Is it advisable to configure a URL with both post and get? - security

I have a link on my page that redirects to another page but the request is sent through POST method. Now when the user refreshes the new page the request is sent through GET method. The URL is just used to display a page. My question is, is it advisable to use both POST and GET for the same URL call or will it cause problems related to security or any other? If so please do explain how.

No. Use POST if the link is executing an unsafe action (e.g. logout, change password) or it is sending sensitive data you do not want displayed in the URL (URLs are logged by default in the browser history and by many appliances, proxies and web servers). POST can also be used when a large amount of information is to be sent.
Otherwise use GET.

Related

How to implement logic based on external redirects?

I'm building a website for a client (real estate), and on the website are links to a different website (adverts for properties). My client routinely activates and deactivates these adverts when he rents out a certain property.
The hrefs on my links look something like this:
<a href="https://domain.xx/estate/idxx/des-crip-tion-xx-xx-x-xx/">. If the advert is indeed active, it just takes them to the advert. If it is not active, however, the website in question redirects the user to https://domain.xx/estate-for-rent/city/, effectively sending the users to my client's competition.
I wish to implement some logic where, before handing the users over to the other website, the server checks to see if it is redirected to https://domain.xx/estate-for-rent/city/, or some similar logic, and if so, uses preventDefault, or something, and notifies the user that the advert is not available instead of sending them to the other website.
I wonder if I can use the fact that only if the advert is active does the resulting url in the users browser window (after they've been directed to the other website) match the url in my href. Can i somehow get the server to try to access the url in my href, and have it see where it gets redirected, and then do something based on that? On the back-end, I'm running NodeJS with Express by the way, and if it matters, I'm relying heavily on EJS for templating. Thanks in advance for any help!
This sounds more like a problem you could solve on the client as opposed to the server. For example, at a high level here's how I would do it:
Handle the click event for each link (really simple to do a catch-all with jQuery)
Fire off a HEAD request via AJAX to the destination URL (this would be much more efficient than a GET but depends on the external service supporting this verb)
Use the status code to determine what to do next (e.g. 2xx allow redirect, 3xx pop a message and block)

Node.js / Express Passing Data Between Pages Without Messing Up RESTful Routing

I have an Express app, where the landing page invites people to enter their email address and then click on "Sign Up" or "Log In", depending on whether they have an account yet or not.
The user is then taken to "/signup" or "/login", via a POST request so that the email address they entered can be passed along.
But now that I've used POST for both of these routes, I have to POST to another URL to process their sign up data or log in credentials, like app.POST("/register") and app.POST("/enter"). This feels pretty sloppy, and definitely messes with the RESTful routing that I'd like to stick to.
I know I can pass the data through the URL via a GET request, but I don't really like that solution either.
What's the best approach to take in this situation? Should I just use GET requests and stop being so fussy? Or is there another way I haven't though of yet?
Thank you kind peoples!
I can see why you feel this messes with the RESTful approach, and an alternative method would be to store the email address client-side and not POSTing it to the server - until they actually sign up.
You could use the LocalStorage Web API to store the email address in the client browser, and then load it when the user hits the /signup route.
let email = document.querySelector('input[name="email"]').value
localStorage.set('email', email)
then later on when the user hits the /signup route you would do:
let email = localStorage.get('email')
document.querySelector('input[name="email"]').value = email
This would have to be in a <script> tag for the two routes.
You could also use sessionStorage which gets cleared when the user closes their browser, while localStorage is a permanent storage solution.
You can use /signup and /login GET request for rendering UI. And /signup and /login POST requests for processing

How can I create an authenticated scraper for Amazon product detail in Node.js?

I'm creating a script that grabs all the shipped items from Amazon and notifies me.
Authentication is needed to see the products though.
I've already tried sending a post request through "request" which returns an error because of the cookies and extra parameters needed.
It would be easy using cheerio afterwards to get the data if the authentication works.
Does anyone have any idea on how we can authenticate successfully?
The link from the email is: https://www.amazon.com/ap/signin/185-3199906-8918341?_encoding=UTF8&accountStatusPolicy=P1&openid.assoc_handle=usflex&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.pape=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.pape.max_auth_age=0&openid.return_to=https%3A%2F%2Fwww.amazon.com%2Fgp%2Fyour-account%2Forder-details%2F185-3199906-8918341%3Fie%3DUTF8%26eoid%3D1%253A1%253Arv%252FYwjiYmnOZY9MYltVnDyf2l6p5pMkMx9deoUeiiw%252FKpPrtZrWqs5l1GGQPVb%2520qaJqHXyCkPEpLZnmDZamKkVDWhtu3dKlW5Gx7Uvxtzs0xlPJ25vduijJrPpHt79P%2520RRZHopOtAyOP4s82VLoeeiDQgq%2520FCP540H%2520UYAV7goZQxB29WObWAVh8VveTwEeWenY3sTx8ZI9%252FBLM2BSqS3IUIURW8mzMnAB9t7wglUiAcoR%252FcUhSIx%25201eNV4MspVAp7fLkeANag72BxgmsjFfRhnsxfji1VhZXLawqFeK9SBnvbUfkNWUC%2520IXWh6VcuoStBG3x%2520ZUkzGHw1ORi4J%2520Hg%253D%253D%26orderID%3D105-6914722-5422613%26ref_%3DTE_simp_on_T1&pageId=webcs-yourorder&showRmrMe=1
You cannot guarantee any of the form input values of the sign in page. So you must also scrape the login form.
Here is the process:
In your server, make Request to the URL in your question
Using Cheerio parse the DOM and grab all of the form fields from "#ap_signin_form".
Add in your data (Username/Pass) then make a POST request to the form action "https://www.amazon.com/ap/signin" (This should also be scraped)
Hopefully that will get you past the login screen. You will need to ensure all future requests pass the cookies set from login.
Now this kind of thing is clearly against most TOS's so I would urge caution in doing this kind of thing often.

What is Google Analytics' __utm.gif used for?

What is Google Analytics' __utm.gif used for (You know that 1px × 1px gif image that loads on every page with Google Analytics)?
I see my screen resolution and other stuff in the URL. Is that how they send all the site's data back to their servers? With a get request on an image? Cause that's kinda uber clever!
it is a web beacon. Read this: https://en.wikipedia.org/wiki/Web_beacon
The image is dynamically generated and the URL is linked to your account.
When you request the image, Google knows your IP address and some other basic info and can deduce your location, the time of the request, your browser, etc.
The main reason, though, is cross-site-scripting. Requesting an image is easier and completely cross-browser, as you'd have to use JSON to send a request with that information back to Google.
Is that how they send all the site's data back to their servers?
Yes.
Yes, you are correct. This request is used to send Google details about a particular page request, namely:
URL pageview information
Campaign information
Ecommerce data
Browser properties
Visitor IDs

Is it possible to tell browser not to POST again (w/o redirect)?

If F5 is pressed after a POST request has been issued, browser will ask, whether the user wants to resubmit the post data. However, if redirect follows the POST request, no dialog appears. Is it possible to disable that dialog for a single page without redirecting the user?
No, this is built in behavior of the browser and can't be overridden.
Redirecting after the post is the easiest option to avoid the effects of reposting, there are other options to avoid issues with reposting but if it is to the same URL, you will still get the browser dialog.

Resources