fun with http handlers - miguel a. castro
Your Speaker
.NET Architect, Developer, & Trainer; Microsoft MVP; ASP Insider; Member of the INETA Speakers Bureau; Conference Speaker; Creator of CodeBreeze; In IT business since 1986
Agenda
• Identifying the Problem
• Methods of securing
• Setting up a Bulletproof Technique
• More about Handlers
• Summary
Identifying The Problem
Require the ability to prevent unauthorized downloading of files from your web site.
• Reasons:
  • User has not purchased your product
  • You want to track downloads (even on freeware)
  • You want to hide file locations on your site
Common Protection
• Zip-file Password Protection
  • Zip file can be spread but cannot be unlocked
  • If password gets out, you’re SOL
• Emails
  • Sending user file link in an email
  • Provide download for limited time
  • Insufficient for client account with download list
  • Usually accompanied by a temporary file name
Common Protection
• Temporary / Cryptic File Names
  • Usually GUID-based
  • Sometimes cryptic URLs are used, then rewritten
  • Usually accompanied by a download time limitation
All of these are Crackable or Abusable
ASP.NET’s Request Line (brief)
1. Browser makes request (may also be made from within a page), e.g. Default.aspx
2. Requested extension is located in the registered extensions in IIS (*.aspx, *.asmx, *.ashx, *.html, *.config, etc.)
3. Appropriate DLL handles the file: aspnet_isapi.dll
4. ASP.NET: extension is located in the <httpHandlers> section of the Config file chain.
5. The proper handler is loaded and the request is sent into it for processing.
6. Processing result may be sent to the browser (html) or rerouted elsewhere.
During the Pipeline Processing
Show IIS Configuration and machine.config HTTP Handlers
Bulletproof Technique (step 1)
• Add “zip” extension to IIS for specified application.
  • Will cause all “zip” files to be routed through standard ASP.NET channels where they can be dealt with under a controlled environment.
IIS6 Registration
IIS7 Registration
Note: IIS 7 stores its registrations in the <system.webServer> section of the appropriate config file.
Bulletproof Technique (step 2)
• Develop HTTP Handler that simply redirects to an “Access Denied” page.
• Install handler in web.config and assign it to any *.zip path.
  • Will cause all direct navigation to zip files to be denied.
  • *.config extensions use this technique with System.Web.HttpForbiddenHandler
ASHX Files
• Navigating to an ASPX file causes the PageHandlerFactory class to invoke a “Page” handler and start the events in the page lifecycle.
• ASHX files are HTTP Handlers exposed as direct ASP.NET navigation points.
  • They are intercepted by the SimpleHandlerFactory class.
Bulletproof Technique (step 3)
• Develop ASHX handler to be used to download files.
  • Receive product ID in query string variable.
  • Confirm authenticated user.
  • Check user products for product requested.
  • Download product by streaming the file.
  • Cannot redirect to it because of previous security.
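An added example covering steps 2 and 3 together; it is not code from the slides. The comment at the top shows the web.config line that maps *.zip to the built-in forbidden handler (as the deck notes *.config already uses), and the C# ASHX handler below it performs the authentication and ownership checks before streaming the file. The `Demo` namespace, the `Catalog` stand-in for the product database, the `id` query string name and the `C:\ProductStore` location are assumptions.

```csharp
// Added example, not from the slides. Assumed step 2 web.config registration
// (classic pipeline; IIS7 integrated mode uses <system.webServer><handlers>):
//   <httpHandlers><add verb="*" path="*.zip" type="System.Web.HttpForbiddenHandler" /></httpHandlers>
// Download.ashx itself holds only: <%@ WebHandler Class="Demo.DownloadHandler" %>
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

namespace Demo
{
    // Stand-in for the product database, with constructed sample data.
    static class Catalog
    {
        static readonly Dictionary<int, string> files =
            new Dictionary<int, string> { { 1, "codebreeze.zip" }, { 2, "widgets.zip" } };
        static readonly Dictionary<string, int[]> owned =
            new Dictionary<string, int[]> { { "alice", new[] { 1 } } };
        public static string FileNameFor(int id)
        { string f; return files.TryGetValue(id, out f) ? f : null; }
        public static bool UserOwns(string user, int id)
        { int[] p; return owned.TryGetValue(user, out p) && Array.IndexOf(p, id) >= 0; }
    }

    // Step 3: the ASHX handler that streams a purchased file.
    public class DownloadHandler : IHttpHandler
    {
        const string Store = @"C:\ProductStore";   // assumed; outside the web root
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext ctx)
        {
            HttpResponse res = ctx.Response;
            int productId;
            if (!int.TryParse(ctx.Request.QueryString["id"], out productId))
            { res.StatusCode = 400; return; }               // malformed product id
            if (!ctx.Request.IsAuthenticated)
            { res.StatusCode = 401; return; }               // confirm authenticated user
            string user = ctx.User.Identity.Name;
            string fileName = Catalog.FileNameFor(productId);
            if (fileName == null || !Catalog.UserOwns(user, productId))
            { res.StatusCode = 403; return; }               // check user's products
            // The file name comes from the server-side catalog, never from the
            // request, so the client can neither name a path nor learn one.
            res.ContentType = "application/zip";
            res.AppendHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
            res.TransmitFile(Path.Combine(Store, fileName)); // stream, never redirect
        }
    }
}
```

Because the *.zip mapping from steps 1 and 2 blocks direct navigation, the handler must stream the bytes itself; a Response.Redirect to the .zip would hit the forbidden handler.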
Other Uses For Handlers
• URL Rewriting
  • A must for good search engine incorporation
  • ASP.NET 4.0 includes routing engine
• Image Watermarking
  • Intercepting all images and embedding watermark
• RSS Syndication
  • ASHX useful in image paths for resource extraction
More About Handlers
• Handler Factories
  • IHttpHandlerFactory interface
  • Can serve different handlers based on conditioning.
  • Installs in config EXACTLY the same as a handler.
• Asynchronous Handlers
  • IHttpAsyncHandler interface
  • Uses familiar Begin/End pattern for asynchronous processing.
Summary
• Secure technique against unauthorized file downloading.
• Can be combined with additional techniques.
• Lets you track downloads, even if they’re free.
• Handlers are a great tool for intercepting requests for advanced manipulation.
• IIS7’s a pain-in-the-butt.