I am trying to use curl command , but I keep on getting Authentication required error time and again.The part of reponse is shown below :-
"Authentication Required" response (307)
I am working on a network which is behind a proxy server. So have tried to provide the proxy authentication during the request too. But have not been successfull.
Please suggest a solution.
if the URL you are trying to access is behind a login wall, you need to supply the HTTP Header "Authorization".
for example, if the server accepts basic authorization:
header=Authorization, value="Basic user:password".
replace user and password with your account credentials.
see related answer: Setting authorization using CURL
Good Luck!
Related
We recently failed a pen test due to our implementation of Identity Server 4 not preventing a replay attack.
I have uploaded a simplified version of our setup to github to demonstrate what is going wrong.
https://github.com/adriver-kwiboo/id4-replay-attack-demo
Here are the steps to replicate:
Clone github repo
In VS start multiple projects (IdentityServer + API)
In VS Code navigate to Bebop.WebApp
npm install
npm start
Get a trial version of BurpSuite Pro: https://portswigger.net/burp/pro
Start a new temp project
Proxy
Options
Make sure Intercept Server response is ticked
On the Intercept tab
Click open browser
Navigate to http://localhost:3000
Click Login button
In Burpsuite click the "Intercept is off" to turn it on:
Input "alice" as username and password
In Burpsuite, Forward the first response
You should get a 302 as the second response:
Copy this response to Notepad
Turn off Intercept, and it will continue you back into localhost:3000
Click the Sign out button
Navigate back to http://localhost:3000
Click the Sign in button
Turn on Intercept back in Burpsuite.
Input an invalid username / password
Forward the first response
On the 200 response, where it displays the invalid username / password. Replace the response, with the text you previously copied into Notepad
Turn off Intercept
You will get an error page
Navigate to http://localhost:3000
Click the Sign in button
You will see that you are not prompted for the username / password, but instead logged straight in.
Is there something I am missing in my implementation? Or is this a limitation of Identity Server?
My expectation would be that if you tried to login with a previous response, it would validate that the response did not match the request and prevent logging in.
The oidc-client.js is checking something, as it throws the error about no matching state.
Should the front-end then inform the backend of the failure and remove the successful token from ID server? This feels like it could be intercepted as well, and ignored.
A big thank you to Brock Allen, he has helped me diagnose this.
Basically the response that I'm intercepting and replacing has the header to set the auth cookie.
Set-Cookie: idsrv.session=XXXX; path=/; secure; samesite=none
Set-Cookie: .AspNetCore.Identity.Application=XXXX
ID Server using ASP.NET Core's cookie authentication handler checks the cookie to make sure it hasn't expired, and the claim for the user's unique ID is read from it. That's how IdentityServer knows who the user is so it can issue tokens for them.
Brock has suggested I look into the profile service in ID server to see how I can use that to confirm the user is valid on the 2nd attempt.
I am trying build a winform app with openfin that has https authentication requirements.
I was able to bring up the embeddedView URl sites that don't have require login information.
To enable sso/login authentication and authorization,
I have tried passing cookie information as custom request Headers by adding them to the request.
Dictionary headers = Dictionary<object,object>();
and Add cookies and setting the "Set-Cookie" header to headers
I essentially do the following after
_appOptions.MainWindowOptions.CustomRequestHeaders.Add(headers);
subsequently, I initialize EmbeddedView with the following
embeddedView.Initialize(_runtimeOptions,_appOptions)
this however doesn't send any cookies to the app server. Can someone help to confirm if this is the right approach. How may I send cookies/authentication as part of requests for openfin forms/windows?
thanks
I started working on nodeJS token authentication and I encountered a weird issue. Is there any way I can make a link to the restricted page such that user sends Auth token to the server but without encoding it as a GET parameter in the request?
The only way I could solve it is to put the token into the session, but this solution kinda defeats the whole purpose of the token auth.
Any ideas?
Regardless of the technology (i.e. node), you want to send it as a header. In CURL, this is as simple as:
curl --header "token: ASDFASDFASJKDFLKL" http://www.example.com/protected
Depending on what you're using in node, you'll likely have a request (or req depending on how it's defined) parameter. Your header would be stored in request.headers
How do I send a request in curl via proxy which requires basic authentication? I've skimmed through the documentation of curl and found the options -p and --proxy-basic but how exactly I could use them I couldn't figure out.
Note I don't want to apply the proxy setting system wide, I only want to send a particular request via proxy.
Found the anwser myself after some more digging:
http://curl.haxx.se/docs/manual.html states
NOTE! According to the URL specification, HTTP URLs can not contain a user and password, so that style will not work when using curl via a proxy, even though curl allows it at other times. When using a proxy, you must use the -u style for user and password.
So I was doing it the wrong way :)
Answer:
https://unix.stackexchange.com/questions/119410/using-curl-to-access-basic-auth-protected-website-via-proxy-polipo
I need to call a SOAP webservice using curl..
The service needs a username(user1) but does not need a password..When I execute the below, its asking for password and when I click ENTER it throws an "404" error. The same request passes successfully on SOAPUI tool.
curl -v -H "Content-Type: application/octet-stream; charset=utf-8" \
-H "SOAPAction:" \
-d #soap.csv \
-X POST https://s.net/sotest/FileAttachmentService?wsdl \
-u user1
curl's -u parameter specifies the user/password for HTTP authentication.
All HTTP authentication schemes have a userid and a password, of some kind.
Your claim that you only need to provide a username suggests that username is really a parameter of your SOAP call, rather than used for HTTP authentication.
Another potential problem I can see is that SOAP is really just XML over HTTP, and most SOAP services typically use either text/xml or application/xml MIME content type, rather than application/octet-stream.
So, talk to whoever runs your SOAP service. Find out whether you are expected to use HTTP authentication or include a username parameter in your SOAP request, as well as the MIME type of your SOAP request.
I dont think that the problem is related to the user/pass as you'd get a 403 (permision denied) and not a 404 (not found) in case there is something wrong with the authentication information. It must be related to the URL. Are you sure that the complete URL is correct? You should take the "?wsdl" out of the URL-path, because this points to the location of the WSDL and not to the Webservice endpoint.