DataPower

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

Hi Asim, DataPower will block any attempt to send a GET request with payload. The HTTP specification does not really forbid GET requests with payload but it says "A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported." (see https://www.rfc-editor.org/rfc/rfc9110.html#name-get).

On the other hand, the specification does not stipulate that a GET with data must be supported. IMHO there exists a common agreement that a GET request should not contain any payload (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET).

------------------------------
Pierce Shah

Original Message:
Sent: Thu July 18, 2024 10:14 AM
From: Asim Khan
Subject: Does DataPower support HTTP GET requests with a body

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

------------------------------
Asim Khan
------------------------------

> DataPower will block any attempt to send a GET request with payload
>
I just tested, and this is the error message DataPower will log:
... Request processing failed: Get Or Head with Content-Length, the malformed header is (Content-Length: 6), ...

I tested that using this GatewayScript which reports method and payload length:
$ cat method_payload.js 
var hm = require('header-metadata');
var sm = require('service-metadata');

session.input.readAsBuffer(function (readAsBufferError, data) {
  session.output.write(sm.protocolMethod+" "+data.length);
});
$ 

Then I did packet capture and follow TCP stream and copied the POST request into a file.
That file had all CRLF replaced by LF as I am working under Linux.
So I executed unix2dos to get the needed CRLFs back.

The captured POST request works fine when sent with netcat, see attached screenshot.

But not the modified GET request, that results in above logged error.

P.S:
I got victim of forum security measurements, I was not able to post with the command in attached screenshot in clear. 
Funny that screenshot allows me to transport same information but not getting stopped by forum ;-)

P.P.S:
The "6" above the "POST 6" line and the "0" below that line in screenshot below are the chunk lengths in chunked HTTP response.

------------------------------
Hermann Stamm-Wilbrandt
Compiler Level 3 support, IBM DataPower Gateways
IBM
Boeblingen

Original Message:
Sent: Fri July 19, 2024 05:03 AM
From: Pierce Shah
Subject: Does DataPower support HTTP GET requests with a body

Hi Asim, DataPower will block any attempt to send a GET request with payload. The HTTP specification does not really forbid GET requests with payload but it says "A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported." (see https://www.rfc-editor.org/rfc/rfc9110.html#name-get).

On the other hand, the specification does not stipulate that a GET with data must be supported. IMHO there exists a common agreement that a GET request should not contain any payload (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET).

------------------------------
Pierce Shah

Original Message:
Sent: Thu July 18, 2024 10:14 AM
From: Asim Khan
Subject: Does DataPower support HTTP GET requests with a body

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

------------------------------
Asim Khan
------------------------------

Thanks Hermann/Pierce. So technically it's not even possible.

------------------------------
Asim Khan

Original Message:
Sent: Tue July 23, 2024 05:42 AM
From: Hermann Stamm-Wilbrandt
Subject: Does DataPower support HTTP GET requests with a body

> DataPower will block any attempt to send a GET request with payload
>
I just tested, and this is the error message DataPower will log:
... Request processing failed: Get Or Head with Content-Length, the malformed header is (Content-Length: 6), ...

I tested that using this GatewayScript which reports method and payload length:
$ cat method_payload.js 
var hm = require('header-metadata');
var sm = require('service-metadata');

session.input.readAsBuffer(function (readAsBufferError, data) {
  session.output.write(sm.protocolMethod+" "+data.length);
});
$ 

Then I did packet capture and follow TCP stream and copied the POST request into a file.
That file had all CRLF replaced by LF as I am working under Linux.
So I executed unix2dos to get the needed CRLFs back.

The captured POST request works fine when sent with netcat, see attached screenshot.

But not the modified GET request, that results in above logged error.

P.S:
I got victim of forum security measurements, I was not able to post with the command in attached screenshot in clear. 
Funny that screenshot allows me to transport same information but not getting stopped by forum ;-)

P.P.S:
The "6" above the "POST 6" line and the "0" below that line in screenshot below are the chunk lengths in chunked HTTP response.

------------------------------
Hermann Stamm-Wilbrandt
Compiler Level 3 support, IBM DataPower Gateways
IBM
Boeblingen

Original Message:
Sent: Fri July 19, 2024 05:03 AM
From: Pierce Shah
Subject: Does DataPower support HTTP GET requests with a body

Hi Asim, DataPower will block any attempt to send a GET request with payload. The HTTP specification does not really forbid GET requests with payload but it says "A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported." (see https://www.rfc-editor.org/rfc/rfc9110.html#name-get).

On the other hand, the specification does not stipulate that a GET with data must be supported. IMHO there exists a common agreement that a GET request should not contain any payload (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET).

------------------------------
Pierce Shah

Original Message:
Sent: Thu July 18, 2024 10:14 AM
From: Asim Khan
Subject: Does DataPower support HTTP GET requests with a body

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

------------------------------
Asim Khan
------------------------------

Incase you want to send a GET request to datapower with body  ensure that the request header to the Front side handler does not contain Content-Length field for its being validated.

Thanks Hermann/Pierce. So technically it's not even possible.

------------------------------
Asim Khan

Original Message:
Sent: Tue July 23, 2024 05:42 AM
From: Hermann Stamm-Wilbrandt
Subject: Does DataPower support HTTP GET requests with a body

> DataPower will block any attempt to send a GET request with payload
>
I just tested, and this is the error message DataPower will log:
... Request processing failed: Get Or Head with Content-Length, the malformed header is (Content-Length: 6), ...

I tested that using this GatewayScript which reports method and payload length:
$ cat method_payload.js 
var hm = require('header-metadata');
var sm = require('service-metadata');

session.input.readAsBuffer(function (readAsBufferError, data) {
  session.output.write(sm.protocolMethod+" "+data.length);
});
$ 

Then I did packet capture and follow TCP stream and copied the POST request into a file.
That file had all CRLF replaced by LF as I am working under Linux.
So I executed unix2dos to get the needed CRLFs back.

The captured POST request works fine when sent with netcat, see attached screenshot.

But not the modified GET request, that results in above logged error.

P.S:
I got victim of forum security measurements, I was not able to post with the command in attached screenshot in clear. 
Funny that screenshot allows me to transport same information but not getting stopped by forum ;-)

P.P.S:
The "6" above the "POST 6" line and the "0" below that line in screenshot below are the chunk lengths in chunked HTTP response.

------------------------------
Hermann Stamm-Wilbrandt
Compiler Level 3 support, IBM DataPower Gateways
IBM
Boeblingen

Original Message:
Sent: Fri July 19, 2024 05:03 AM
From: Pierce Shah
Subject: Does DataPower support HTTP GET requests with a body

Hi Asim, DataPower will block any attempt to send a GET request with payload. The HTTP specification does not really forbid GET requests with payload but it says "A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported." (see https://www.rfc-editor.org/rfc/rfc9110.html#name-get).

On the other hand, the specification does not stipulate that a GET with data must be supported. IMHO there exists a common agreement that a GET request should not contain any payload (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET).

------------------------------
Pierce Shah

Original Message:
Sent: Thu July 18, 2024 10:14 AM
From: Asim Khan
Subject: Does DataPower support HTTP GET requests with a body

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

------------------------------
Asim Khan
------------------------------

If you supply no content-length or set it to 0 then we won't parse the body, means we only read the GET headers and ignore the body message completely (That is why this would "work").

Simply put, use a POST or PUT, there is no good reason to be using a GET request to post a body message.  Most web servers don't like this either and it is not implicitly stated that this should be supported in the HTTP specification (Despite not being disallowed, it is considered a bad practice).

Incase you want to send a GET request to datapower with body  ensure that the request header to the Front side handler does not contain Content-Length field for its being validated.

Thanks Hermann/Pierce. So technically it's not even possible.

------------------------------
Asim Khan

Original Message:
Sent: Tue July 23, 2024 05:42 AM
From: Hermann Stamm-Wilbrandt
Subject: Does DataPower support HTTP GET requests with a body

> DataPower will block any attempt to send a GET request with payload
>
I just tested, and this is the error message DataPower will log:
... Request processing failed: Get Or Head with Content-Length, the malformed header is (Content-Length: 6), ...

I tested that using this GatewayScript which reports method and payload length:
$ cat method_payload.js 
var hm = require('header-metadata');
var sm = require('service-metadata');

session.input.readAsBuffer(function (readAsBufferError, data) {
  session.output.write(sm.protocolMethod+" "+data.length);
});
$ 

Then I did packet capture and follow TCP stream and copied the POST request into a file.
That file had all CRLF replaced by LF as I am working under Linux.
So I executed unix2dos to get the needed CRLFs back.

The captured POST request works fine when sent with netcat, see attached screenshot.

But not the modified GET request, that results in above logged error.

P.S:
I got victim of forum security measurements, I was not able to post with the command in attached screenshot in clear. 
Funny that screenshot allows me to transport same information but not getting stopped by forum ;-)

P.P.S:
The "6" above the "POST 6" line and the "0" below that line in screenshot below are the chunk lengths in chunked HTTP response.

------------------------------
Hermann Stamm-Wilbrandt
Compiler Level 3 support, IBM DataPower Gateways
IBM
Boeblingen

Original Message:
Sent: Fri July 19, 2024 05:03 AM
From: Pierce Shah
Subject: Does DataPower support HTTP GET requests with a body

Hi Asim, DataPower will block any attempt to send a GET request with payload. The HTTP specification does not really forbid GET requests with payload but it says "A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported." (see https://www.rfc-editor.org/rfc/rfc9110.html#name-get).

On the other hand, the specification does not stipulate that a GET with data must be supported. IMHO there exists a common agreement that a GET request should not contain any payload (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET).

------------------------------
Pierce Shah

Original Message:
Sent: Thu July 18, 2024 10:14 AM
From: Asim Khan
Subject: Does DataPower support HTTP GET requests with a body

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

------------------------------
Asim Khan
------------------------------

Hi DOMINIC MICALE

i have been able to overcome the challenge myself and i have seen the body being parsed to the backend and a valid response returned.I agree with you that its not best practice to use GET function with a body but some systems that i have interacted with have this flaw and we need ways to achieve the objective of securing our apis with datapower.

If you supply no content-length or set it to 0 then we won't parse the body, means we only read the GET headers and ignore the body message completely (That is why this would "work").

Simply put, use a POST or PUT, there is no good reason to be using a GET request to post a body message.  Most web servers don't like this either and it is not implicitly stated that this should be supported in the HTTP specification (Despite not being disallowed, it is considered a bad practice).

Incase you want to send a GET request to datapower with body  ensure that the request header to the Front side handler does not contain Content-Length field for its being validated.

Thanks Hermann/Pierce. So technically it's not even possible.

------------------------------
Asim Khan

Original Message:
Sent: Tue July 23, 2024 05:42 AM
From: Hermann Stamm-Wilbrandt
Subject: Does DataPower support HTTP GET requests with a body

> DataPower will block any attempt to send a GET request with payload
>
I just tested, and this is the error message DataPower will log:
... Request processing failed: Get Or Head with Content-Length, the malformed header is (Content-Length: 6), ...

I tested that using this GatewayScript which reports method and payload length:
$ cat method_payload.js 
var hm = require('header-metadata');
var sm = require('service-metadata');

session.input.readAsBuffer(function (readAsBufferError, data) {
  session.output.write(sm.protocolMethod+" "+data.length);
});
$ 

Then I did packet capture and follow TCP stream and copied the POST request into a file.
That file had all CRLF replaced by LF as I am working under Linux.
So I executed unix2dos to get the needed CRLFs back.

The captured POST request works fine when sent with netcat, see attached screenshot.

But not the modified GET request, that results in above logged error.

P.S:
I got victim of forum security measurements, I was not able to post with the command in attached screenshot in clear. 
Funny that screenshot allows me to transport same information but not getting stopped by forum ;-)

P.P.S:
The "6" above the "POST 6" line and the "0" below that line in screenshot below are the chunk lengths in chunked HTTP response.

------------------------------
Hermann Stamm-Wilbrandt
Compiler Level 3 support, IBM DataPower Gateways
IBM
Boeblingen

Original Message:
Sent: Fri July 19, 2024 05:03 AM
From: Pierce Shah
Subject: Does DataPower support HTTP GET requests with a body

Hi Asim, DataPower will block any attempt to send a GET request with payload. The HTTP specification does not really forbid GET requests with payload but it says "A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported." (see https://www.rfc-editor.org/rfc/rfc9110.html#name-get).

On the other hand, the specification does not stipulate that a GET with data must be supported. IMHO there exists a common agreement that a GET request should not contain any payload (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET).

------------------------------
Pierce Shah

Original Message:
Sent: Thu July 18, 2024 10:14 AM
From: Asim Khan
Subject: Does DataPower support HTTP GET requests with a body

Hello,

Capability related Question:

I am looking to know the capability of DataPower with respect to if DataPower support sending or receiving HTTP GET requests with a body. Thanks

------------------------------
Asim Khan
------------------------------