Beanstream errorType values - beanstream

According to their API documentation, the errorType field can return either N, S, or U. I assume N = None because that's returned upon success.
What do S and U mean?

From a Beanstream integration document:
The errorType response variable will indicate “U” if a form field error
occurs. The errorFields variable will contain a list of fields that failed validation. errorMessage will contain descriptive text that may be displayed to customers if desired.
And:
System generated errors can be identified in a Server to Server integration by a response message “errorType=S” in the Beanstream response string. If a system generated error occurs, validate your integration and website setup.

Related

web2py SQLFORM can't check unique=True when used with requires=IS_LENGTH()

SQLFORM doesn't show an error message when the data has the same value as an existing row; it is accepted and then the error appears.
PS: my goal is to create a field that contains a 13-digit number which is not the same as any other.
I tried deleting requires=IS_LENGTH(maxsize=13,minsize=13); then the SQLFORM works fine, but with that method I can't check whether the string is 13 characters long or not.
db.define_table('person',
    Field('h_id_card', unique=True, requires=IS_LENGTH(maxsize=13, minsize=13))
)

def add():
    form = SQLFORM(db.person).process()
    return locals()
I expected the SQLFORM to show an error message instead of accepting the value.
This is what I expect.
From the book:
Notice that requires=... is enforced at the level of forms, required=True is enforced at the level of the DAL (insert), while notnull, unique and ondelete are enforced at the level of the database. While they sometimes may seem redundant, it is important to maintain the distinction when programming with the DAL.
Because unique=True translates to the UNIQUE SQL statement, when an insert/update violates the uniqueness constraint, you simply get an error from the database, which generates an exception in the database driver, which ultimately generates an exception in your app code if you don't catch it.
If you instead want to enable form validation for the uniqueness requirement, you should use the IS_NOT_IN_DB validator:
Field('h_id_card',
      requires=[IS_LENGTH(maxsize=13, minsize=13), IS_NOT_IN_DB(db, 'person.h_id_card')])
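The distinction the answer draws (form-level validators versus a database UNIQUE constraint) is easy to see outside web2py. The following is an added example, not code from the question, the answer or web2py itself: it builds a constructed in-memory SQLite table with the same UNIQUE constraint that unique=True produces, then contrasts an insert that relies on the constraint alone (the duplicate surfaces as a driver exception) with an insert guarded by checks equivalent to IS_LENGTH and IS_NOT_IN_DB (the duplicate surfaces as a form error message). The function and table names are assumptions for the illustration.

```python
import sqlite3

ID_CARD_LEN = 13  # mirrors IS_LENGTH(maxsize=13, minsize=13)


def make_db():
    """Constructed schema: unique=True in the model becomes UNIQUE on the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (id INTEGER PRIMARY KEY, h_id_card TEXT UNIQUE)"
    )
    return conn


def validate_h_id_card(conn, value):
    """Form-level checks in the spirit of IS_LENGTH + IS_NOT_IN_DB.

    Returns a list of error messages; an empty list means the value is valid.
    """
    if len(value) != ID_CARD_LEN:
        return ["enter %d characters" % ID_CARD_LEN]
    exists = conn.execute(
        "SELECT 1 FROM person WHERE h_id_card = ?", (value,)
    ).fetchone()
    if exists:
        return ["value already in database"]
    return []


def insert_unvalidated(conn, value):
    """unique=True alone: a duplicate is rejected by the database, so the
    application sees an IntegrityError instead of a form error."""
    try:
        conn.execute("INSERT INTO person (h_id_card) VALUES (?)", (value,))
        return "inserted"
    except sqlite3.IntegrityError as exc:
        return "IntegrityError: " + str(exc)


def insert_validated(conn, value):
    """requires=[...] style: validate first, insert only when no errors."""
    errors = validate_h_id_card(conn, value)
    if errors:
        return errors
    conn.execute("INSERT INTO person (h_id_card) VALUES (?)", (value,))
    return []


if __name__ == "__main__":
    db = make_db()
    print(insert_validated(db, "1234567890123"))    # [] (accepted)
    print(insert_validated(db, "1234567890123"))    # ['value already in database']
    print(insert_validated(db, "123"))              # ['enter 13 characters']
    print(insert_unvalidated(db, "1234567890123"))  # IntegrityError: UNIQUE constraint failed ...
```

The validated path queries the table before inserting, which is exactly what IS_NOT_IN_DB does for you; note that this is a check-then-act sequence, so the UNIQUE constraint is still worth keeping as the backstop against two concurrent submissions of the same value.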

Customizing Validate Node Error Message in OSB 12c

When we add a Validate node in OSB 12c to validate the incoming request against an XSD and the validation fails,
some fault messages display the name of the field that caused the validation error. But for decimal values only, the fault message just says "Invalid decimal Value" with no mention of the field from which the error is thrown. Can we overcome this issue?
I am not sure this is a direct solution, but there is a workaround which may suit your need.
Create an XQuery which validates the payload and throws custom error messages.
E.g., for an XML element which should contain a decimal value abc:
(: $a holds the element value being checked; raise a custom error if it fails :)
if ($a instance of xs:long)
then ()
else (fn:error(xs:QName('Your error code'), 'your error message'))
This is a suitable method if the payload is small.
https://gibaholms.wordpress.com/2013/09/24/osb-throw-exception-in-xquery1
If the payload is large:
Identify the fields which are likely to have these types of issues.
Create an XQuery for validating these fields with error messages.
Use the Validate node inside a stage and use a stage error handler.
Validate the payload using the XQuery inside the stage error handler.

Loopback 3 discards error information on multiple validation errors, turning 422 to 500, how can I solve that?

I'm migrating from Loopback 2 to 3.
I currently have an issue with validation errors and strong-error-handler.
When I post a bulk create which results in multiple validation errors, those get returned as an array of ValidationErrors.
Those errors get grouped by strong-error-handler into a 500 internal server error, which is how it was before, but the details of the errors get discarded when debug is set to false.
In my example I upload an array of tags, but for each tag, a uniqueness validation is executed. When 2 or more tags are already in the database, I have an array of errors instead of a single validation error.
I need a way to determine why the validation failed on the client side, but the details of the errors are discarded now.
Am I doing something wrong here, or should this be considered a bug?
From the strong-error-handler documentation for LoopBack:
In production mode, strong-error-handler omits details from error responses to prevent leaking sensitive information:
More information
For 5xx errors, the output contains only the status code and the status name from the HTTP specification.
For 4xx errors, the output contains the full error message (error.message) and the contents of the details property (error.details) that ValidationError typically uses to provide machine-readable details about validation problems. It also includes error.code to allow a machine-readable error code to be passed through which could be used, for example, for translation.
Am I doing something wrong here, or should this be considered a bug?
No, this is the intended behaviour.
Safe error fields
You can set the stack trace as a "safe error field" so that it will be displayed in production.
For example, the stack field is not displayed by default if you run LoopBack in production mode.
If you still want to display the stack field, then change the config JSON in server/middleware.json:
"final:after": {
  "strong-error-handler": {
    "params": {
      "safeFields": ["stack"]
    }
  }
}

BizTalk: Getting error in Promoted Property

I am getting the error below when I run the orchestration and try to assign a value to a promoted property by reading the value of another promoted property.
Error in Suspended Orchestration:
Inner exception: There is no value associated with the property BankProcesses.Schemas.Internal_ID' in the message.
Detail:
I have 2 XSD schemas, 1 for calling a stored procedure and reading its response and another to write it into a flat file. The internal ID returned in the response from the SP needs to be passed to a node in the other XSD schema to write to a flat file format.
I have promoted an element from the response schema and also promoted an element from the schema used to write to the flat file. I am assigning the value to the promoted properties as below:
strInternalId = msgCallHeaderSP_Response(BankProcesses.Schemas.Internal_ID);
msgCallSP(BankProcesses.Schemas.Header_Internal_ID) = strInternalId;
But when I run the orchestration I get the error mentioned above. I have checked the response from the stored procedure and the response XML does contain a value, but I am unable to assign that value to the other schema. Please advise.
Thanks,
Mayur
You can use exists to check the existence of the property.
if (BankProcesses.Schemas.Internal_ID exists msgCallHeaderSP_Response)
{
    strInternalId = msgCallHeaderSP_Response(BankProcesses.Schemas.Internal_ID);
    msgCallSP(BankProcesses.Schemas.Header_Internal_ID) = strInternalId;
}
One scenario that might cause this error is that there is no Header_Internal_ID element in the message you are trying to modify. Can you inspect the message before modification to ensure that there is an element whose value should be changed? Drop the message out to a file location, maybe.
If this is the case, then just ensure that you create this element when you instantiate your message for the first time, even if you initially set it to an empty element.
HTH
To check if the property exists, you can use this syntax:
BMWFS.LS.BizTalk.CFS.BankProcesses.Schemas.Internal_ID exists msgCallHeaderSP_Response
However, if the source field would always be there, you have to work backwards to find out why the property is not appearing in the Context.
If it's coming from a Port, is the message passing through an XmlDisassembler component? If it's coming from another Orchestration, are you actually setting the property?
The easiest way to look at the Context is to route the message, msgCallHeaderSP_Response, to a stopped Send Port. You can then view the Context in BizTalk Administrator.

How can I automate testing a website for sql injection vulnerabilities

Here's a basic plan. I'm happy to produce anything resembling success, it's a Uni project. Pseudo code is great.
1. Spider the site.
2. Search for forms on each page.
3. Submit each form without filling in the details to elicit a guaranteed fail.
4. Fill in the first field on the form with '-- .
5. Submit the form and compare the response to the fail (elicited by 3).
6. If the response (elicited by 5) is different (from the fail) then assume vulnerability.
7. If the same (response = fail) then return to 4, but move to the next field.
8. If no more fields remain, move to another page.
...
However, 6. is clearly both the critical part of the application and wrong. For example, a page might respond like this:
Error: '-- is not a valid user name.
Where in stage 4. the response was:
Error: is not a valid user name.
Or
Error: username must be a minimum of 6 characters.
It seems like at (4), you want to try sending some benign values first so you can see what type of page is returned under normal conditions.
For example, generate a random three-letter "user name" and submit it. You'll probably get a response like "Error: bfw is not a valid user name". or "Error: username too short".
Once you've done that, you can send your string attempting SQL injection and see if the result is qualitatively different. So if you send '-- and get the same result as you did when you sent your random benign "username", it's probably not vulnerable. On the other hand, if you get a response back that's different and includes text like "Warning, you have an error in your SQL at line 1..." then it's probably vulnerable. (It doesn't have to spit out warnings for you to conclude it's vulnerable, though. Even a generic error page might indicate vulnerability if it's substantially different to the response you got from your benign data.)
"SQL Injection Attacks and Defense" by Justin Clarke offers a number of tests to discover and confirm SQL injection vulnerabilities; here's my summary of page 65.
Error triggering
"Send ' or '-- and expect to receive an error."
An error message or 500 server error indicates vulnerability. Responses tidily containing ' or '-- (as in user ' or '-- is not available with that password...) probably aren't vulnerable unless it's a stack trace.
Always true condition
"Send 1' or '1'='1 or 1') or ('1'='1 and expect to receive every entry in the database."
A site can be assumed to be vulnerable when the response code is 200 and the attack string is not received in the response. Pages containing the word 'error' or the attack string indicate resistance, as does a 500.
No condition
"Send value' or '1'='2 or value') or ('1'='2 and expect a vulnerable app to respond as though it had only received value."
Always false condition
"1' and '1'='2 or 1') and ('1'='2. If successful, it returns no rows from the table."
Microsoft SQL Server concatenation
"1' or 'ab'='a'+'b or 1') or ('ab'='a'+'b. If successful, it returns the same information as an always true condition"
MySQL concatenation
"1' or 'ab'='a' 'b or 1') or ('ab'='a' 'b. If successful, it returns the same information as an always true condition"
Oracle concatenation
"1' or 'ab'='a'||'b or 1') or ('ab'='a'||'b. If successful, it returns the same information as an always true condition"
Further examples are included throughout the book.
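Both answers reason about responses without showing what the test strings do at the database, which is what decides whether a page is actually vulnerable. The following is an added example, not code from the question, either answer or Clarke's book: it runs the page's own probe strings (a benign value, the error-triggering quote, the always-true and always-false conditions, and the '-- comment) against a constructed in-memory SQLite table, once through a string-concatenated query and once through a parameterized one. The table rows and function names are assumptions for the illustration; SQLite is used because it ships with Python, so concatenation behaviour of other engines (for example the +, space and || concatenation tests in the book) is not reproduced here.

```python
import sqlite3

# Constructed sample table: three users, so "every entry" is easy to recognise.
SAMPLE_USERS = [("alice", "pw1"), ("bob", "pw2"), ("carol", "pw3")]

# The probe strings quoted on the page, keyed by the book's category names.
PROBES = {
    "benign": "bfw",                  # random three-letter user name, as the first answer suggests
    "error_triggering": "'",          # unbalanced quote -> syntax error
    "always_true": "1' or '1'='1",    # expect every row back
    "always_false": "1' and '1'='2",  # expect no rows back
    "comment": "'--",                 # the question's own step-4 string
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """String-concatenated query: user input becomes part of the SQL text.

    Returns the matching user names, or a 'DB error: ...' string where a real
    application would typically emit the 500 / stack trace the scanner looks for.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        return "DB error: " + str(exc)


def lookup_parameterized(conn, username):
    """Bound parameter: the input is only ever compared as a literal value,
    so none of the probe strings can change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def run_probes(conn, lookup):
    """Apply every probe through the given lookup; returns {category: result}."""
    return {label: lookup(conn, value) for label, value in PROBES.items()}


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name)
        for label, result in run_probes(db, fn).items():
            print("  %-17s %r" % (label, result))
```

Through the concatenated query the always-true probe returns all three users and the lone quote raises a database error, which is the pair of signals the second answer's summary relies on; note that '-- returns an empty result rather than an error here, because SQLite honours -- as a comment, so a scanner keyed only on that string would miss this query. Through the parameterized query every probe, benign or not, simply returns no rows, because no user name equals those literals.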
