ca9163d9

Reputation: 29159

Where do these requests come from?

I'm using Fiddler to analyze the requests of a site. The following GET

GET https://tss.sfs.db.com/websso/sso_FallThrough.sso?Xe47eKuUc4rm2LW9V1BHSzU1....

returns

HTTP/1.1 302 Found
Date: Wed, 06 Jul 2016 16:13:19 GMT
Server: dweb
Set-Cookie: CTSESSION=AAAAAQABAHid6vs1jduDPC1Q9ItYbjKC6Ih4bImKPTYYA6fOLowLvtT%2FsUj%2F2o7kl4ovRmo8qfOQjQgx%2B%2BQL6%2F6sspncrVYJOc62ijGMQ67Z9L%2FaklW42jLwx6BzfN2BUAiw5fU4lemLzDDlX0pGSNY1kXVCaqOS5UlOX8z62hA%3D; domain=tss.sfs.db.com; path=/; Secure; HttpOnly
Location: /investauthenticated/servlet/web/Web?document=index
Content-Length: 235
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="/investauthenticated/servlet/web/Web?document=index">here</a>.</p>
</body></html>

The Location header redirects it to

GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index

And the response is

HTTP/1.1 200 OK
Date: Wed, 06 Jul 2016 16:13:19 GMT
Server: dweb
Content-Length: 1500
Set-Cookie: JSESSIONID=r73A_C0735ZlDXOeMyM7w9hSgnkMUHloIm3qIdgMKkHZ3KSPi30f!-828505221; path=/; HttpOnly
DB-Nickname: VTJGc2RHVmtYMStCbW4yYnlaQ2Ywei9pRHlENzd3aHFQYlhVNWZSbXFJUT0=
X-DB-NAR: 26564-1
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="ISO-8859-1"?><?xml-stylesheet type='text/xsl' href='/stylesheets/application_internet.xsl'?><application servleturi="/investauthenticated/servlet/web/Web">
<menu href="Web?document=menu"/>
<clock href="/html/invest/clock.html"/>
<main href="Web?document=viewPortfolio&amp;portfolio=my">View All</main>
<headerlink class="blue_11" href="https://www.tss.db.com" style="margin-left:196px" target="root">TSS Home</headerlink>
<headerlink class="blue_11" href="http://www.db.com/index_e.htm" target="root">DB Home</headerlink>
<headerlink class="blue_11" href="Web?document=home" target="main">Home</headerlink>
<headerlink class="blue_11" href="Web?document=Contact" target="main">Contacts</headerlink>
<headerlink class="blue_11" href="/html/invest/FAQS.html" target="main">FAQs</headerlink>
<headerlink class="blue_11" href="logout" target="">Logout</headerlink>
<subheaderlink class="horizontal_navi first" href="https://www.tss.db.com" target="root">Trust &amp; Securities Services</subheaderlink>
<subheaderlink class="horizontal_navi" href="Web?document=home" target="main">Home</subheaderlink>
<search class="white_11">Search by:</search>
<search checked="true" class="blue_11_bold" id="r1">CUSIP</search>
<search class="blue_11_bold" id="r2">ISIN</search>
<search class="blue_11_bold" id="r3">Issuer</search>
<parameters>
<parameter name="document">index</parameter>
<parameter name="release.build.name">4.3.15 2016-05-26   </parameter>
</parameters>
</application>

However, there are the following requests after it. Where do they come from? There is no Location, meta or client-side JavaScript to redirect.

GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=topbar&OWASP_CSRFTOKEN= HTTP/1.1
GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=content&OWASP_CSRFTOKEN= HTTP/1.1
GET https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=bottombar&OWASP_CSRFTOKEN= HTTP/1.1

Upvotes: 0

Views: 136

Answers (1)

gudok

Reputation: 4179

The XML document has a stylesheet assigned to it:

<?xml-stylesheet type='text/xsl' href='/stylesheets/application_internet.xsl'?>

That stylesheet makes a web browser convert the XML to HTML, and that HTML contains three <frame> tags:

<frameset frameborder="no" framespacing="0">
    <xsl:attribute name="rows">134,*,35</xsl:attribute>
    <!-- always have a topbar -->
    <frame noresize="noresize" name="topbar" marginwidth="0" marginheight="0" scrolling="no">
        <xsl:attribute name="src"><xsl:value-of select="$uri"/>?document=<xsl:value-of select="$document"/>&amp;frame=topbar&amp;OWASP_CSRFTOKEN=<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute>
    </frame>                
    <!-- always have a content row -->
    <frame noresize="noresize" name="content" marginwidth="0" marginheight="0" scrolling="no">
        <xsl:attribute name="src"><xsl:value-of select="$uri"/>?document=<xsl:value-of select="$document"/>&amp;frame=content&amp;OWASP_CSRFTOKEN=<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute>
    </frame>
    <!-- always have a bottombar -->
    <frame noresize="noresize" name="bottombar" marginwidth="0" marginheight="0" scrolling="no">
        <xsl:attribute name="src"><xsl:value-of select="$uri"/>?document=<xsl:value-of select="$document"/>&amp;frame=bottombar&amp;OWASP_CSRFTOKEN=<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute>
    </frame>                
</frameset>

Where:

  • $uri is https://tss.sfs.db.com/investauthenticated/servlet/web/Web.

  • $document is index.

  • $owasp_csrftoken is blank.

Thus producing this HTML:

<frameset frameborder="no" framespacing="0" rows="134,*,35">
    <!-- always have a topbar -->
    <frame noresize="noresize" name="topbar" marginwidth="0" marginheight="0" scrolling="no" src="https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=topbar&OWASP_CSRFTOKEN="/>
    <!-- always have a content row -->
    <frame noresize="noresize" name="content" marginwidth="0" marginheight="0" scrolling="no" src="https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=content&OWASP_CSRFTOKEN="/>
    <!-- always have a bottombar -->
    <frame noresize="noresize" name="bottombar" marginwidth="0" marginheight="0" scrolling="no" src="https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index&frame=bottombar&OWASP_CSRFTOKEN="/>
</frameset>

Which are the three URLs you are seeing.

Upvotes: 2
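The chain described in the answer can be traced offline from a captured response. The Python below is an added example, not part of the original answer: it finds the xml-stylesheet instruction in the XML body, expands the src attributes the stylesheet generates, and reports query parameters that arrive empty, as OWASP_CSRFTOKEN does here. The function names are hypothetical, the inputs are constructed and trimmed from the text quoted above, and only `xsl:value-of select="$var"` inside `xsl:attribute` is expanded.

```python
from urllib.parse import parse_qs, urljoin, urlsplit
from xml.dom import minidom

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed sample input, trimmed from the response and stylesheet quoted above.
PAGE_URL = "https://tss.sfs.db.com/investauthenticated/servlet/web/Web?document=index"
XML_BODY = ("<?xml-stylesheet type='text/xsl' href='/stylesheets/application_internet.xsl'?>"
            '<application servleturi="/investauthenticated/servlet/web/Web"/>')
FRAME = ('<frame name="{0}"><xsl:attribute name="src"><xsl:value-of select="$uri"/>'
         '?document=<xsl:value-of select="$document"/>&amp;frame={0}&amp;OWASP_CSRFTOKEN='
         '<xsl:value-of select="$owasp_csrftoken"/></xsl:attribute></frame>')
XSL_BODY = ('<xsl:stylesheet version="1.0" xmlns:xsl="%s"><xsl:template match="/">'
            "<frameset>%s</frameset></xsl:template></xsl:stylesheet>"
            % (XSL_NS, "".join(FRAME.format(n) for n in ("topbar", "content", "bottombar"))))
# Variable values as given in the answer.
PARAMS = {"uri": "https://tss.sfs.db.com/investauthenticated/servlet/web/Web",
          "document": "index", "owasp_csrftoken": ""}

def stylesheet_urls(xml_text, page_url):
    """Absolute URLs of the <?xml-stylesheet?> instructions a browser would fetch."""
    urls = []
    for node in minidom.parseString(xml_text).childNodes:
        if node.nodeType == node.PROCESSING_INSTRUCTION_NODE and node.target == "xml-stylesheet":
            # The PI body is pseudo-attributes; parse it as a dummy element's attributes.
            pseudo = minidom.parseString("<pi %s/>" % node.data).documentElement
            urls.append(urljoin(page_url, pseudo.getAttribute("href")))
    return urls

def generated_srcs(xsl_text, params):
    """Expand each <xsl:attribute name="src">; only $variable value-of is handled."""
    urls = []
    for attr in minidom.parseString(xsl_text).getElementsByTagNameNS(XSL_NS, "attribute"):
        if attr.getAttribute("name") == "src":
            urls.append("".join(
                n.data if n.nodeType == n.TEXT_NODE
                else params.get(n.getAttribute("select").lstrip("$"), "")
                for n in attr.childNodes
                if n.nodeType == n.TEXT_NODE or n.localName == "value-of").strip())
    return urls

def empty_params(url):
    """Query parameters that are present in the URL but carry no value."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in query.items() if values == [""]]

if __name__ == "__main__":
    print("stylesheet fetched:", stylesheet_urls(XML_BODY, PAGE_URL))
    for src in generated_srcs(XSL_BODY, PARAMS):
        print("sub-request:", src, "| empty:", empty_params(src))
```

minidom is not hardened against malicious XML, so for captures from untrusted sources parse with defusedxml instead.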
