Invalid Request


Frauke Vilandre

Aug 3, 2024, 10:37:15 AM
to ciakaalamo

I am trying to send a POST request via Python using the built-in requests library. I got the request through Burp Suite and I am now trying to convert the POST request to Python code; this is what I have written up so far:

I solved it. It turns out the data I was sending in the request body has to be correctly formatted to JSON. The data variable in my code is a dictionary, so I can use the json parameter instead of data to automatically convert it to JSON. So in order to fix the problem all I had to do was replace the post request line with this updated code snippet:

The HTTP 400 Bad Request client error response status code indicates that the server would not process the request due to something the server considered to be a client error. The reason for a 400 response is typically due to malformed request syntax, invalid request message framing, or deceptive request routing.

If the payload is sent in a valid format, we would expect a 201 Created response or another success message, but instead the server responds with a 400 and the response body includes a message field with some context so the client can retry the action with a properly-formed request:


I managed to get the content-type thing to work even without the querystring method by putting it in two different places but the body of my request call gets completely broken and sends messed up data (even though it technically works)

I have 4 firewalls grouped into 2 HA pairs. The first pair had certificates which expired on August 18 and have failed to be renewed. The last fetched message says "Failed to renew device certificate. Invalid request. Authentication failed". I tried going through the OTP process to redeploy the certificate but under Device > Setup > Management > Device Certificate the "Get Certificate" button is no longer there. I also cannot deploy through Panorama as the devices are no longer connected (which I believe is due to the failed certificate request).

AppSheet Database is currently a preview feature and under active development. Preview features are not yet suitable for use in important apps. Until it has achieved greater stability, I recommend against using this preview feature except for testing and to help the AppSheet developers in their efforts. To follow the progress of and contribute to the development effort, please visit this dedicated Community topic:

I got the same error "unable to update row in table "invalid request provided to Appsheet database". After verification I realised that Data Rows with duplicate values in Key Column were not syncing. Duplicate values in Key Column got created because I directly copy pasted rows in 'Appsheet Database' (it didn't restrict duplicate creation).
I changed the Duplicate Values in Key Column to unique values and thereafter the above sync error got resolved.

I have a similar problem, unable to add row via sync on iPhone, but works fine in the preview app editor. I have already gone deep in making the app in the database, but am thinking to bail back to sheets.

I'm using the eBay app on Android. Every time I try to sign in with my confirmed working username/email and password I get some "Invalid token" or "Invalid request". WHY? WHY CAN'T I LOGIN? It was working fine before. I can't even take a screenshot and post it because the stupid app stops me. Why the hell is this such a nightmare?

Same here, app broken, won't display homepage, get exclamation point tap reload to try again. Trying to sign in, get either invalid token, invalid request message. Can login on browser just fine though.

It's the Sign In screen of the Android app. The error is "invalid token". It does the same thing whether I use my nickname or my email address. Disabling VPN makes no difference. WiFi or phone data makes no difference. I will try re-installing the app but other people have obviously tried that.

I still question why this happened in the first place. The eBay app worked untouched for years -- the only re-installs and fresh logins happened when I changed devices -- then one day a couple months ago suddenly forced me off and wouldn't let me back on until I re-installed it.

I believe I figured out what the problem is in most of these issues... I had to reset my phone to factory specs after it became corrupted... When I installed the eBay app afterward, I got the "invalid response" message when trying to log in through the app... Am able to log in fine through Google Chrome on the phone... Contacted eBay, they had no idea... Started troubleshooting on my own...

I have another phone that the app is working fine with, so I started comparing OS, eBay app version, etc... The Android version on my working phone is 7.0.0, and the eBay app version is 5.28.1.1... I checked the other, non-working phone, and the OS is Android 4.4.0 with eBay app version 5.10.0.11 (which was released in 2017)... I tried installing eBay app version 5.28.1.1 on the Android 4.4.0 phone, which failed and gave me a parsing error each time... So I believe Google Play Store installs the eBay app version which is compatible with the OS version of your phone, in my case the 2017 version eBay app, which is no longer compatible with eBay servers.

I also have the same problem.
eBay thinks only about how to make a profit from the seller and doesn't care about any problems with the customers.
For example, I have many problems with my account and I contacted eBay by phone more than 150 times in the last year and still no one from eBay can solve my problems... or they do not want to.

The Request-Line is the HTTP command that is sent to the server to either request a page or send some data. It is the GET, POST, HEAD, OPTIONS, etc. part of the command. There is something incorrect in the programming of the website.

There is not much you can do besides placing an exception for that web site URL in the HTTP proxy so that it does not check the format of the commands. Obviously, if you do not have complete trust in the content of that site, it could be a significant security risk (e.g., if there is a browser exploit that depends upon this malformed request, like a cross-site forgery request).

Thanks a lot Bojan Zajc.
Yes, you are right!!!
I can see that it tries to display an advertisement first. I found your notice with the Inspect Element feature of the browser.
Yes, I use Webblocker with Advertisements blocked.
I really need this site's video content. I support an Advertising Media Company and it is part of their daily job.

The request token is for protection against CSRF attacks. It is a hash over the session id, a given keyword and the secret encryption as specified in the settings. So, if the request token is invalid, then one of the three components must have changed.

I haven't changed any keys or any components that I can think of in the last few days so I'm not sure why this is kicking back all of a sudden.
Any thoughts?
Thanks.
-Running SeedDMS 5.1.7 on a Linux dedicated server

Well- I don't know what happened.... I just reuploaded the conf/settings.xml file (which was literally EXACTLY the same as the one on the server- I ran a diff check on it) and now it's working again.
Soooo..... ??

I am trying to get a token using OAuth2 from a web app. I am able to do it using the /authorize endpoint if using response_type=token. However, this returns the token in plain text in the redirect URL which I find a bit low security. I guess it is in the user's own browser, so perhaps not that big a deal.

Is there something I am missing in the /token request? One thing I find odd is you do not need to specify if it is plain or S256 in the /token request. The /token post call is within milliseconds of the initial /authorize request so nothing could have expired.

Sorry @JoeHershman I'm a little bit late, but I'm taking the opportunity that I'm preparing a session about authentication in ArcGIS for the DevSummit Europe next month and I have solved this using PKCE and SHA256.

The first step in the PKCE modified workflow is having the application create a code verifier. The code verifier is a cryptographical string using alphanumeric characters (A-Z, a-z, 0-9) and punctuation characters (hyphen, period, underscore, and tilde). A code verifier string should be between 43 and 128 characters long.

My issue was that I was putting S256 not plain when I was generating the authorization code. I guess I misunderstand what one needs to do for using the S256 setting. My initial challenge was created with an SHA256 encryption (as yours was), but I guess I am supposed to encrypt something being sent back when defining as S256.

I need it to successfully get the certs so when I load the traefik web interface the https certs show up as valid. Currently, when I go to the traefik interface, the https certs are shown as invalid. I.e. I appear to be getting the default traefik cert.

But, again, I'm not using this token ... as you can see in my config in my docker-compose.yml (it's commented out). I originally chose the API_key route because when I first tried with the API-token, my local traefik web interface wasn't showing the login challenge for some reason.
