Is Response.Redirect(Request.Url.AbsolutePath) Always "Safe"? - asp.net

I have the need to redirect back to the current page minus any query arguments.
I just found Request.Url.AbsolutePath, which looks like it provides just the ticket to pass to Response.Redirect().
It seems to work on my dev machine okay. Does anyone know of any potential problems redirecting to the value of this property? It's hard to confirm it's "safe" in all cases.

It could be a problem if you have "re-written" the URL internally. For example, the user requests "/team.aspx" but internally you transfer execution or rewrite the URL as "/page.aspx?id=137".
Personally, I prefer to use Request.RawUrl (which is always local), and you can strip the query string.
Getting rid of the host part of a request is not an issue, because an HTTP redirect can use an absolute path ("/foo/bar") and the browser will preserve the protocol, port and hostname.

I would use Request.Url.OriginalString.
Absolute path gets rid of the host part of the URL.
Take a look at this: http://wdevs.blogspot.com/2009/03/url-properties-of-request-to-aspnet.html

Global solution for ResolveUrl XSS issue

We recently had a security scan done, and it turns out our application is susceptible to XSS via the ResolveUrl cookieless state problem described here.
Now I am looking for a way to properly fix the issue in a global way for our application. Not using ResolveUrl is not really an option, because we literally use it in over 1000 places. I find it strange that there is no way in ASP.NET (that I know of) to disable the cookieless state URL parsing altogether, since we are not using cookieless state.
I've tried to implement a check in BeginRequest, to drop requests that have a path segment in the URL that starts with (.( (. being any character). This would work, because no actual URL in our application has a path segment that starts with this. However, the problem is that the URL we can read from the request doesn't have this path segment anymore. It seems to be filtered out by the runtime before the execution of our code starts.
What other options do I have?
Eventually I went with a rule using the UrlRewrite module, to simply block all requests using the same regex as in my original question. This module runs before .NET removes the cookieless session ID from the request URL, so I can block the request.
Here is the regex pattern we are using in a UrlRewrite rule:
.*/\([a-zA-Z]\(.*
With an action type of Abort Request, this matches and blocks URLs of the form described in the article, such as:
(A(XXXXXXXXXXX))
(S(XXXXXXXXXXX))
(F(XXXXXXXXXXX))
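As an added example (not code from the question or the answer), this JavaScript models what the asker observed: a check in BeginRequest runs on a path the runtime has already cleaned, while the UrlRewrite rule above runs on the raw path. The segment stripping is a simplified stand-in for the runtime's behaviour, and the sample paths are constructed from the article's (A(...)), (S(...)) and (F(...)) shapes.

```javascript
// Added example (not from the question or the answer). Models why a
// BeginRequest check saw no cookieless segment while a UrlRewrite rule does.

// The pattern from the answer's UrlRewrite rule, applied here to a raw path.
const COOKIELESS_SEGMENT = /.*\/\([a-zA-Z]\(.*/;

// Simplified stand-in for the runtime: a path segment of the form "(X(...))"
// with one letter X is removed before application code sees the URL.
const SEGMENT_SHAPE = /\/\([a-zA-Z]\([^()]*\)\)/;

// The path as application code (e.g. a BeginRequest handler) gets to read it.
function stripCookielessSegment(rawPath) {
  return rawPath.replace(SEGMENT_SHAPE, "");
}

// A check placed in BeginRequest tests the already-cleaned path, so it never
// fires on the segment it was written to catch.
function beginRequestWouldBlock(rawPath) {
  return COOKIELESS_SEGMENT.test(stripCookielessSegment(rawPath));
}

// The UrlRewrite rule (action: Abort Request) tests the raw path instead.
function rewriteRuleWouldBlock(rawPath) {
  return COOKIELESS_SEGMENT.test(rawPath);
}

// Constructed sample paths using the article's (A(...)), (S(...)), (F(...))
// shapes, plus two ordinary paths that must keep working.
const SAMPLE_PATHS = [
  "/(A(XXXXXXXXXXX))/team.aspx",
  "/reports/(S(XXXXXXXXXXX))/page.aspx",
  "/(F(XXXXXXXXXXX))/default.aspx",
  "/team.aspx",
  "/docs/(notes).aspx",
];

for (const p of SAMPLE_PATHS) {
  console.log(
    p.padEnd(40),
    "app sees:", stripCookielessSegment(p).padEnd(22),
    "BeginRequest blocks:", beginRequestWouldBlock(p),
    "rewrite rule blocks:", rewriteRuleWouldBlock(p)
  );
}
```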

ASP.Net Relative Redirects and Resource Paths

We are working on the conversion of an ASP site to ASP.Net and are running into problems with redirects and resource locations. Our issues are coming from a peculiarity of our set-up. Our site can be accessed in two ways:
1. Directly by URL: http://www.mysite.com - in this case everything works fine
2. Via a proxy server with a URL like: http://www.proxy.com/mysite_proxy/proxy/
In #2 "mysite_proxy" is a mapping on proxy.com that directs the request behind the scenes to www.mysite.com, and "proxy" is a virtual sub-website that just redirects the request to the root of www.mysite.com. It essentially is meant to give us a convenient way of knowing whether a request is hitting the site from the proxy or not.
We are running into two problems with this setup:
Using Response.Redirect either with the "~" or a plain relative path (Default.aspx) generates a 302 response with a location of "/proxy/rest_of_the_path.aspx". This causes the browser to request http://www.proxy.com/proxy/rest_of_the_path.aspx, which isn't anything and doesn't even hit our server, so we couldn't do an after-the-fact rewrite.
Using "~" based URLs in our pages for links, images, style-sheets, etc. creates the same kind of path: "/proxy/path_to_resources.css." We could probably solve some of these by using relative paths for all these resources though that would be a lot of work and it would do nothing to address similar resource links generated by the framework and 3rd party components.
Ideally I want to find a global fix that will make these problems transparent to the developers working on the site. I have a few ideas at this point:
Getting rid of the proxy, it is not really needed and is there for administrative and not technical reasons. Easiest to accomplish technically, the hardest to accomplish in the real world.
Hand the problem off to the group that runs the proxy and say it is their problem they need to fix it.
Use a Response filter to modify the raw html before it is sent to the client. I know this could fix my resource links, but I am not certain about the headers (need to test it out) and there would be a performance hit to having to parse every response looking for and re-writing urls.
All of these solutions have big negatives in my mind and I was hoping someone might have another idea. So any thoughts?
Aside: there are a lot of posts up already that deal with the reverse of this issue (I have a relative URL, how do I make it absolute), but I didn't come across anything that fit the bill for the other direction.
As a fix, I'd go with a small detection routine in Global.asax:Session_Start (since I imagine that the proxy doesn't actually start another application instance), set a session variable with the correct path, and use it instead of '~'.
In case a different application instance is used, use Application_Start instead of Session_Start and a static global variable instead of a Session variable.

Passing an HTTP URL as a GET method variable - how to?

I am trying to do this:
http://somehost.net/edit.php?url=http://www.youtube.com/watch?v=EgHY53dOZ-U
Forbidden
You don't have permission to access edit.php on this server.
Is there a way to fix this through JavaScript (jQuery), because I am passing the argument through an AJAX call?
I have tried it this way but without success:
$('#videofrm').load('edit.php?url=' + encodeURI($(this).siblings('a').attr('href')));
You should fix the chmod issues on the server.
Edit
What is your edit.php doing? If it is redirecting somewhere else, then echo the resulting URL before redirecting.
You can follow Tomalak Geret'kal's answer if you want to / can rewrite the .htaccess; otherwise you need to pass the URL without the http:// part and prepend http:// in edit.php.
If you don't have permission to access edit.php, then it doesn't matter how many different ways you try to request it: you don't have permission.
Fix the permissions on the server, likely using chmod if the server is on Linux.
Update
You have a server configuration issue. I can only replicate the problem when passing the string :// inside the querystring.
Try writing AllowEncodedSlashes On in your httpd config, as per this question/answer.
You will then need to make sure you encode your URI properly:
http://somehost.net/edit.php?url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv=EgHY53dOZ-U
(it looks like your encodeURI call should take care of that part)
AllowEncodedSlashes allows slashes to be present in the query string as long as they're encoded which, for some reason, is not the case by default. The docs say that failure produces a 404, not a 403, but I still think that this is the cause.
If you are not able to manipulate configuration options for your webserver, workarounds include:
Choosing a stand-in term for http:// like http!!! that you will programmatically revert in the PHP script;
If you always use http:// (as opposed to, say, ftp:// or some local path), just leave it off the query string entirely and prepend it to the input in your PHP script (preferred workaround).
Hope that helps.
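As an added example (not code from the question or the answers), this JavaScript shows what the asker's encodeURI call produces for the YouTube URL in the question, the fully encoded form the answer expects, and the "leave http:// off" workaround from the last paragraph; decodeUrlParam stands in for the server-side read of the url parameter.

```javascript
// Added example (not from the question or answers). Compares the asker's
// encodeURI call with encodeURIComponent for the URL in the question, and
// shows the "leave http:// off" workaround from the answer.

const VIDEO_URL = "http://www.youtube.com/watch?v=EgHY53dOZ-U"; // from the question

// encodeURI leaves the reserved characters ; , / ? : @ & = + $ # untouched,
// so "://" and "?" reach the server verbatim inside the query string.
function buildWithEncodeURI(target) {
  return "edit.php?url=" + encodeURI(target);
}

// encodeURIComponent escapes everything except A-Z a-z 0-9 - _ . ! ~ * ' ( ),
// giving the %3A%2F%2F form the answer shows (it also escapes "=" as %3D,
// which decodes identically).
function buildWithEncodeURIComponent(target) {
  return "edit.php?url=" + encodeURIComponent(target);
}

// Workaround: drop the scheme client-side and let edit.php prepend http://.
// Only http:// targets are accepted, so other schemes cannot be smuggled in.
function buildWithoutScheme(target) {
  const m = /^http:\/\/(.+)$/i.exec(target);
  if (!m) throw new Error("only http:// targets are accepted");
  return "edit.php?url=" + encodeURIComponent(m[1]);
}

// Stand-in for the server reading the "url" parameter from the query string.
function decodeUrlParam(requestPath) {
  const q = requestPath.indexOf("?");
  const params = new URLSearchParams(q === -1 ? "" : requestPath.slice(q + 1));
  return params.get("url");
}

console.log(buildWithEncodeURI(VIDEO_URL));          // "://" still present
console.log(buildWithEncodeURIComponent(VIDEO_URL)); // http%3A%2F%2F...
console.log(buildWithoutScheme(VIDEO_URL));          // no scheme in the query
console.log(decodeUrlParam(buildWithEncodeURIComponent(VIDEO_URL)));
```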

Tamper with first line of URL request, in Firefox

I want to change first line of the HTTP header of my request, modifying the method and/or URL.
The (excellent) Tamperdata firefox plugin allows a developer to modify the headers of a request, but not the URL itself. This latter part is what I want to be able to do.
So something like...
GET http://foo.com/?foo=foo HTTP/1.1
... could become ...
GET http://bar.com/?bar=bar HTTP/1.1
For context, I need to tamper with (make correct) an erroneous request from Flash, to see if an error can be corrected by fixing the url.
Any ideas? Sounds like something that may need to be done on a proxy level. In which case, suggestions?
Check out Charles Proxy (multiplatform) and/or Fiddler2 (Windows only) for more client-side solutions - both of these run as a proxy and can modify requests before they get sent out to the server.
If you have access to the webserver and it's running Apache, you can set up some rewrite rules that will modify the URL before it gets processed by the main HTTP engine.
For those coming to this page from a search engine, I would also recommend the Burp Proxy suite: http://www.portswigger.net/burp/proxy.html
Although more specifically targeted towards security testing, it's still an invaluable tool.
If you're trying to intercept the HTTP packets and modify them on the way out, then Tamperdata may be the route you want to take.
However, if you want minute control over these things, you'd be much better off simulating the entire browser session using a utility such as curl.
Curl: http://curl.haxx.se/

Alternative to Response.Redirect to effect a subdomain

I have a site that is hosted in shared hosting environment. They use a wildcard subdomain setup and suggest using Response.Redirect to achieve the illusion of a subdomain.
Is there a way of doing this such that the "switch" takes place on the server rather than bouncing back down to the browser first?
Server.Transfer only works if I transfer to an actual resource. So redirecting from sub1.mydomain.com to www.mydomain.com/public/ does not work. I'd have to redirect to www.mydomain.com/public/mypage.aspx instead, which I don't want to do.
To ensure that the "switch" takes place on the server, you could create a simple HTTP Module to intercept each request, inspect the requested URL and then forward it as needed. All your module has to do is handle the OnBeginRequest event, and then forward the request. In this way you could really have unlimited sub-domains.
You might also want to add a blank host header, so that any requests for subdomains not listed get forwarded to the proper default website.
If you aren't familiar with them, modules are very simple to create and work with.
Here's a link to a very similar implementation by Brendan Tompkins:
http://codebetter.com/blogs/brendan.tompkins/archive/2006/06/27/146875.aspx
You could also do some URL rewriting in the module should you need specific URL "look" behavior.
