req.body returning "Forbidden" - node.js

In my node.js express app I'm submitting a form to an action on a controller.
All this controller does is:
send(req.body)
(I'm using RailwayJS, but that's not all that important to this question, I don't think.)
I'm doing this to get the values in the form.
However, it comes back as 'Forbidden'.
If I restart node and refresh the page (confirming I want to post back), then I get the desired result...
Any idea how to get the values of the form without restarting?

I think this is related to the 'protect from forgery' beforeFilter. Do you pass authenticity_token with your POST?
Possible solution: skipBeforeFilter('protect from forgery'); -- it disables CSRF protection
Better solution: use the form_for helper, or pass authenticity_token manually. Check the API docs to learn more about CSRF protection: http://jsdoc.info/1602/express-on-railway/helpers.html#instance/csrf_tag

Related

how to extract token generated by js script (challenge.flood.io)

I am currently studying Gatling for performance testing; I am new to both. Doing the task, I have got stuck on the step where I need to get a token to pass it as a parameter to get to the other page.
The difficulty for me is that the token is absent from the body; it is generated by a script, so I cannot get it with ...check(css(... or check(regex(...
I tried to get the token by css and regex, getting an empty result:
.exec(
http("Step 5 page")
.get("${redirection}")
.check(status.is(200))
.check(substring("Step 5"))
.check(css("input[name='challenger[step_id]']", "value").find.saveAs("step_id"))
.check(css("input[name='challenger[step_number]']", "value").find.saveAs("step_number"))
.check(css("input[name='commit']", "value").find.saveAs("commit"))
.check(css("span.token").find.saveAs("one_time_token")))
How can I get the token?
It's pretty clear from this code that the page is performing an extra ajax request to the /code url to fetch the token and then display it in the page.
You'll find the value in there (you can see this HTTP request a few lines below in the Network tab).
Note: in order to learn Gatling you should probably check the Gatling Academy.

Prevent showing the UI5 app internal page without successful authentication

OpenUI5 version: 1.86
Browser/version (+device/version): Chrome Dev
Upon the authentication I validate the user session:
if (isUserSessionValid) {
const oRouter = UIComponent.getRouterFor(this);
oRouter.navTo("overview");
} else {
this.getOwnerComponent().openAuthDialog();
}
If isUserSessionValid is true, then I forward the user to the internal page, otherwise I show the login dialog.
The problem, however, is that a user can change the value of isUserSessionValid in DevTools and then get forwarded to the UI5 app internal page. Of course, due to the lack of a valid session, no piece of the business data will be displayed, just an empty UI5 app template, but I would like to prevent even that screen.
If it were a classical webapp, I would just send an appropriate server response with a redirect to the login page (e.g. res.redirect(403, "/login");). But, if I understand it correctly, since I'm sending an asynchronous request, a plain res.redirect won't work out and I'm required to implement the redirection logic on the UI5 client, which can be manipulated and bypassed by the user.
How do I prevent manipulation of the view navigation in UI5 and ensure that an unauthorized user can't get any piece of the UI5 app code?
The answer from SAP:
If you want to prevent an unauthorized user from accessing the client-side code (e.g. view/controller) you need to enforce authorization on the server also for those static files. When bundling the application code you also need to ensure that those files are separate from the "public" files. One approach would be to have 2 separate components, one for the public page/auth dialog and one for the actual application.

How to access "current logged-in user" in remote methods?

Recently, in one of my applications, I needed to access the currently logged-in user's data to save it in another model (something like the author of a book or the owner of a book). In my googling I encountered these references, but none of them was useful.
https://github.com/strongloop/loopback/issues/1495
https://docs.strongloop.com/display/public/LB/Using+current+context
...
All of them have this problem about accessing the context or req object. After three days I decided to switch to the afterRemote remote hook and add Owner or Author at that stage.
But something was wrong with this solution.
In StrongLoop's documentation (https://docs.strongloop.com/display/public/LB/Remote+hooks) there is a variable ctx.req.accessToken that holds the currently logged-in user's access token, but in the application this variable is undefined.
Instead, I found the access token in ctx.req.query.access_token, and it was the access_token variable that is currently sent to the server.
Here is my problem:
Is this variable (ctx.req.query.access_token) always available, or is it just because loopback-explorer sends access_token as a GET variable?
In production mode do applications need to send access_token as a GET variable, or should it be sent as Authorization in the header?
Why is ctx.req.accessToken undefined?
Could these things change over time? Most users encounter this problem due to the deprecation of app.getCurrentContext().
Is this variable (ctx.req.query.access_token) always available, or is it just because loopback-explorer sends access_token as a GET variable?
Well, if your application always sends it in the query string, then it'll always be available for you, but it can also be sent in the header, or a cookie, or in the request body. I don't suggest using it, because if the user is logged in and the access token is valid then ctx.req.accessToken should be available and you can use it.
In production mode do applications need to send access_token as a GET variable, or should it be sent as Authorization in the header?
I believe the Authorization header is preferred, as if you send it in a GET variable it'll be visible in the logs, and someone with access to the logs can access the session (well, unless you trust everyone); other than this it's fine to have it in a GET variable. Though I believe the LoopBack client SDKs (Angular, Android, iOS) all send it via the Authorization header by default, so you might have to configure them (maybe not possible).
Why is ctx.req.accessToken undefined?
Sometimes the context is lost thanks to the database drivers' connection pooling, or the request (ctx.req) is lost and they are null.
Assuming ctx.req is defined (because sometimes it's not), then probably that means the user is not logged in, or their access token wasn't valid (expired or not in the database). Also it could be a bug (maybe a misconfiguration on your side), which also means you will have authentication problems.
Could these things change over time? Most users encounter this problem due to the deprecation of app.getCurrentContext().
app.getCurrentContext is risky to use and I don't suggest it unless you have no other solution. If you use it and it works, it might stop working if the database driver changes, or in some corner cases that you haven't tested it might not work.
In the updated doc https://loopback.io/doc/en/lb3/Using-current-context.html
add this in your remoting metadata
"accepts": [
{"arg": "options", "type": "object", "http": "optionsFromRequest"}
]
then
MyModel.methodName = function(options) {
// options.accessToken is injected by the framework; guard it, since it is
// undefined for anonymous callers and token.userId would otherwise throw
const token = options && options.accessToken;
const userId = token && token.userId;
}
but it says
In LoopBack 2.x, this feature is disabled by default for compatibility reasons. To enable, add "injectOptionsFromRemoteContext": true to your model JSON file.
so add "injectOptionsFromRemoteContext": true on your model.json file
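The safe way to use the injected token, as an added example that is not LoopBack's own code: the remote method takes the record's owner from options.accessToken, which the framework fills from a token it has validated server-side, and discards whatever owner field the client put in the body. The token table, the model shape and the small resolver that prefers the Authorization header over the query string are constructed here as stand-ins for the framework.

```javascript
// Added example, not LoopBack's own code: a remote method that takes the
// record's owner from the server-validated access token (what LoopBack
// injects as options.accessToken when the method accepts
// {"arg": "options", "type": "object", "http": "optionsFromRequest"}),
// never from the client's request body. The token table, model shape and
// resolver are constructed here as a stand-in for the framework.

// Constructed stand-in for the AccessToken model: id -> { userId, created, ttl (s) }.
const TOKENS = new Map([
  ['tok-alice', { userId: 42, created: Date.now(), ttl: 1209600 }],
  ['tok-stale', { userId: 7,  created: Date.now() - 2e9, ttl: 1209600 }],
]);

// Look the token up the way the framework does: Authorization header first,
// query string (?access_token=) only as a fallback, since URLs land in access logs.
function resolveAccessToken(req) {
  const auth = req.headers && req.headers.authorization;
  let id = auth ? auth.replace(/^Bearer\s+/i, '') : null;
  if (!id && req.query) id = req.query.access_token;
  if (!id) return null;
  const t = TOKENS.get(id);
  if (!t || Date.now() > t.created + t.ttl * 1000) return null;  // unknown or expired
  return { id, userId: t.userId };
}

// Mirrors the remote-method signature from the answer: (data, options) with
// options.accessToken filled in by the framework.
function createBook(data, options) {
  const token = options && options.accessToken;
  if (!token) {
    const err = new Error('Authorization Required');
    err.statusCode = 401;
    throw err;
  }
  // Whatever authorId the client sent is discarded; ownership comes from the token.
  const { authorId: _clientSupplied, ...fields } = data;
  return { ...fields, authorId: token.userId };
}

// The glue a remoting layer does: build options from the request, call the method.
function handleCreateBook(req) {
  return createBook(req.body || {}, { accessToken: resolveAccessToken(req) });
}
```

Note that the ownership decision never touches ctx.req or a global "current context"; everything the method needs arrives in its own arguments, which is why the options-injection approach survives connection pooling where app.getCurrentContext() did not.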

Rails 4 path traversal possible?

The app I'm working on has a controller that issues templates to the front end (single page app). It's very basic, and simply consists of
@path = params[:path]
render template: "templates/#{@path}", layout: nil
My concern here, however, is the direct use of the user's input. Everything about this feels to me like it can be attacked with something as simple as path traversal. The route for this is
get "/templates/:path.html" => "templates#file", constraints: { path: /.+/ }, defaults: { format: 'html' }
I've tried multiple things to attempt a path traversal attack, such as:
request /templates/path/to/../somewhere/else.html
request /templates?path=/path/to/../../something.rb
request /templates/index.html?path=/path/to/../../config/something.html
request /templates/path/../../../file.html
Fortunately, I haven't had any success with this. The requests that just start with /templates and don't specify anything after it don't match the route, thanks to the constraint, so that is good.
It seems as though when that route is matched, Rails doesn't allow you to override the path parameter through a URL parameter, so I don't seem to be able to inject it there.
The ones that interest me are the first and last examples above, where Rails seems to be internally changing the requested URL before invoking the routes file. When I request /templates/path/to/../somewhere/else.html, my console output shows a request for /templates/path/somewhere/else.html. When I make a request for /templates/path/../../../file.html, the log shows a request for /file.html.
Am I missing something somewhere that will leave the app open to security issues, or is this just Rails being sensible and protecting itself for me?
UPDATE
I've done some more digging, and if I try some URL encoding then I can cause the server to simply not respond at all. If I request /templates/%2e%2e%2f%2e%2e%2f%2e%2e%2ffresult.html then I just get an empty response with a connection: close header.
I assume that the parameter parser higher up in the Rack stack is checking all URLs for this type of attack? Regardless, my original question still stands. Am I missing something here?

Cross-site request forgery Yii ,PHP

I am trying to implement CSRF validation in Yii. I have written my own class and everything works fine except for the fact that my POST variable (for the form) does not contain the token. Am I supposed to set the token myself in the POST variable? The Yii documentation states that the POST variable is set by a hidden field in every form. Does it require further implementation in the forms as well? I know the token is not there, as I saw the POST variables by dumping them.
I guess all you need is to enable CSRF validation in your config and use CHtml for forms (Yii Guide). Here is what you need in the config:
'components'=>array(
'request'=>array(
'enableCsrfValidation'=>true,
),
),
In addition to enabling CSRF validation, you need to put the Yii CSRF token in your form. One of the easiest ways I've found to put it in is to use CHtml::beginForm, which inserts it as part of producing your form tag. More info here: http://www.yiiframework.com/doc/api/1.1/CHtml#beginForm-detail
