Oracle 19c express manager not loading, listener will not register https port after exec dbms_xdb_config.gethttpsport()

We just set up a new Oracle 19c install on a VM Windows Server 2020. I have been struggling trying to get the Express Manager working. At the end of the installation Oracle notified me that I can access the Express Manager at https://%localhost%:5500/em. But upon visiting the website in Chrome the connection is refused. I disabled the firewall and receive the same message. I went through the Oracle documentation and ensured that dbms_xdb_config.gethttpsport() outputs 5500.

After running lsnrctl status I noticed that under listeners I am missing port 5500. I searched for other users with the same issue; they all have an entry for port 5500 like the following.

    (DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=HOSTNAME.domain)(PORT=5500))(Security=(my_wallet_directory=C:\ORACLE\admin\ecoomdb\xdb_wallet))(Presentation=HTTP)(Session=RAW))
    Services Summary...

According to Oracle documentation, when I run the command dbms_xdb_config.gethttpsport(5500) the listener should register the port. But after running the command multiple times this is not happening.

WordPress rewrites my link with custom URL scheme to http(s)

I have a page that only users of my native iOS app will find, which should open the app. This works (on any other HTML page anyway) by linking to "myapp://path/inside/app".

WordPress keeps "fixing" this to "https://path/inside/app", which doesn’t work of course. I didn’t find a setting to stop it from doing this. Is this possible?

htaccess force https not working if there is a URI

I’ve never worked with Apache, so I’m a complete newbie.

I have a multihosting account on a provider website, where 3 domains are used. I want to force https connection on a domain, let’s say example.com, which is not the main domain of the hosting plan. What I did is to add an .htaccess file in the path examplecom/public_html, the folder where there are all the files of the website. In the .htaccess I have copy-pasted these strings from the provider guide:

    RewriteEngine on
    RewriteBase /
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://www.example.com%{REQUEST_URI} [L,R=301]

The website works correctly if I go to a page with a non-empty URI, but it doesn’t on the main page. For example: http://example.com/anypage is correctly redirected to https://www.example.com/anypage, while http://example.com/ is redirected to https://www.example.com/public_html, and I can’t understand why.

Can a webpage differ in content if ‘http’ is changed to ‘https’ or if ‘www.’ is added after ‘http://’ (or ‘https://’)?

When I use the Python package newspaper3k and run the code

    import newspaper
    paper = newspaper.build('http://abcnews.com', memoize_articles=False)
    for url in paper.article_urls():
        print(url)

I get a list of URLs for articles that I can download, in which both these URLs exist

  • http://abcnews.go.com/Health/coronavirus-transferred-animals-humans-scientists-answer/story?id=73055380
  • https://abcnews.go.com/Health/coronavirus-transferred-animals-humans-scientists-answer/story?id=73055380

As can be seen, the only difference between the two URLs is the s in https.

The question is, can the webpage content differ simply because an s is added to http? If I scrape a news source (in this case http://abcnews.com), do I need to download both articles to be sure I don’t miss any article, or are they guaranteed to have the same content so that I can download only one of them?

I have also noticed that some URLs also are duplicated by adding www. after the http:// (or https://). I have the same question here: Can this small change cause the webpage content to differ, and is this something I should take into account or can I simply ignore one of these two URLs?

Redirecting domains on https without creating a certificate for them?

I own, say, 100 domains. I want to add a redirect for each of them to a new domain. And not only to a domain, but a custom query string. For instance:

    domain1.example/url1 -> domain11.example/url2
    domain2.example/url1/url4 -> domain15.example/fdsafds/url33/url555
    # and so on......., 100 domains with 100+ URLs each

All the original URLs and the new ones are known beforehand. And there’re hundreds of URLs for each domain.

Requirement: there has to be an intermediate "domain-redirector" via which the domains will be redirected, and that’ll do all the job:

    domain1.example/url1 -> my_redirector.example/url1 -> domain11.example/url2
    domain2.example/url1/url4 -> my_redirector.example/url1/url4 -> domain15.example/fdsafds/url33/url555
    # and so on.......

This way I’d create an A record for each of the domains pointing to my_redirector.example. And at my_redirector.example I’d be able to extract a) the original query string from the URL b) the original domain

Note that it needs to work with both http and https.

Question 1: will original domain and URL or query path be accessible at my_redirector.example?

Question 2: will I have to create an SSL certificate for each of the original domains domain1-domain100 at my_redirector.example, in order to be able to redirect https requests?

P.S. I’m a developer, therefore I’m capable of writing a custom utility to facilitate redirects at my_redirector.example
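
The lookup described for my_redirector.example, as an added example that is not part of the original post: the original domain arrives in the HTTP Host header and the path and query string in the request line, so both can key a fixed table. The table contents, the listening port 8080 and the choice to forward the original query string are assumptions; the server here speaks plain HTTP only.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample table: (original host, original path) -> fixed target URL.
# Targets come only from this table, never from request data, so the
# redirector cannot be steered to an arbitrary destination.
REDIRECTS = {
    ("domain1.example", "/url1"): "https://domain11.example/url2",
    ("domain2.example", "/url1/url4"): "https://domain15.example/fdsafds/url33/url555",
}

def normalize_host(host_header):
    """Lower-case the Host header value and drop any port and trailing dot."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):          # IPv6 literal, never a mapped domain
        return ""
    host = host.rsplit(":", 1)[0] if ":" in host else host
    return host.rstrip(".")

def resolve(host_header, request_target):
    """Return the redirect target for (Host, request line), or None if unmapped."""
    path, _, query = request_target.partition("?")
    path = path.rstrip("/") or "/"
    target = REDIRECTS.get((normalize_host(host_header), path))
    if target is None:
        return None
    if query:                          # assumption: forward the original query string
        target += ("&" if "?" in target else "?") + query
    return target

class Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        target = resolve(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(404)       # unknown domain or path: no redirect at all
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Redirector).serve_forever()
```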

Https injecting javascript, steal certificate

I have a question which came to my mind regarding SSL security. SSL encrypts data with a public key and decrypts with a private key. So in the figure

client->public key to private key-> server

Does the server also use the same public key to encrypt before sending? The server associates each client with a public key and saves it?

So in reverse,

server->public key to private key-> client

If this is the case

A person who is ARP spoofing and can edit the data passing through the network could use this public key to inject javascript code in the middle of the content, since most likely it will be an HTML page being rendered? So without the need of seeing the data, can we inject with only using the decryption?

Second question is,

When the client first connects to a website, if the ARP spoofing is implemented in the same network, on the first handshake, can the sniffer somehow steal the private key or the SSL signed certificate? If there already exists one, tell the server or the user somehow that it is expired to obtain the new plain data one?

For example,

    The SSL request
    The client -> the sniffer -> the webserver is being told the client does not have a valid SSL or the current one is expired and a new one is requested,

Can it intercept the plain certificate data to steal the private key the second way?

    The server (oh here take it) -> sniffer (hehe I have the new certificate) -> the client, use this, this is the new cert, the old one doesn't work anymore

SFTP access from a page on HTTPS site

I intend to embed an SFTP server into a web page on an HTTPS site. The HTTPS site acts as an ordering portal (essentially I have just set it up as a private eCommerce site.)

I currently use a SolarWinds SFTP server with the desktop client to access files on each end. Is it possible to have a page on the website be an access point to the SFTP server where individuals can log in, upload and download files? Additionally, how would I go about completing this?

The files to be transferred are considered protected, therefore SFTP is the only non-paper method of transfer accepted by the recipient.

Arp poisoning doesn’t work with HTTPS navigation

I’m trying to do an ARP poisoning attack in my LAN. I use Ettercap and I place my attacker computer between my routers and target Windows computer.

Despite the target ARP table changing, when I use this computer to visit an HTTPS website, the browser (Chrome) stops the connection. Is there a method to make an ARP poisoning attack and allow the HTTPS navigation in the victim’s computer?

BREACH attack in HTTPS

Ref: http://www.breachattack.com/

This attack is old and works against HTTP compression like gzip. This is possible when an attacker can find a secret in the HTTP response when the server accepts a query parameter and reflects it back in the response, and by calculating the gzip size.

But, how can the attacker calculate the size? Can domain a.com raise a request to b.com and measure the size of gzip response when same origin policy is in place?

If the attacker has to calculate the gzip size by doing MITM, then the TLS in HTTPS will prevent that. What am I missing here?

Solution to User Initial HTTP Requests Unencrypted Despite HTTPS Redirection?

It is my understanding that requests from a client browser to a webserver will initially follow the specified protocol, e.g., HTTPS, and default to HTTP if not specified (Firefox tested). On the server side it is desired to enforce a strict type HTTPS for all connections for the privacy of request headers and as a result HTTPS redirections are used. The problem is that any initial request where the client does not explicitly request HTTPS will be sent unencrypted. For example, the client instructs the browser with the below URL command.

google.com/search?q=unencrypted-get

google.com will redirect the client browser to use HTTPS but the initial HTTP request and GET parameters were already sent unencrypted, possibly compromising the privacy of the client. Obviously there is nothing foolproof that can be done by the server to mitigate this vulnerability but:

  1. Could this misuse compromise the subsequent TLS security possibly through a known-plaintext attack (KPA)?
  2. Are there any less obvious measures that can be done to mitigate this possibly through some DNS protocol solution?
  3. Would it be sensible for a future client standard to always initially attempt with HTTPS as the default?