Einzelnen Beitrag anzeigen

Kas Ob.

Registriert seit: 3. Sep 2023
227 Beiträge
 
#3

AW: Javascript zum Download?

  Alt 4. Okt 2023, 16:33
I am not witnessing anything like that !

Performing cURL
Code:
curl -v https://www.bundesbank.de/statistic-rmi/StatisticDownload?tsId=BBEX3.M.JPY.EUR.BB.AC.A02
The result
Code:
* timeout on name lookup is not supported
* timeout on name lookup is not supported
* Hostname was NOT found in DNS cache
*   Trying 185.173.228.8...
* Connected to www.bundesbank.de (185.173.228.8) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: D:\Program Files\OpenSSL-Win64\bin\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=DE; O=Deutsche Bundesbank; ST=Hessen; L=Frankfurt am Main; CN=bundesbank.de
*        start date: 2022-11-08 08:32:52 GMT
*        expire date: 2023-11-12 23:59:59 GMT
*        subjectAltName: www.bundesbank.de matched
*        issuer: C=DE; O=T-Systems International GmbH; OU=T-Systems Trust Center; ST=Nordrhein Westfalen; postalCode=57250; L=Netphen; street=Untere Industriestr. 20; CN=TeleSec ServerPass Class 2 CA
*        SSL certificate verify ok.
> GET /statistic-rmi/StatisticDownload?tsId=BBEX3.M.JPY.EUR.BB.AC.A02 HTTP/1.1
> User-Agent: curl/7.39.0
> Host: www.bundesbank.de
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Wed, 04 Oct 2023 15:19:22 GMT
< content-type: text/csv
< set-cookie: INGRESSCOOKIE_statapp=1696432763.756.39.843280|7175a3d964339b4fb3d12ae49777d122; Path=/statistic-rmi; HttpOnly; Secure
< content-disposition: attachment; fileName=BBEX3.M.JPY.EUR.BB.AC.A02.csv
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< content-security-policy: default-src 'none';
< referrer-policy: same-origin
< set-cookie: SERVERID=ccb0110cb65faf6cfbfe4a89b6ff27d38eb2a14e; path=/; HttpOnly; Secure
< x-varnish: 47143146
< age: 0
< accept-ranges: bytes
< via: 1.1 Varnish
< content-length: 5228
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
< strict-transport-security: max-age=31536000
<
&#1103;&#9559;&#9488;"";BBEX3.M.JPY.EUR.BB.AC.A02;BBEX3.M.JPY.EUR.BB.AC.A02_FLAGS
"";Euro-Referenzkurs der EZB / 1 EUR = ... JPY / Japan;
Einheit;JPY;
Dimension;Eins;
Stand vom;29.09.2023 16:12:08 Uhr;
1999-01;131,35;
1999-02;130,78;
1999-03;130,20;
1999-04;128,16;
1999-05;129,71;
1999-06;125,32;
1999-07;123,71;
1999-08;120,10;
1999-09;112,39;
1999-10;113,52;
1999-11;108,25;
.......
The request headers are minimal and does work and enough, no cookies, no hidden parameters and for sure no java script code manipulation or hashing or what so ever.
Code:
GET /statistic-rmi/StatisticDownload?tsId=BBEX3.M.JPY.EUR.BB.AC.A02 HTTP/1.1
User-Agent: curl/7.39.0
Host: www.bundesbank.de
Accept: */*
So you have to check HTTPS is used not falling back to HTTP, also check if the connection is not violating the security according to the bank site, which is very unlikely, but make sure the User-Agent is filled and not empty or blacklisted by the bank site server, in all cases compare check your request headers.
To check the header perform similar request to your own server, any web server will do and should be able to capture the headers, if you don't have a web server then use any web server example form any where you can put your hand on.
  Mit Zitat antworten Zitat