Intentional URL spoofing

Similar Messages

• Automatic configuration URL syntax in 4.01 is not recognizing the file:///// syntax which use to work in 3.6.18. Is this a bug or an intentional change?

  Hi, we noticed this difference today. We use a centralized PAC file located in a network share. This used to work for versions 3.5-3.6, it is not working for 4.01. Was this an intentional change or a bug?
  The workstation running firefox is running windows 7.

  thank you all.
  Billy and William - what is rellay going on is that we have one cantrel pipelined function - not many.
  we recently enctored a strange ora-600 that realte to it.
  as a workaround we decide to rewrite the function,
  and as a resolt to re-write some of the sql that use it.
  and by doing so i notice that. (one can use a column as an argument).
  i know that my last sql is invalid - i only though that the same must go
  for pipelined function and the whole script show this line of thought.
  SomeoneElse - you are right but it will give the same error even if i put data_numbers.id
  Elic and William - thank you very much. now i am happay.
  i search every document, expet from the sql manual (i looked at application dev, cartarige, etc).
  this goes to show that every day I learn something new.
  Amiel
  re-reading the whole thared i realized that i wasn'nt
  clear enough and the typo must have been confusing
  i know that either:
  select *
    from data_numbers,
         (select g.id column_value
            from data_numbers g
           where g.id = data_numbers)
  where id = column_value
     and id = 1;or
  select *
    from data_numbers,
         (select g.id column_value
            from data_numbers g
           where g.id = data_numbers.id)
  where id = column_value
     and id = 1;don't suppose to work
  (i ment to wrote the second sql...)
  i was only concluding that the same goes for pipelind function.
  Message was edited by:
  Amiel D.

• Prompt choice when opening an URL-based intent?

  I know that there's this (https://support.mozilla.org/en-US/questions/977330?esab=a&as=aaq) but it takes way too long for the actual website to load before I get to the little Android icon. Is there a way to make it so that it prompts me in the first place before loading the page?

  The Android Gingerbread and earlier browser did this if you did not set a default browser and it sucked. The intent dialog would appear for each clicked link and often several times due to redirects.
  If a site or intent gives Firefox a URI that it can load as a web page we treat it as such. Firefox is a web browser.

• How to get the URL of the request.

  I am trying to get the URL from where the request is coming to the servlet. If http://www.xx.com/ calls my servlet i want to know that the request is coming from http://www.xx.com/ URL. If i use request.getRequestURL() which is displaying my servlet URL. Please help me which is very urgent.

  You actually want the referrer? You can obtain it from the request headers as follows:String referrer = request.getHeader("referer"); // Yes, with the legendaric misspelling in there.Having said that, be aware that the client has full control over what he sends with the request headers. So the client can change/spoof/remove the referrer entry to his taste anytime. Your code should not rely that much on it, it should rather be used for statistics only.

• Web Cache 'Ping URL' not working.

  Hi,
  I have recently installed a Webcache clustered pair which sit in front of OHS which reverse proxys back to OUCM/Web Logic, my OWC version is 11.1.1.2 and am looking for some clarification of how the Ping URL actually works in Web Cache.
  When OHS is shutdown, Webcache detects the service is down and prevents it from servicing requests, however it will not mark the service as down when I intentionally set ping URL to a page that does not exist generating a 404, will Ping URL polling only mark a server as being down if a 500 error is generated?
  Something else I would like clarification of is 'Ping Interval', I have set this to be aggressive at '1' however I do not see any polling traffic or see any hits in OHS log that indicate polling of the Ping URL is taking place.
  Thanks in advance,
  Mark.

  Not sure I need any update to this now, I've just read through the help section 'help/edit_add_appserver.htm' and can see that a 404 is not considered a failure and also that the server only starts to poll when the failover threshold has been reached.
  This would explain why the server was not being marked as down, although I'm still not sure why I do not see the polling traffic in Apache logs but I can live with that :)
  Cheers,
  Mark.

• E-Recruiting - Recruiter URL works for one user and doesn't for another

  Hi
  I am new to e-Recruiting, so any help will be greatly appreciated.
  We are in the process of configuring the SAP e-recruiting module on  an existing HCM system.  It is only a demo system. 
  We started off with the IDES, with SAP sample data.
  We activated the BSPs via SICF.
  We generated the BSP URLs via program rcf_generate_urls.
  We picked two existing employees (PERNRS) in the system and linked test IDs (USERID1, USERID2) to them in infotype 105.  Both USERID1 and USERID2 have BASIS/Superuser authorizations.
  When USERID1 runs the recruiter startpage it displays the page correctly.  Pernr of USERID1 has a Candidate(NA Object) linked to it's CP object.
  When USERID2 runs the recruiter start page it gives an internal error.  This Id's pernr does not have a candidate object. 
  Should there be a NA object for every CP object?  Does any one have some business process guides that may help us understand the relationships between the objects?
  Please advise.
  Thank you
  Amina

  Hello Amina,
  not everyone should have a candidate (NA) object, every one MUST have a candidate object. No matter which role someone plays within the e-recruiting system (recruiter, manager, admin, internal candidate, external candidate, talent manager, ...) he needs a candidate to work with the system.
  Assuming you have an ERP2005 (= E-Recruiting 600) you can use report RCF_USER_CREATE to create users for test purposes. For the productive environment you have to set up HR -> E-recruiting integration and can run HRALXSYNC to create candidates for existing employees.
  I am not sure how much business process documentation there is in sap help. I have to admit I prefere learning from the system. Perhaps a very rough overview:
  e-rec brings the following objects:
  NA - Candidate
  NB - Requisition / Application Group
  NC - Posting
  ND - Application
  NE - Candidacy
  NF - Talent Group
  furthermore e-recruting uses some additional objects from the hr base and other components (P Employee, CP Central Person, US User, BP Business Partner, O OrgUnit, S Position, QK qualification group, Q qualification, VA/VB/VC Questionaire and its elements)
  NA - The candidate is the central representation of everyone in e-recruiting. A Candidate is always linked to a CP which is linked to a BP and a US. If the person is an employee the CP is linked to the P object, too. (Hint: for integrated systems the user for an employee is not linked in HRP1001 but retrieved from IT0105 directly, e-recruiting uses a standard function of HR here, the hr function modules for reading object releations virtualize this assingment as hrp1001 relation).
  NB - The NB object has currently 3 slightly different tasks. As requisition it is the internal view for an internal/external hiring request, it defines what you are looking for e.g. "ABAP programer, 40 hours/week, place of work London, ..". As application group it allows to accept applications for "areas" where you have currently no exact position to hire but regularely look for canditates. Application groups channalize unsolicited applications e.g. Interns, Engineers. Third usage is the requisition for succession planning - not really important.
  NC - Posting is supposed to be the outside view. It contains the texts for the requisition published in the different channels. as you might to use a different text for the different media a requisition can have several postings. A posting has one or more posting instances / publications. They are not an hr object type, they define the channel with publication duration and language where you publish your posting.
  ND - The application can be compared with the hardcover application. If a candidate applies he creates an application. The application is linked to the candidate of course and as the candidate applies through a certain channel the application is linked to the posting.
  NE - The candidacy is the assignment to a requisition. You could say it is the task / intention to check a candidate for the requisition so it is linked to the requisition and the candidate. As the candidate applies for the job described by the requisition (application group are treated the same here) an application is always linked to at least one candidacy. If a recruiter decides based on the candidates profile that he is interesting for another open positions he can add more candidacies to the application to check the candidate for these requisitions. There is also the posibilit that you create a candidacy w/o application. Every external who applied and every employee is in the system even if he has no active application. External candidates can even register to the system w/o applying. You can check this pool for suitable candidate an assign them to a requisition. This is a candidacy w/ an application. You can later request a candidate to apply to this requisition but it is theoretical possible to process the complete hiring just with a candidacy.
  NF The Talent group is used to structure the huge amount of candidates in the pool. E.g. you can form a talent group "High Potentials - Design Engineers". You can use these groups to easier find suitable known candidates if a matching requisition is opened. But they are also needed for pool development. For short applicant groups you can track them and try to stick with your company till you get the right opening for them.
  The other object are linked to this core. Qualifications are linked to requisitions as requirement and linked to candidates of course. OrgUnits and Positions can be linked to requisitions to link to OM. Questionaires are assigned to candidates at all for general appraisal or to candidacies to appraise the suitability for the requisition or to track interview, assessment results.
  There ore other "objects" in e-recruiting which are not represented by an OTYPE. One example is mentioned above the publication. Others are recruiting team and recruiting plan. If you need information to one of these just post another reply.
  Hope that gives some basic overview about the objects.
  Best Regards
  Roman Weise

• ISE & Switch URL redirect not working

  Dear team,
  I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
  Here is some output from my 3560C:
  Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
  SW3560C-LAB#sh auth sess int f0/3
              Interface:  FastEthernet0/3
            MAC Address:  f0de.f180.13b8
             IP Address:  10.0.93.202
              User-Name:  F0-DE-F1-80-13-B8
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect:  https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A005DF40000000D0010E23A
        Acct Session ID:  0x00000011
                 Handle:  0xD700000D
  Runnable methods list:
         Method   State
         mab      Authc Success
  SW3560C-LAB#sh epm sess summary
  EPM Session Information
  Total sessions seen so far : 10
  Total active sessions      : 1
  Interface            IP Address   MAC Address       Audit Session Id:
  FastEthernet0/3       10.0.93.202  f0de.f180.13b8    0A005DF40000000D0010E23A
  Could you please help to explore the problem? Thank you very much.

  With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
  In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
  It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
  tips:
  1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
  2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
  Which can win the race: increasing bandwidth with new technologies VS QoS?

• Absolute URLs  not working when file is on a remote server.

  My client has asked me to provide a template for an investor relations section of their website. The HTML page or template for this page will be at the service providers site, but all the images etc. for the page will be linked to files on my clients server. Everything looks fine, but the absolute URL's in the .swf file back to my clients site aren't working.
  This is what the service provider's guidlines say, but I'm not sure where the code is supposed to go:
  Similarly, newer versions of the Flash Media Player installed by most users have a high level of security enabled by default. This is done to prevent Flash movies from playing on web pages that are hosted on different domains than the movie itself (again, to combat “phishing” or “spoofing”).
  You do have the ability to overwrite this feature by proactively developing your Flash file so that it contains the following lines of code:
  System.security.allowDomain(“*”)
  stem.security.allowInsecureDomain(“*”)
  Sy
  You should also add the following line of HTML within the embedded Flash call in your HTML template:
  <param name=”AllowScriptAccess” value=”always” />
  This solution requires edits to the ActionScript of the pre-compiled Flash file, and is not something we can edit. For further guidance and more information, please speak with the developer of your Flash file.
  Thanks

  the easiest way to deal with security issues is to avoid them.  if all files are on the same server, use relative urls.
  otherwise, you may have to deal with security issues.  whether you do or not, and if you do, how you deal with them, depends on what you're trying to do.
  you may be able to use System properties but you may need cross-domain security files.

• Dreamwiever behaviors Go to URL (new blank or browser window)

  <script type="text/javascript">
  function MM_goToURL() { //v3.0
    var i, args=MM_goToURL.arguments; document.MM_returnValue = false;
    for (i=0; i<(args.length-1); i+=2) eval(args[i]+".location='"+args[i+1]+"'");
  </script>
  <a href="http://example.com" onmouseover="MM_goToURL('parent','http://example.com');return document.MM_returnValue">insurance</a>
  Hello,
  I cant I specify a new or blank browser window when usin dreamweaver's "Go
  To URL" behaivour?
  Help me please !

  What you are showing us will open TWO windows/tabs with example.com in each - is that your intention?
  Change this -
  <a href="http://example.com" onmouseover="MM_goToURL('parent','http://example.com');returndocument.MM_returnValue">insurance</a>
  to this -
  <a href="http://example.com" onmouseover="MM_goToURL('parent','http://example.com');returndocument.MM_returnValue" target="_blank">insurance</a>

• Securely calling stored procedure with APEX URL

  I have a web server that needs to call a stored procedure on an Oracle database (v10.2.0.4.0-64bit), and to do so without storing schema credentials on the web server it has been recommended to call the procedure using a URL to APEX, and granting execute privileges on the package storing the procedure to APEX_PUBLIC_USER.  However, this allows anyone on the network to call the procedure if they have the URL.  Is there any way to make sure that either Apex or the procedure only responds directly to requests from the web server?

  Nick,
  Assuming you are talking about application server ( not web server ).
  It is common practice to create new user on Oracle database (often called proxy user, so you don't have to use schema credentials). Grant this user privileges to call package you need. Then on application server store encrypted credentials for this new user.
  Application (java or .net) then connects to Oracle using new user credentials and executes packaged procedure.
  Using Apex is the same. You need to have Authentication enabled (hence to store user id and password). If not, it is not secure.
  Making any application (including Apex) to respond to request from specific IP  is possible by inspecting ip from request header (Apex : UTL_HTTP.GET_HEADER ).
  There are problems however:
  1.If connection is made by proxy, request ip can change.
  2.Hackers can use "ip spoofing" to emulate request from permitted server.
  Another option would be to set up proxy server rules, permitting traffic between selected servers only.
  HTH
  Thomas

• Firefox3 User-Agent spoofing

  Aka "How to use an online banking website by fooling them into using an unsupported browser".
  Natwest check the User-Agent string of the browser, and block ones they dislike.
  So, enter about:config in the firefox3 URL line, right-click on the list that appears, click on "New - String", enter general.useragent.override and for the string, enter one of the following common user agents:
  Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080213 Firefox/2.0.0.12
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
  Then check the result.
  This method works with firefox 3.0b3-3.
  Edit: Modify Headers does the same thing and works with firefox3, but is not necessary.
  Last edited by brebs (2008-03-10 19:44:46)

  xsdnyd wrote:general.useragent.override
  Thanks, I've altered the first post to use that instead
  CNN seems OK with a spoofed user agent.
  Last edited by brebs (2008-03-10 20:11:46)

• Web Service URL length limits, LV2013 vs LV2012

  (* CROSS POST: http://lavag.org/topic/18435-web-service-url-length-limits-lv2013-vs-lv2012/ *)
  (* Please reply in this forum.  I have marked the other thread to put replies here. *)
  Has anyone noticed a reduction to the limit on URL length for Web Services between LV versions 2012 and 2013?
  Under LV2012, a RESTful web service appears to accept URL with lengths at least as long as 4096 characters.  With LV2013, the max URL length appears to be 511 characters for both RESTful and Project Item web services. Unfortunately for me the project I just converted trips over this issue. My goal with posting this query to here is to improve my understanding of this limitation before I decide how best to modify my code.  Certainly using POST rather than GET with a long URL is an option, but again, I'm looking to understand the change in limitation before I choose a solution.
  To illustrate I have attached three mostly identical projects which demonstrate the issue.  In each case the project contains a webservice consisting of a single VI, "ComputeLength", which takes a String as an input parameter and which outputs the length of the string.  The three projects are as follows.
  1. LV2012 RESTful web service.
  2. LV2013 RESTful web service.
  3. LV2013 Project item web service.
  The web service contains a single VI.  For the RESTful examples, the web service is started by selecting Deploy from the Build specification right click menu.  For the Project Item example, the web service is started by selecting Start from the MyComputer/WebService right click menu. The use of this example is demonstrated with the following URL: 
  (note that the port is 8080 for the two RESTful examples and is 8001 for the Project item web service if used in Debug mode, which is the default for the above instruction.)
  http://localhost:8080/webservice/computelength?string=1234567890
  And the output looks like this.
  <Response>
  <Terminal>
  <Name>StringLength</Name>
  <Value>10</Value>
  </Terminal>
  </Response>
  To see the issue, extend the string parameter such that the URL contains more than 511 characters beyond the port number.  For example something like this, http://localhost:8080/webservice/computelength?string=1234567890123456789012345678901234567890....(keep repeating)
  For the LV2012 example the string parameter may be at least as long as 4000 characters, which I've demonstrated using Chrome as my browser.  For both of the LV2013 examples the URL is limited to 511 characters after the localhost and the port number.
  Anyone know whether this is a bug or this is an intentional design change?  How about whether the URL length limit is configurable? 
  I am also consulting NI tech support and will report back their response.
  Any advice appreciated.
  Thanks,
    Martin
  Solved!
  Go to Solution.
  Attachments:
  mywebservice.LV2012.RESTful.zip ‏12 KB
  mywebservice.LV2013.RESTful.zip ‏12 KB
  mywebservice.LV2013.ProjectItem.zip ‏11 KB

  Solution found.  Apparently starting in LV 2013, there is a default limit of 512 to the URL length.  The default limit may be overridden as described below.
  Martin
  This is Brian in Applications Engineering from National Instruments. I am following up regarding the 511 character limit in your Web Service HTTP request following the port number. After some research I've figured out that the issue is related to a default web server setting called "LimitUri," which limits the maximum length of a URL. The default setting is 512 characters which is why we are seeing this issue.
  There are multiple ways of changing the URL length limit depending on how you are using your web service. If you are publishing the web service using the Application Web Server then modify "C:\Program Files (x86)\National Instruments\Shared\NI WebServer\NIWebAppServer.conf" and add "LimitUri 4096" to the end of the file without the quotes.
  If you are running the Debug Web Server by just clicking start on the web service then modify "C:\Program Files (x86)\National Instruments\LabVIEW 2013\resource\webserver\niwsdebugserver.conf" and add "LimitUri 4096" to the end of the file without the quotes.

• Using apex url to link to a page in another application

  hi all.
  i have 5 applications based on same schema in a single workspace. now i intent to have a single page with 5 button from where i will call all those 5 applications' home pages.
  i used following syntax for URL Target on a button to check it but it didnt work.
            f?p=102:101:&APP_SESSION.
    i can very easily to a page in same application (offcourse) but i want to ask that can we link to a page which is in another application in same workspace
  bundles of thanks in advance.

  Check out this link
  http://apps2fusion.com/at/64-kr/413-maintaining-authentication-between-apex-applications

• Web links (URLs) are being parsed in the conversation feed - disable this?

  I noticed that some of recent updates in skype for mac started to be too clever with links I post in conversations - it tries to fetch the content, parse it and present some small excerpt if it in the conversation.  But I mostly message links to closed sites - like Google Docs or internal knowledge base - and they require logging in. So, I know mostly see in my conversations with collegues something like this. How can I disable this behavior? I want to see plain links, I do not need this supersmart parsing.  

  Well, I want to see IMAGES in the chat (i.e. someone transmits actual image data), but I don't want to see WEB PREVIEWS (previews of web pages, or the picture an image URL points to) in the chat. Data is data, and a link is a link. Data should be displayed, and links should remain links. If someone wants me to see a web page, they should make a screen grab to their local computer, and then send me the picture as an image. Otherwise they should send me a link, which then I can peruse at my own convenience (which usually includes first scrubbing the link of any identifying trailing garbage.)
  As a matter of fact, I don't want Microsoft/Skype to PARSE ANYTHING that I transmit.
  Just as automatic loading of remote images in HTML e-mail messages constitutes a major security risk and privacy breach, so does this web preview function.
  I have absolutely no intention to disclose who I'm conversing with and what we talk about, but if someone sends me a link that hasn't been properly "cleaned up", then the site will know who sent me the link, who received it, what the conversation might have been about etc. and that information is sent without my consent.
  I have ZERO tolerance for Microsoft's lack of sensitivity to privacy, and where we users are being stripped naked to prying eyes, all in the guise of some "neat features".
  I don't need no "neat features". If you want web links to work the way they are supposed to work on the Mac, then allow for a right-click with a QuickLook option, but display the link in it's full length with all the "garbage" that will be transmitted to the site when the link is clicked upon, no "user friendly URL" version, that makes a link look like it were a harmless, state-free static link, while in fact it's a 900 character long monster with encoded state and personal details. One might think that's part of the PRISM program...

• Web links (URLs) are being parsed in the conversat...

  I noticed that some of recent updates in skype for mac started to be too clever with links I post in conversations - it tries to fetch the content, parse it and present some small excerpt if it in the conversation. 
  But I mostly message links to closed sites - like Google Docs or internal knowledge base - and they require logging in. So, I know mostly see in my conversations with collegues something like this.
  How can I disable this behavior? I want to see plain links, I do not need this supersmart parsing. 

  Well, I want to see IMAGES in the chat (i.e. someone transmits actual image data), but I don't want to see WEB PREVIEWS (previews of web pages, or the picture an image URL points to) in the chat. Data is data, and a link is a link. Data should be displayed, and links should remain links. If someone wants me to see a web page, they should make a screen grab to their local computer, and then send me the picture as an image. Otherwise they should send me a link, which then I can peruse at my own convenience (which usually includes first scrubbing the link of any identifying trailing garbage.)
  As a matter of fact, I don't want Microsoft/Skype to PARSE ANYTHING that I transmit.
  Just as automatic loading of remote images in HTML e-mail messages constitutes a major security risk and privacy breach, so does this web preview function.
  I have absolutely no intention to disclose who I'm conversing with and what we talk about, but if someone sends me a link that hasn't been properly "cleaned up", then the site will know who sent me the link, who received it, what the conversation might have been about etc. and that information is sent without my consent.
  I have ZERO tolerance for Microsoft's lack of sensitivity to privacy, and where we users are being stripped naked to prying eyes, all in the guise of some "neat features".
  I don't need no "neat features". If you want web links to work the way they are supposed to work on the Mac, then allow for a right-click with a QuickLook option, but display the link in it's full length with all the "garbage" that will be transmitted to the site when the link is clicked upon, no "user friendly URL" version, that makes a link look like it were a harmless, state-free static link, while in fact it's a 900 character long monster with encoded state and personal details.
  One might think that's part of the PRISM program...