Questions tagged [curl]
An open source command line utility for transferring data using URL syntax with support for many protocols including FTP, HTTP, HTTPS, various mail protocols (including IMAP, POP3, and SMTP) and others.
66 questions
1 vote, 1 answer, 99 views
I'm calling the API of a third party, and have to pass the credentials as parameters in an HTTPS URL. Is that safe?
Basically I am doing a GET on this URL from SAP:
https://www.thirdparty.be/webservices.php?m=get_private_information&o=json&u=username&p=password
The third party webservice does use IP-...
2 votes, 0 answers, 99 views
Trying to send a POST request using curl to a HTB machine
I'm trying to perform an SSRF attack on a Hack The Box machine (editorial.htb). I'm trying to send a POST request using curl with the command
curl --data "hckyou.txt" -X POST http://...
0 votes, 1 answer, 187 views
cURL not returning status 302 after correct login for Hack the Box Machine 'Crocodile'
cURL is returning a 200 status code after correct login. The common response code after user login should be 302. Why am I not receiving this status code? All information is provided below.
#!/usr/bin/...
0 votes, 0 answers, 667 views
How to properly use cURL --data-binary to send a request payload
This question is out of pure curiosity. I know I can send multipart formposts using curl's --form/-F option. However, I was curious to see if the same can be done with the --data-binary option? For ...
0 votes, 1 answer, 175 views
Issue uploading a file with cURL to WebSecurityAcademy Lab on PortSwigger.com
I want to solve an apprentice-level lab on PortSwigger.com focused on file upload vulnerabilities; the lab is called Remote code execution via web shell upload. The labs on PortSwigger.com encourage ...
0 votes, 2 answers, 289 views
Post Exploitation in Oracle web logic server 10.35 (Oracle Linux Server 3.8)
Web Server : Oracle WebLogic 10.35
Machine : Oracle Linux Server 3.8
I was able to partially exploit this CVE. I can execute any command on server using HTTP request and redirecting its output to a ...
1 vote, 3 answers, 3k views
How to block a POST curl request
My WordPress website received a couple of fake subscriptions to the newsletter. I identified the logs, most of them with the same form as below:
xx.xx.xx.xx example.com - [04/Feb/2023:06:01:42 +0100] &...
1 vote, 1 answer, 5k views
Is it necessary for cURL to check for CRL in Windows?
I'm trying to set up cURL to get data from remote server at any situation. I use --tlsv1.3 --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 --http2 to make it as secure as I can think of, using Windows 11....
1 vote, 1 answer, 135 views
Validate HTTPS traffic at later time [duplicate]
I want to capture HTTPS traffic, save it, and validate it at a later time. I want to ensure that at a later time I'm able to validate the HTTPS traffic using the certificate which was presented at the ...
1 vote, 1 answer, 1k views
Url only works from the browser it is generated from. Copying it into a Curl Command fails, and gives a 403 error. How can I fix this?
I am doing some web scraping for streaming files, .m3u8 mime type. In this particular instance, I can't create a functional request that does not end up with a 403 Forbidden error.
How to reproduce:
...
0 votes, 1 answer, 591 views
Does using the "-k" flag with curl disable only the certificate verification?
I'm writing an API which is running on my own web server written in Go. I have a local environment set up to run it all under HTTPS using a self-signed cert and it all works great. It all works and I ...
1 vote, 1 answer, 4k views
SSL error when using curl with only trusted root certificate but server is already returning full certificate chain
My SSL server uses the following certificate setup: leaf -> intermediate -> root (trusted ca). I have verified using openssl that it's returning both leaf and intermediate certificate (at least ...
0 votes, 0 answers, 4k views
Certificate subject name 'xxx' does not match target host name 'yyy' [duplicate]
I have a golang app that works as server which a single client accesses by the IP hostname (aaa.bbb.ccc.ddd). Trying to implement mTLS.
Since I have only one client, its cert/key pair (myclient.crt/...
0 votes, 1 answer, 2k views
Does copying cookies allow attackers to view pages that should be visible only after login?
TLDR;
Copying the request from ChromeDevTools along with all cookies allows me to view pages that I should not be able to view after logging in.
Have I been pwned?
I just found a terrifyingly easy ...
1 vote, 1 answer, 428 views
Why if a server response contains both Public: TRACE and Allow: TRACE then responds with 405 NOT allowed?
SCENARIO:
I'm testing a web application. To test if TRACE is enabled I used both
nmap --script http-methods target.com
and
curl -k -i -X OPTIONS target.com
After running the former I get
443/tcp ...