I've read through some of the questions here and my understanding is that this is true. Could someone confirm that visitors to an ASP.NET website can actually download the aspx files in their original format? Just like with the css files, etc. Thanks.
Clarification: Please be patient with me. I am newbie and just want to make sure I understand. I know that using Dreamweaver, a person can just download almost all the source files from a website. At least that what could be done some years ago with many websites. He would just change a few text contents and have a similar website like the original with all the original design, images, etc.
So if he can do the same with an asp.net site: downloading all the files, he can look at the aspx file and see what the code does. I am not talking about him executing the page and do the view source command. This file would naturally be processed by the server and doesn't expose source code.
This is one of the reasons why code behind is recommended because the code can be compiled and the source is not uploaded to the site. Only the dll is uploaded and minimum logic is exposed through the aspx file.
No, they can't. The ASPX page contains server-side code that is executed, well, by the server, and ends up containing plain HTML that the client browser can understand.
When IIS receives a GET request for an ASPX page, the ASP.NET handler kicks in and returns the processed HTML. So unless IIS is misconfigured, that is not possible.
No. Visitors cannot see your business logic.
If that were the case the markup asp:TextBox wont get rendered as input type='text'
Also, if that were the case we would be seeing code snippets of sites written using scripting languages like PHP or Classic ASP
in newbie's term:
No, the server won't give you ASPX and code behind files, these are files that don't mean anything to the end-user/visitor/browsers. These codes are processed on the server, and what you get is only a bunch of HTML code, javascripts, css, images, etc. which browsers can render.
If you try to "download" (by accessing them through your browser) .ASPX, .CS, and WEB.CONFIG files to see the actual source code, well you simply can't.
Related
Dear Stack Over Flow Folks,
Hi, I have built a form input page in HTML that
has an action to post to an ASP handler/processor
.asp file. The form handler/processor .asp file
contains only <% Insert VBScript Here %> and no
HTML output whatsoever.
The .asp file was never intended to be a
"web viewable" .asp file like an .asp home page
file or html file would. It's supposed to be
for my eyes only- not the public's however
it does need to take info posted by the public
and do something with it on it's end.
I have used VBScript/ASP3.0 to build the form
handler/processor file and would like to know how
to keep someone from viewing the actual VBScript
in the handler/processor .asp file. I am aware of
obfuscation but I would like to know how to keep
prying eyes from even being able to take a look
at the obfuscated code in the handler/processor
file.
I realize that the server executes the .asp file
first before outputting anything to the browser so
I guess that my main concern is mostly that someone
may could "download" the form handler/processor .asp file,
then view it's contents on their machine.
Assuming the form handler .asp file is where it is,
behind the root, and is on a windows server
(no htaccess approach) how could one protect it so that
it could never be viewed or simply pulled down via
anonymous ftp or something like that?
Is there something like "script only" permissions that
the system administrator could set up for a particular
folder? Remember, with shared hosting I can't go above
the root. If so, would the form still be able to post?
How would any of you guys go about protecting the
asp file in addition to obfuscation? Any help would
be greatly appreciated.
Thanks,
ASP Pee-Wee
Unless your code encounters an error, no one should be able to view the contents of the ASP file in the browser. (If you haven't already, add on error resume next to your code, then add some error handling to prevent leaking too much information in any error message.)
If you can (might not be available with your shared-hosting) deny FTP access to all IP addresses except those you permit.
In a hosted environment, no matter what you do to protect your code, bad administrative/security policy by the host provider is a critical point of failure.
While the question specifies a shared-hosted environment, the best bet is to get a dedicated server and secure it yourself. If the information is important enough, the cost should be justified.
I am wondering are there any standard mechanisms available to protect the asp.net asp code in the client browser ? I found some references to Windows script encoders. Question is, are these script encoders encodes both aspx and code behind source ? If aspx is encoded with the Windows script encoders then how client browsers can decode it? Are they aware of the encoding algorithms ?
Or can we control the client browsers ( IE, Firefox, Chrome etc) to disable the view source option in the Tasks Menu when web site a loaded in them?
Any pointers will be appreciated.
The HTML code generated on a webpage is by definition public. It has to be accessible to the browser for it to be able to render the page properly. You will not find a reliable solution to hide the view source option in browsers.
To explain the basics a little bit :
When you create a page, you write markup in your .aspx file and some c# source code in the .aspx.cs file. The c# code is the server side code, which means that it is executed on the server (as opposed to, say, javascript which is executed directly in the client's browser -- client side).
When a page request is executed, the ASP.NET engine executes the server side code, and also executes the asp tags that you wrote in the .aspx page (for example : <asp:Button runat='server'... /> . It then spits out HTML code (this is a very simplified version of what actually happens).
The client's browser only ever gets the HTML (and it will not see the C# code nor any of asp markup code which is used to generate your page).
As I said before, the HTML generated is, and will always be public. There is nothing you can do to reliably hide it.
Server-side code (ie. code in code-behind pages, controllers, helpers, <% code nuggets %>, etc) will of course never be visible to a web client.
Your aspx or view pages (ie. .aspx, .cshtml, .vbhtml) files will also not be visible to web clients unless you have a signficiant security vulnerability, but the HTML generated by said files will be, along with any outputted or referenced JavaScript.
If the client couldn't read the HTML or JavaScript, how would the web browser be able to parse it?
Here's a question about obfuscating JavaScript, which will at least hinder but not completely remove a user's ability to view your source: How can I obfuscate (protect) JavaScript?
Similarly, one could theoretically obfuscate outputted HTML as well, but it could also be likely be reversed with some work.
It is impossible for the user to see your server-side (C#) source.
It is impossible to stop the user from seeing your client-side (HTML & Javascript) source.
In terms of javascript - the only thing you can do is obfuscate it to an extent that makes it worthless for someone to try to understand.
None of the code behind code is sent down to the client, only the rendered HTML.
there is no way to completely remove the ability for a client to view the source of your HTML. The only thing you can do is to obfuscate your HTML to make it harder for them to tell what they're looking at.
There are many libraries out there for obfuscating HTML in .net if you do a google search.
I'm confused really, but...
If you are on about the ASP.NET markup, you need not worry as any request to an ASP.NET page will cause the page to be compiled (if it hasn't already been, or isn't cached) which renders the page content as HTML.
If you are worried about people navigating to your code behind (e.g. mysite.com/SomePage.aspx.cs), you need not worry, as ASP.NET will not serve that content [unless the standard configuration has been changed].
If you are worried about people accessing your code through FTP, then I would suggest you change your compilation method and not deploy the source.
Am I missing anything?
I've been doing the html and css for a site, sending it off to a guy to implement in a web server. I get a call from the designer freaking out about the progress, saying the clients aren't happy. He wants me to personally integrate my css with what's on the site. The site is done in ASP.net, time is short, and I'm a little in over my head. I have an understanding of how php works, but have never worked extensively with it.
Looking at the stuff on the ftp, I can't even find equivalent of the index.html file (I know that when I go to the site itself, there is nothing after the base url, i.e., www.site.com/ brings me to the homepage.)
Can anyone give me a few tips or links as to what I am to do with this, or where to even being navigating this site?
EDIT: It's -not- a .Net Web Application, from the looks of it.
ASP.Net can be run in a compiled or a scripted environment. It is important to understand which environment your client has. If it is completely scripted, then you are likely looking for the default.aspx file and it's contents. If it is a compiled environment, you may be in for a ride. A compiled site may incorporate "master pages" as a templating engine, and then you'll need to apply your html/css modifications in several places.
You should start with the default.aspx page if there is one. Look for master page directives (it'll be named something like masterpage.master). If there isn't one, then you're in luck you'll just need to implement your changes on a page by page basis. The aspx page will be in a templated xml format so avoid touching tags that involve touching
If you are making changes to divs and structures of that nature, you may need to modify the CssClass attribute of the controls. I would recommend however that you make a back up, give it a shot, and under no circumstances attempt to do something that you aren't really ready to do. You will only anger the client and ruin your rep. It may actually be prudent to contact an actual ASP.Net developer to analyze the files separately and determine what you need to do.
I suggest that you read the Wikipedia article about ASP.NET to get familiarized with it as it summarizes the basic building structures.
Then, just to get you started: take a look at the more recent ASP.NET MVC (Model-View-Controller) paradigm. There's also development in what is called ASP.NET WebForms.
For example: when you go to www.site.com/ (known as friendly URLs) it may be redirecting you to an action method inside a controller. It's called routing. There's also URL rewrite.
In the MVC world a Controller can send/redirect the user to a specific View/Page.
A View (.aspx form/page) that contais HTML markup and CSS on the server side is basically an HTML page (.htm) page that'll be rendered on the client side.
I've seen a lot of dynamic website through the internet that their pages are in html or htm format . I don't get it why is that ? And how they do that ?
Just look at this website : http://www.realmadrid.com/cs/Satellite/en/Home.htm
What you see in the URL can be set at will by the people running the web site. The technique is called URL rewriting.
How
On Apache, the most popular solution to that is the mod_rewrite module.
Seeing as you've tagged ASP.NET: As far as I know, ASP.NET has only limited rewriting support out of the box. This blog entry promises a complete URL rewriting solution in ASP 2.0
Why
As for the why, there is no compelling technical reason to do this.
It's just that htm and html are the recognized standard extensions for HTML content, and many (including myself) think they simply look nicer than .php, .php5, .asp, .aspx and so on.
Also, as Adam Pope points out in his answer, this makes it less obvious which server side technology/language is used.
The .html/.htm extension has the additional effect that if you save it to disk, it is usually automatically connected with your installed browser.
Maybe (a very big maybe) there are very stupid simple client programs around that recognize that they have to parse HTML by looking at the extension. But that would be a blatant violation of rules and was hopefully last seen in 1994. Anyway, I don't think this is the case any more.
There are a number of potential reasons, these may include:
They could be trying to hide the technology they built the site with
They could be serving a cached version of a page which was written out to HTML.
They could simply perceive it to look friendlier to the user
They might be using a server-side scripting language like PHP or ASP. You can configure what file extensions get parsed by the language by editing the web server configuration files.
For example in PHP the default extension is .php but you could configure the server to use .html, that would mean any files with the .html extension could contain PHP code they would get parsed before the page is sent to the clients web browser.
This is generally not recommend as it adds an overhead and .html pages that don't have any PHP would be parsed by the PHP engine anyway which is slower then serving pages direct to the browser.
The other way would be to use some form of URL rewriting. See URL Rewriting in ASP.NET
Another reason is SEO(Search engine optimization). Many search engines like html pages and many guys(I mean some SEO specialists) think the html can improve the rank of their content in search engine.
One possibility is just historical reasons. Pages that started static, now are generated dynamically, but sites don't want to break old customer's favorites.
They keep some pages as html because their content is not supposed to change frequently or not at all.
But you should also keep in mind the fact that some sites are dynamic but they change the page extention to html but original page remains same eg php or aspx, etc using htaccess or some frameworks like codeigniter etc.
My asp.net 2.0 web site generates text files. Sometimes these files can get quite large. Under most cases the files are presented to the user, and approved without modification. However there are times when the end-user has to make changes to these files and submit the changed version back to the system.
Currently, when a file needs to be changed, I load the text into a textbox control, and I rewrite the file on postback. However I'm running into problems with OutOfMemory exceptions, invalid viewstate, etc.... These problems only occur when the file generated is large.
I beginning to think that I need another strategy for editing these files, but I'm at a loss as to which direction to take. Is there an ACTIVEX control that would serve me better? Should I abandon server side controls for this interaction and just deal with plain vanilla http posts?
Thanks in advance.
I am not sure about an activeX control, but you could use Silverlight. Thsi would allow you to stream the file to th Silverlight control, and then it could be edited on the clints machine, and when they are done, the chnages are sent back and stored by the server.
However, you will need to have .Net 3.5 on the server and make some changes to the web.config inorder to build against the 3.5 framework. If this is not acceptable, but you like the idea of doing stuff on the client side, you can also try using flash.
One suggestion to consider would be an ajax call to a pagemethod that way you could just post the text file to the server without posting the whole page and the associated viewstate.
Can you break up the text files into sections and allow the users to submit changes one section at a time?