'm trying to authenticate an Azure active directory user within a Xamarin forms app
The URL (I've removed the actual client ID) works fine in a browser but fails when trying to send the http request
The error message says 'the response type must include client_id'
string URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
+ "client_id=xxxx-xxxxx-xxxxx-xxxxx-xxx"
+ "&response_type=code"
+ "&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient"
+ "&response_mode=query"
+ "&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read"
+ "&state=12345";
var webRequest = System.Net.WebRequest.Create(URL) as HttpWebRequest;
System.Console.WriteLine(URL);
if (webRequest != null)
{
webRequest.Method = "POST";
webRequest.ServicePoint.Expect100Continue = false;
webRequest.Timeout = 20000;
webRequest.ContentType = "text/html";
//POST the data.
using (requestWriter = new StreamWriter(webRequest.GetRequestStream()))
{
requestWriter.Write(postData);
}
}
HttpWebResponse resp = (HttpWebResponse)webRequest.GetResponse();
Stream resStream = resp.GetResponseStream();
StreamReader reader = new StreamReader(resStream);
ret = reader.ReadToEnd();

You put parameters in the URL, so you need to use GET method, instead of POST (like your browser does when you paste the URL in its address bar).
So, replace:
webRequest.Method = "POST";
by:
webRequest.Method = "GET";
and remove:
//POST the data.
using (requestWriter = new StreamWriter(webRequest.GetRequestStream()))
{
requestWriter.Write(postData);
}

Related

Create Purchase Receipt from REST API

I'm trying to use the new OpenAPI 2.0 setup in Acumatia 21R1 to create a PO Receipt. I've tested creating several other types of records (eg: StockItems) and virtually the same code works perfectly. This instance of Acumatica has several tenants but no branches.
I've also used this same code put pointed it to an instance of Acumatica that has one tenant and multiple branches, and as long as I set the branch it works fine.
When I run it I get "curyid can not be null". This leads me to believe that somehow it's not figuring out the branch or tenant correctly, but if I use the same login code I can pull data from those tenants just fine. I've also tried passing the json directly and including the curyid set to USD, but that has the same effect.
Any thoughts on what I am doing wrong?
private createPOR()
{
string baseURL = "https://acumatica.[good url goes here].com/AcumaticaPWS";
string strLogin = baseURL + "/entity/auth/login";
var client = new RestClient(strLogin);
var request = new RestRequest(Method.POST);
request.AddHeader("Accept", "application/json");
request.AddHeader("Content-Type", "application/json");
string strBody = "{ \"name\": \"admin\", \"password\": \"[proper password]\", \"tenant\": \"PWS Milwaukee\", \"branch\": \"\"}";
request.AddJsonBody(strBody);
IRestResponse response = client.Execute(request);
txtResults.Text = response.Cookies.SingleOrDefault(x => x.Name == ".ASPXAUTH").Value.ToString();
RestResponseCookie sessionCookie = response.Cookies.SingleOrDefault(x => x.Name == ".ASPXAUTH");
// Create the new one for send the data.
string strItems = baseURL + "/entity/Default/20.200.001/PurchaseReceipt";
client = new RestClient(strItems);
request = new RestRequest(Method.PUT);
request.AddCookie(sessionCookie.Name, sessionCookie.Value);
request.AddHeader("Accept", "application/json");
request.AddHeader("Content-Type", "application/json");
PurchaseReceipt theRec = new PurchaseReceipt{ Type = new StringValue { Value = "Receipt" },
VendorID = new StringValue { Value = "V1002" }
};
// BaseCurrencyID = new StringValue { Value = "USD" },
// CurrencyID = new StringValue { Value = "USD" }
request.AddJsonBody(JsonConvert.SerializeObject(theRec));
response = client.Execute(request);
txtResults.Text += Environment.NewLine + "Response" + response.StatusCode.ToString();
// Setup to log out.
string strLogout = baseURL + "/entity/auth/logout";
client = new RestClient(strLogout);
request = new RestRequest(Method.POST);
request.AddHeader("Accept", "application/json");
request.AddHeader("Content-Type", "application/json");
response = client.Execute(request);
txtResults.Text += Environment.NewLine + response.StatusCode.ToString();
}
Like Samvel mentioned in the comments this issue is usually the result of not having provided the Branch during the login.
But once the Branch has been provided it still needs to be provided as a cookie for the other request down the line.
That cookie should have the name "UserBranch" with its value being an integer that should be returned from the login request.

How to configure the user_token of Damn Vulnerable Web Application within CSRF field while Script based authentication using ZAP?

I had been following the documentation of Script Based Authentication for Damn Vulnerable Web Application using ZAP. I have navigated to http://localhost/dvwa/login.php through Manual Explore which opens up the DVWA application on my localhost as follows:
and adds the URL to the Default Context.
I've also created the dvwa script with the following configuration:
and modified the dvwa script:
Now when I try Configure Context Authentication, dvwa script does gets loaded but the CSRF field doesn't shows up.
Additionally, POST Data doesn't even shows up but Extra POST Data is shown.
Am I missing something in the steps? Can someone help me out?
The modified script within the documentation of Script Based Authentication section for Damn Vulnerable Web Application using ZAP
seems incomplete.
The complete script is available at Setting up ZAP to Test Damn Vulnerable Web App (DVWA) which is as follows:
function authenticate(helper, paramsValues, credentials) {
var loginUrl = paramsValues.get("Login URL");
var csrfTokenName = paramsValues.get("CSRF Field");
var csrfTokenValue = extractInputFieldValue(getPageContent(helper, loginUrl), csrfTokenName);
var postData = paramsValues.get("POST Data");
postData = postData.replace('{%username%}', encodeURIComponent(credentials.getParam("Username")));
postData = postData.replace('{%password%}', encodeURIComponent(credentials.getParam("Password")));
postData = postData.replace('{%' + csrfTokenName + '%}', encodeURIComponent(csrfTokenValue));
var msg = sendAndReceive(helper, loginUrl, postData);
return msg;
}
function getRequiredParamsNames() {
return [ "Login URL", "CSRF Field", "POST Data" ];
}
function getOptionalParamsNames() {
return [];
}
function getCredentialsParamsNames() {
return [ "Username", "Password" ];
}
function getPageContent(helper, url) {
var msg = sendAndReceive(helper, url);
return msg.getResponseBody().toString();
}
function sendAndReceive(helper, url, postData) {
var msg = helper.prepareMessage();
var method = "GET";
if (postData) {
method = "POST";
msg.setRequestBody(postData);
}
var requestUri = new org.apache.commons.httpclient.URI(url, true);
var requestHeader = new org.parosproxy.paros.network.HttpRequestHeader(method, requestUri, "HTTP/1.0");
msg.setRequestHeader(requestHeader);
helper.sendAndReceive(msg);
return msg;
}
function extractInputFieldValue(page, fieldName) {
// Rhino:
var src = new net.htmlparser.jericho.Source(page);
// Nashorn:
// var Source = Java.type("net.htmlparser.jericho.Source");
// var src = new Source(page);
var it = src.getAllElements('input').iterator();
while (it.hasNext()) {
var element = it.next();
if (element.getAttributeValue('name') == fieldName) {
return element.getAttributeValue('value');
}
}
return '';
}
Using this script, CSRF Field and POST Data field shows up just perfect.

Trying to get all records of a generic list using Sharepoint and Microsoft Graph api

When trying to get records of a list in SharePoint i keep getting Response like:
{"#odata.context":"https://graph.microsoft.com/beta/$metadata#users('123')/sharepoint/sites('456')/lists('789')/items","value":[]}
I was able to run through all sites and lists but still fail on items. The list has the GenericList template. However on another list with the template DesignCatalog i were able to get all items. Is "/items" the wrong way to get records of a generic list?
Here is a snippet of my current Code:
const string serviceEndpoint = "https://graph.microsoft.com/beta/";
HttpClient client = new HttpClient();
var token = await _authenticationHelper.GetTokenAsync();
client.DefaultRequestHeaders.Add("Authorization", "Bearer " + token);
// get the site
HttpResponseMessage responseGetSites = await client.GetAsync(new Uri(serviceEndpoint + "sharePoint:/Intranet"));
if (responseGetSites.IsSuccessStatusCode)
{
string responseContent = await responseGetSites.Content.ReadAsStringAsync();
var jResult = JObject.Parse(responseContent);
siteItem = JsonConvert.DeserializeObject<SiteItemModel>(jResult.ToString());
// get all lists with the given site id
HttpResponseMessage responseGetLists = await client.GetAsync(new Uri(serviceEndpoint + "sharepoint/sites/" + siteItem.SiteId + "/lists"));
if (responseGetLists.IsSuccessStatusCode)
{
string responseContent2 = await responseGetLists.Content.ReadAsStringAsync();
var jResult2 = JObject.Parse(responseContent2);
foreach (JObject listresponse in jResult2["value"])
{
ListItemModel desiralizedItemModel = JsonConvert.DeserializeObject<ListItemModel>(listresponse.ToString());
listItemCollection.Add(desiralizedItemModel);
}
// find a specific list
string listId = listItemCollection.Where(w => w.listName == "MyTestlist").First().listId;
// get all records with of the given list
HttpResponseMessage responseGetItems = await client.GetAsync(new Uri(serviceEndpoint + "sharepoint/sites/" + siteItem.SiteId + "/lists/" + listId + "/items"));
if (responseGetItems.IsSuccessStatusCode)
{
string responseContent3 = await responseGetItems.Content.ReadAsStringAsync();
var jResult3 = JObject.Parse(responseContent3);
I had the same problem. I had to add "Sites.ReadWrite.All" permission under MS Graph, not under sharepoint (I was writing to the list as well, but "Sites.Read.All" should work).

HTTP Request from plugin - One or more erros occured

I have been trying to make a HTTP POST request from plugin without lucky.
I have the same code working fine in my console appication however in plugin I get the following error: "One or more erros occured". I tried to run it asynchronously but it did not work as well.
I really appreciate any idea, thank you!
var client = new HttpClient();
var queryString = HttpUtility.ParseQueryString(string.Empty);
// Request headers
client.DefaultRequestHeaders.Add("Ocp-Apim-Subscription-Key", "KEY");
// Request parameters
queryString["chave"] = "key2";
queryString["codigo_obra"] = codigoObra;
queryString["codigo_bloco"] = codigoBloco;
queryString["codigo_unidade"] = codigoUnidade;
queryString["codigo_planta"] = codigoPlanta;
var uri = "http://test?" + queryString;
HttpResponseMessage response;
// Request body
byte[] byteData = Encoding.UTF8.GetBytes("");
using (var content = new ByteArrayContent(byteData))
{
content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
//This line gives me the error.
response = client.PostAsync(uri, content).Result;
}

Windows Azure Cloud App - Could not create SSL/TLS secure channel

I am trying to pull JSON from a customer's website, but I get this error.
The code works my local machine.
For other sites, both on my local machine and on the server, the code works.
The site is https://www.vapedepot.ca/wc-api/v1
Does he have a special SSL cert where I need to change my code? Here is my code:
string GetJson(string url)
{
string resultData = string.Empty;
HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);
myHttpWebRequest.Accept = "application/json";
myHttpWebRequest.Timeout = 6000;
//myHttpWebRequest.ContentType = "application/x-www-form-urlencoded";
string userP = m_UserName + ":" + m_Password;
byte[] authBytes = Encoding.UTF8.GetBytes(userP).ToArray();
myHttpWebRequest.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(authBytes));
WebResponse httpResponse = myHttpWebRequest.GetResponse();
Stream responseStream = httpResponse.GetResponseStream();
StreamReader reader = new StreamReader(responseStream);
resultData = reader.ReadToEnd();
responseStream.Close();
httpResponse.Close();
return resultData;
}
He is using CloudFlare and the SSL uses ecdsa.
I had the same issue. I swapped to using RestSharp to make my secure web requests and it resolved my issue.

Resources