Tuesday, September 21, 2010

blocking requests to sensitive files (e.g. web.config) through *.axd requests

After Doug's comment yesterday I started poking around to see if there was a way to filter requests to sensitive files, and as it turns out the answer is yes.
Both WebResource.axd and ScriptResource.axd use the function Page.DecryptString, which is marked as internal. We can, of course, use reflection to get access to this function and evaluate the decrypted string that the user is trying to pass to these handlers. The updated code below includes code to do just that and passes each decrypted string to a blacklisted set of regular expressions.
Important: You also need to rewrite requests to ScriptResource.axd into this module.

Ideally the list of expressions would be loaded from web.config, but for the time being you will need to add any additional expressions in the constructor.
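As a worked example of the approach described above (not the post's own code, which is not reproduced here), the IHttpModule below decrypts the `d` query parameter of WebResource.axd and ScriptResource.axd requests by calling the internal Page.DecryptString through reflection and rejects any decrypted value that matches a blacklist of regular expressions. Using a module rather than a replacement handler means both handlers are covered without rewriting ScriptResource.axd requests. It goes one step beyond the post by also reading extra patterns from web.config. The class name `AxdRequestFilterModule`, the appSettings key `AxdBlacklist`, the built-in pattern list and the single-argument `DecryptString(string)` signature (which is what .NET 2.0 through 4.0 expose) are assumptions made for this example.

```csharp
// Added example: filter *.axd resource requests by inspecting the decrypted "d" parameter.
// Not the blog post's own module; names and the default blacklist are chosen for this example.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public class AxdRequestFilterModule : IHttpModule
{
    // Assumption: the internal static Page.DecryptString(string) of .NET 2.0-4.0.
    private static readonly MethodInfo DecryptMethod = typeof(Page).GetMethod(
        "DecryptString",
        BindingFlags.NonPublic | BindingFlags.Static,
        null,
        new[] { typeof(string) },
        null);

    private readonly List<Regex> blacklist = new List<Regex>();

    public AxdRequestFilterModule()
    {
        // Built-in patterns, matched against the decrypted resource identifier.
        string[] patterns =
        {
            @"web\.config", @"machine\.config", @"global\.asax",
            @"app_code", @"app_data", @"\.cs$", @"\.vb$", @"\.\.[\\/]"
        };
        foreach (string p in patterns)
            blacklist.Add(new Regex(p, RegexOptions.IgnoreCase | RegexOptions.Compiled));

        // Optional extra patterns from web.config: <add key="AxdBlacklist" value="pat1;pat2"/>
        // (the key name is an assumption made for this example).
        string extra = ConfigurationManager.AppSettings["AxdBlacklist"];
        if (!string.IsNullOrEmpty(extra))
            foreach (string p in extra.Split(';'))
                if (p.Trim().Length > 0)
                    blacklist.Add(new Regex(p.Trim(), RegexOptions.IgnoreCase | RegexOptions.Compiled));
    }

    public void Init(HttpApplication app)
    {
        // Fail at startup rather than silently letting every request through.
        if (DecryptMethod == null)
            throw new InvalidOperationException(
                "Page.DecryptString(string) not found; check the framework version before using this module.");
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string path = app.Request.AppRelativeCurrentExecutionFilePath;
        if (path == null) return;
        path = path.ToLowerInvariant();
        if (!path.EndsWith("/webresource.axd") && !path.EndsWith("/scriptresource.axd")) return;

        string encrypted = app.Request.QueryString["d"];
        if (string.IsNullOrEmpty(encrypted)) return; // the built-in handler rejects this itself

        if (!IsAllowed(encrypted))
            Reject(app);
    }

    // False for a blacklisted identifier and for any decryption failure, so a tampered
    // ciphertext and a forbidden path receive exactly the same response from this module.
    public bool IsAllowed(string encrypted)
    {
        string decrypted;
        try
        {
            decrypted = (string)DecryptMethod.Invoke(null, new object[] { encrypted });
        }
        catch (Exception) // TargetInvocationException wrapping the crypto/format error
        {
            return false;
        }
        return !IsBlacklisted(decrypted);
    }

    public bool IsBlacklisted(string decrypted)
    {
        if (decrypted == null) return true;
        foreach (Regex r in blacklist)
            if (r.IsMatch(decrypted)) return true;
        return false;
    }

    private static void Reject(HttpApplication app)
    {
        app.Response.Clear();
        app.Response.StatusCode = 404;
        app.Response.SuppressContent = true;
        app.CompleteRequest();
    }
}
```

Register the module in web.config under `<system.web><httpModules>` (classic pipeline) or `<system.webServer><modules>` (IIS 7 integrated pipeline) with `type="AxdRequestFilterModule"`. Because the decision is taken in BeginRequest, the real handler never sees a request whose decrypted identifier matched the blacklist, and a request whose ciphertext does not decrypt gets the same 404 as a blacklisted one rather than a distinguishable error page.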

1 comment:

  1. Very nice. Maybe propose this on the Microsoft feature request tool (whose name I forget). It's kinda ridiculous that this WebResources thing can get to pretty much any file instead of a narrow whitelist of the files that are supposed to be used that way. (The whole thing is kinda questionably useful, but if it's going to exist it should at least be secure.)