Is there any way to hide the parameter that I send via post method using the Encoding or any other methods. Because Its roughly show my password in console and If I use Firebug with console Export It send my console log to any server we want show my password can leak through this.
Firebug can't do this, but you can use the console.clear(); after ajax is completed for an empty console.
Also you can use a way to encrypt the password that you sent like md5() function.
As far as I know, Firebug can't do this. However, there is a very useful Firefox extension, in the spirit of Firebug, called Tamper Data. This should be able to do what you want.
No.
It would be up to you to process the output of ConsoleExport when it is received on the target server, to mask sensitive information (passwords and others). (Also it would make sense to connect to that server using SSL.)
A filtering feature in ConsoleExport might be a good idea but there is no such option at present.
Related
I faced few problems while using Chrome dev tool. Just want to know whether it's possible and if yes - how. Suggest I have a really massive client side, with hundred of responses per page.
How to find endpoint which handle the response? I mean the first place in js code where the response come in.
How to find the response by it content? For instance, I want to know in which response I've got 45902309509902 value from the table.
How to find endpoint which handle the response?
On the Network tab, you can see where the request was originated, it's the column labelled "Initiator:"
That has a link that will show you the code originating the ajax call (I assume by "response" you're talking about an ajax response). From there, you should be able to find the callback that request is associated with. A lot of times, if you use a library like jQuery, you'll be shown the jQuery code doing the request rather than yours. You can still find what you need, though, by using the un-minified version of the libray, setting a breakpoint on that code (perhaps even a conditional one on, say, the URL being requested), and then when the breakpoint is hit using the call stack to find out where in your code the call actually originates.
How to find the response by it content?
This will be slightly more difficult. Again in the Network tab, you can click each ajax request and see (and search through) the text of there response under the Response sub-tab.
Where do I start debugging a jQuery/Javascript function, that calls an API on my server, when it works perfectly well locally - but when uploaded to the server, just returns an HTTP500 error?
I've tried fiddler, but it shows nothing in JSON/XML - the only thing it does show is in the Auth section:
The server Event Logs show nothing around the times I'm trying to test this.
Does the Fiddler response suggest anything is wrong, or can anyone sugget what I may need to turn on in the Event Viewer to capture whatever these 500 errors may be?
Thanks for any help,
Mark
Try adding some console.log() messages which surround the javascript call and are within the callback functions. Doing so will let you know where the failure is occurring. When debugging javascript I typically stick to the Network tab within Chrome Developer Tools and Firebug. By using these tools you get proper output from your console.log() messages.
Specifically, in your jquery result handler I would add the following:
console.log(resultObject);
This will output the entire object tree so that you can drill down into the meat from within Firebug or Chrome Developer Tools... if you need to.
If, for whatever reason, you are opposed to littering your code with log messages then check to see that the call is actually happening when you are testing from your server. You should see whether or not javascript is sending the HTTP request by looking at your network traffic either in Fiddler or browser based tools. If the request is not happening then your code is breaking prior to the call which, in your case, probably means environmental differences.
Is everything referenced and configured properly? Check for null values due to improper configuration or bad references.
500 is a "server error", which basically means something (could be almost anything) broke at the server side.
I would recommend:
Investigate your options for exception handling: http://www.asp.net/web-api/overview/web-api-routing-and-actions/exception-handling
Consider setting the IncludeErrorDetailPolicy to Always, though note that this is a setting that shouldn't be left in-use on a production environment - Error messages returned from Web API method are omitted in non-dev environment
Examine server-side error logging. I'm a big fan of ELMAH. You'll need a little extra effort to get it working properly in Web API - http://blogs.msdn.com/b/webdev/archive/2012/11/16/capturing-unhandled-exceptions-in-asp-net-web-api-s-with-elmah.aspx
I mean, there are some developer/other tools that let change variables in Javascript enviroment and so on. Consider I have an AJAX request. So could user, for instance, manipulate variables I send with AJAX request so that they see something they are not used to see? Or, for instance, manipulate value of <select> so that it is other, not like in options given. I hope you understand what I mean.
But how to implement AJAX in this case? Can client create his own request? So just send error back if request was not like it should be?
I send with AJAX request so that they see something they are not used to see?
YES!
You can't rely on client side scripting for security!
Check out:
Fiddler
Firebug
After your edit:
Can client create his own request?
Yes.
So just send error back if request was not like it should be?
Yes.
It's not "your" Javascript code. It's a bunch of characters you send to the client in the hopes that it will do something useful with it.
Javascript doesn't "work" by default. Everything that happens happens because the client did it. So yes, the client affects everything about the workings of your Javascript code.
Ok here's my problem. I'm working on this little site called 10winstreak and I'm trying to detect if a stream is live or not with javascript because our server that we run the site off of cant handle processing every single request with PHP. The basis of detecting if a stream is live or not is you go to their XML file and in one of their tags (if it's live) it will say something along the lines of true and often time the XML file on their site will be empty if a particular stream isn't live. for example if you have a twitch.tv stream for gamespot you go to http://api.justin.tv/api/stream/list.xml?channel=gamespot and if it's got stuff in it then it's live if not then it's not.
so basically my code looks like this:
function check (URL, term){
$.get(URL , function(data){
console.log(data);
//data is whatever the server returns from the request, do whatever is needed with it to show who is live.
var number = data.search(term);
if (number > -1)
{
document.write("Live");
}
else
{
document.write("Offline");
}
});
}
and URL is a url that gets passed in and term is the term to search for in the xml file (usually "true" or "True"). but before anything happens I end up with "XMLHttpRequest cannot load http://api.own3d.tv/liveCheck.php?live_id=6815. Origin (my server's URL) is not allowed by Access-Control-Allow-Origin."
I've looked into it all over the net and i dont seem to be able to find anything that I can use. there's alot of theory stuff but not enough actual code and i dont understand the theory stuff to be able to start typing code out. from what i've seen you have 2 ways to go, use JSONP or add a line somewhere in your sever to allow for cross-domain accessing. neither of which i understand fully nor know how or what to do. It would be alot of help for someone to show me what needs to be done to get rid of this error. of course if you can explain it to a non-coder like me it would be even more awesome but at my current point, as long as the code works for all I care it might as well be magic lol.
You can solve it :)
Take a look at xReader
<script src="http://kincrew.github.com/xReader/xReader.full.js"></script>
<script type="text/javascript">
xReader("http://api.own3d.tv/liveCheck.php?live_id=6815", function(data) {
alert(data.content);
})
</script>
I think you need cacheburst option. but you can be banned from YQL.
I think its because the path is not relative. You may be calling this from a different domain/sub-domain. You can potentially allow other origins to access, which may open up a security hole or you can create a proxy locally.
In PHP creating a proxy is easy: http://blog.proxybonanza.com/programming/php-curl-with-proxy/
Now, instead of directing your request straight to that URL send the request from jQuery to your own local url and have it access it on the server side.
Another option would be to use YQL: http://www.parrisstudios.com/?p=333 (I wrote an article about this a while ago)... In that way you can turn the response into JSON, which can be accessed cross-domain (as can javascript).
You could ask for the API responses to all be returned using a JSONP server and in JSON.
You aren't going to be able to do this via client-side javascript unless they've enabled some way to retrieve their data cross-domain (CORS, JSONP, some flash widgety thing getting read permissions from crossdomain.xml file(s) located on their server...)
Short answer: unless 10winstreak offers a JSONP service, you'll have to do things on the server-side.
Slightly longer answer:
For security reasons browsers won't let you make AJAX requests from www.example.com to www.example2.com (or any other domain except www.example.com). There isn't much you can do about this except use JSONP (and you can only do that if the remote webservice offers it).
Therefore, what you end up needing to do is ask your server "hey what's on that other server?" and (since it's not limited the way a browser is) it can go get the XML from that other server. There are various ways of doing this, either with code or Apache config; not sure what's right for you, but hopefully now you understand the general principle.
P.S. See this question: Wouldn't have been simpler to just discard cookies for cross-domain XHR? if you are curious why browsers do this.
* EDIT *
I just checked out JustinTV's site, and it appears that they already have a PHP library for you to use:
https://github.com/jtvapi/jtv_php_api
This is very likely your best bet (if you want to keep using PHP that is; if not they have libraries for other languages: http://www.justin.tv/p/api).
Is it possible HTTP Accept headers using only javascript? I know using PHP I would do something like this $_SERVER['HTTP_ACCEPT'], but as far as I can tell javascript doesn't have this.
Perhaps I could do something with an XmlHttpRequest?
Any help would be awesome!
Thanks,
Mike
RE: "The headers sent to the server."
You could echo them back out in the server's response, and get them that way.
IE.) On a web-page you could make a hidden form field with the value, or pop the value into the javascript that gets emited from the page.
From a web service, you could include the value of the incoming header in part of the outgoing XML or JSON.
If you're using XmlHttpRequest, you could send a header back to the client with this value.
Possibilities are endless.
I'm dubious of why this would ever be useful though. The client should know what it's expecting before it requests it.
Are you looking for headers sent from the server or to?
If you're using Firefox and want to look at or alter headers going from the browser to the server, you might look at the sources for the Modify Headers plugin. It's not pure javascript, but it may help shake something loose.