Question on authentication in curl command - security

When I run the below curl command with --negotiate option I get the following error. Any idea why?
[Aug05 5:03am] pradeep#localhost:/tmp/pradeep> curl --negotiate -u : -k --verbose --head "http://something.domain.com/something/soething.action"
About to connect() to something.domain.com port 80 (#0)
Trying ip-address ... connected
Connected to something.domain.com (ip-address) port 80 (#0)
HEAD /something.action HTTP/1.1
User-Agent: curl/7.21.6 (i386-pc-solaris2.10) libcurl/7.21.6 OpenSSL/0.9.8j zlib/1.2.3
Host: something.domain.com
Accept: */*
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Date: Fri, 05 Aug 2011 09:04:45 GMT
Date: Fri, 05 Aug 2011 09:04:45 GMT
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
* gss_init_sec_context() failed: : KDC policy rejects requestWWW-Authenticate: Negotiate
WWW-Authenticate: Negotiate
< Set-Cookie: JSESSIONID=0E94E134D7401632EBB4D042B8934DCD; Path=/
Set-Cookie: JSESSIONID=0E94E134D7401632EBB4D042B8934DCD; Path=/
< Content-Type: text/plain
Content-Type: text/plain
* no chunk, no close, no size. Assume close to signal end
I am able to open the site normally from the browser etc. Why I am I not able to authenticate here? Can someone help me understand

Two things you can try:
Remove --head. You seem to want to send a GET request, not a HEAD request.
Don't forget to provide the credentials as with this example: -u pierre:secret

Related

How to get Authorization Bearer Token with curl or other unix tool

I have a problem with getting Authorization Bearer Token value with unix tool like curl from site.
The problem is that I don't know how to get only this value 7FA733D2E75A962D1FED6D26989550BD. The value is different every time when i make a request (I mean it is not constant value).
I have necessary information for this request and when i try with some browser with cookie manager and put by hand cookie value it is work and get valid token.
Cookie value is:
mac=00%3A1A%3A79%3A40%3A07%3AFF
stb_lang=en
timezone=Europe%2FParis
Request URL is:
http://livegopanel.club:8080/portal.php?type=stb&action=handshake&token=&JsHttpRequest=1-xml
If I try to automate this job from linux console I am not able to get this token.
When I capture the tcp flow with wireshark get following information from process of getting valid token.
This is the request to site:
GET /portal.php?type=stb&action=handshake&token=&JsHttpRequest=1-xml HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (QtEmbedded; U; Linux; C) AppleWebKit/533.3 (KHTML, like Gecko) MAG200 stbapp ver: 4 rev: 2721 Mobile Safari/533.3
Referer: http://livegopanel.club:8080/c/
Accept-Language: en-US,*
Accept-Charset: UTF-8,*;q=0.8
X-User-Agent: Model: MAG254; Link: Ethernet
Host: livegopanel.club:8080
Cookie: mac=00%3A1A%3A79%3A40%3A07%3AFF; stb_lang=en; timezone=Europe%2FParis
Connection: Keep-Alive
And this is the response from site:
HTTP/1.1 200 OK
Date: Sat, 22 Feb 2020 09:22:53 GMT
Content-Type: text/javascript;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d538fd5b5e457f16e217ec8cf092ea2de1582363373; expires=Mon, 23-Mar-20 09:22:53 GMT; path=/; domain=.livegopanel.club; HttpOnly; SameSite=Lax
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 568fe5eebe337ea4-BUD
{"js":{"token":"7FA733D2E75A962D1FED6D26989550BD"}}
I try many variation with curl but not able to get the value. How to build the curl request or have is other way (script written on bash, perl, etc.) to do this?
If you have jq installed:
curl -s http://livegopanel.club:8080/portal.php\?type\=stb\&action\=handshake\&token\=\&JsHttpRequest\=1-xml | jq -r '.js.token'
jq is a swiss army knife for JSON, if you're going to be working with JSON on the command line, I recommend getting acquainted with jq. You can use https://jqplay.org to test your jq filters live.
Otherwise using sed:
curl -s http://livegopanel.club:8080/portal.php\?type\=stb\&action\=handshake\&token\=\&JsHttpRequest\=1-xml | sed 's/.*token":"\(.*\)".*/\1/g'

Need to by pass Location while running curl command

While running the curl command using both (credentials & without) I always get location output which is correct & due to this I get
HTTP/1.1 302 Found this output but in reality application is down.
any idea/help how to by pass or check the correct output.
[root#VDCLP3213 ~]# curl -Ik http://grid-net.gs.ec.ge.com/GestionHeures --user (username:Password)
HTTP/1.1 302 Found
Date: Tue, 23 Jan 2018 10:14:52 GMT
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://fss.gecompany.com/fss/idp/SSO.saml2?SAMLRequest=fZHBbsIwEER%2FJfI9cRJCQRaJlMKhSLSghvbQS%2BU4S7Dk2KnXKeXva6BV6YWrPfN2ZneGvFM9Kwe318%2FwMQC64KtTGtn5IyeD1cxwlMg07wCZE6wqH1csjWLWW%2BOMMIoEJSJYJ42eG41DB7YC%2BykFvDyvcrJ3rkdGaWtlE2pwUYsRiKiFSJiOVntZ10aB20eIhp7gKd2sqy0JFj6N1PzE%2FaPsEL3VO3uuj2eCf6Gy6WlVraNT6pQEy0VO3rPxpG5EPJnuGj6eTtLdiIsk4TGI%2BI5Ps8zLEAdYanRcu5ykcTIN4yRMR9skZknGxukbCTY%2FJe%2BlbqRub2%2BkvoiQPWy3m%2FDS4hUsnht4ASlmp4TsPNhebfo2lv%2BulxQthl4fHkD56hD2xjouVdjbZkav0Jc5PXvyrOViY5QUx6BUyhzmFriDnCSEFhfL%2F%2FMX3w%3D%3D&RelayState=ss%3Amem%3A7871d5ec2f67dc36f0c796d589df7cc5f38664a8a79eb7daa3d8f80059eb8259
Connection: close
Content-Type: text/html; charset=iso-8859-1
Please help
Use the -L or --location option to follow redirects.
Note that this will still show the headers for all the intermediate sites, you'll need to parse out the last HTTP/1.1 line and its following headers to get the headers from the final target.
$ curl -s -I -L online.bridgebase.com/purchase/pay.php
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Tue, 23 Jan 2018 11:04:23 GMT
Content-Type: text/html
Content-Length: 160
Connection: close
Location: https://www.bridgebase.com/purchase/pay.php
Set-Cookie: SRV=www2.dal06.sl; path=/; domain=.bridgebase.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 23 Jan 2018 11:04:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.45-0+deb7u11
Set-Cookie: PHPSESSID=og3dirjhdi4lhtm17iav8kgm67; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: SRV=www1.dal09.sl; path=/; domain=.bridgebase.com
imac:barmar $ curl --version
curl 7.54.0 (x86_64-apple-darwin14.5.0) libcurl/7.54.0 OpenSSL/1.0.2k zlib/1.2.5 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy

HTTP GET request forbidden 403 error while using netcat

So, I have to get http://www.rssweather.com/wx/in/kanpur/wx.php with using netcat.
My code goes like this.
nc -v rssweather.com 80
GET http://www.rssweather.com/wx/in/kanpur/wx.php HTTP/1.0
GET http://www.rssweather.com/wx/in/kanpur/wx.php HTTP/1.1
Connection: close
And, the result-
HTTP/1.1 403 Forbidden
Date: Thu, 03 Sep 2015 12:41:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
charset=iso-8859-1
You don't have permission to access /wx/in/kanpur/wx.php
on this server.
Is there any way to overcome this Forbidden 403 error? What am I doing wrong?
You've already connected to the webserver at rssweather.com so you must not specify the full URL in the GET request, just the path:
nc -v rssweather.com 80
GET /wx/in/kanpur/wx.php HTTP/1.0
<blank line with return>

HTTP 406 Error While Logging In To DocuSign API

I have a prototype WinForms application that uses open-source DocuSign.Integrations.Client library. It was working correctly until a couple of days ago. Now every attempt to login results in HTTP 406 error. No code has changed on my side, and my user name and password are valid (verified on https://appdemo.docusign.com). Any help is appreciated!
Below is the raw request with masked credentials:
GET http://demo.docusign.net/restapi/v2/login_information?api_password=true&include_account_id_guid=true
HTTP/1.1 Accept: application/json
Content-Type: application/json
X-DocuSign-Authentication: <DocuSignCredentials><Username>______</Username><Password>______</Password><IntegratorKey>____-________-___-___-___-____________</IntegratorKey></DocuSignCredentials>
Host: demo.docusign.net
Connection: Keep-Alive
In response, I get a 302 redirect:
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://demo.docusign.net
Connection: close
And then receive a 406 error:
HTTP/1.1 406 Not Acceptable
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 09 May 2015 19:16:52 GMT
Content-Length: 1346
Connection: close
This is incorrect:
http://demo.docusign.net/restapi/v2/login_information?
api_password=true&include_account_id_guid=true
It should use HTTPS, not HTTP in your GET URL call:
https://demo.docusign.net/restapi/v2/login_information?
api_password=true&include_account_id_guid=true
Also your error is actually describes what is wrong
HTTP/1.1 406 Not Acceptable
Your request headers should be this:
Accept: application/json
Content-Type: application/json
X-DocuSign-Authentication: <DocuSignCredentials><Username>______</Username><Password>______</Password><IntegratorKey>____-________-___-___-___-____________</IntegratorKey></DocuSignCredentials>

Data attached to POST request is gone during redirection to GET with CURL

I wrote followed command to send POST with JSON data to server. The server must redirect my request and send GET with the same data:
curl -L -i -XPOST \
-d 'id=105' \
-d 'json={"orderBy":0,"maxResults":50}' http://mysite.com/ctlClient/
I get response:
HTTP/1.1 302 Found
Date: Thu, 04 Jul 2013 13:12:08 GMT
Server: Apache
X-Powered-By: PHP/5.3.19
Set-Cookie: PHPSESSID=1hn0g8d7gtfl4nghjvab63btmk2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: http://mysite.com/fwf/online/
Content-Length: 0
Connection: close
Content-Type: text/html
HTTP/1.1 200 OK
Date: Thu, 04 Jul 2013 13:12:08 GMT
Server: Apache
X-Powered-By: PHP/5.3.19
Set-Cookie: PHPSESSID=16akc7kdcoet71ipjflk9o9cnm5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1
Connection: close
Content-Type: text/html
From access-log I see:
"POST /ctlClient/ HTTP/1.1" 302 - "-" "Apache-HttpClient/4.1 (java 1.5)"
"GET /fwf/online/ HTTP/1.1" 200 1 "-" "Apache-HttpClient/4.1 (java 1.5)"
So far so good,
The problem is that GET doesn't receives my data added to post. Sounds like during redirect my data dismissed somehow. From Android client it works, therefore its not Server side problem.
What I need to do to pass POST data to GET request?
Thank you very much,
[EDIT]
#nif offerd to upgrade CURL, i did , to 7.28.0.
Still get the same problem
[INFO]
1st time i go to http://mysite.com/ctlClient/index.php where:
case 105: // id=105
session_unset();
session_start();
foreach($_POST as $key => $value){$_SESSION[$key] = $value;}
ctlGotoSameDomain("/fwf/online/"); // <- aka redirect
return true;
after redirect i go to /fwf/online/index.php and there my request is empty:
public function __construct() {
$this->json = isset($_SESSION['json']) ? $_SESSION['json'] : null;
msqLogFile("fwf/post", Array('post' => 'Request: '.$this->json));
}
http://mysite.com/ctlClient/index.php get 2 parameters properly: id and json
From curl's manpage:
When curl follows a redirect and the request is not a plain GET (for example POST or PUT), it will do the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx code, curl will re-send the following request using the same unmodified method.
Edit
I did some research and found out, that it might be a problem with your curl version. Newer version will honour the -XPOST option and will POST to the redirected location as well. But older versions had an own option for this, i.e. --post301 and --post302. According to their manpage:
--post301
Tells curl to respect RFC 2616/10.3.2 and not convert POST requests into GET
requests when following a 301 redirection. The non-RFC behaviour is ubiquitous
in web browsers, so curl does the conversion by default to maintain
consistency. However, a server may require a POST to remain a POST after such
a redirection. This option is meaningful only when using -L, --location
(Added in 7.17.1)
--post302
Tells curl to respect RFC 2616/10.3.2 and not convert POST requests into GET
requests when following a 302 redirection. The non-RFC behaviour is ubiquitous
in web browsers, so curl does the conversion by default to maintain
consistency. However, a server may require a POST to remain a POST after such
a redirection. This option is meaningful only when using -L, --location
(Added in 7.19.1)
References:
Following redirects with curl
HTTP RFC
I need to add -b to my script to enable the cookies. CURL by default doesn't use them and this issue caused to session ID change. Therefore no data transferred.
curl -b -L -i -X POST \
-d 'id=105' \
-d 'json={"orderBy":0,"maxResults":50}' http://mysite.com/ctlClient/
Now its working

Resources