Showing posts with label CBC-R. Show all posts

Tuesday, September 21, 2010

blocking requests to sensitive files (e.g. web.config) through *.axd requests

After Doug's comment yesterday I started poking around to see if there was a way to filter requests to sensitive files, and as it turns out the answer is yes.
Both WebResource.axd and ScriptResource.axd use the function Page.DecryptString, which is marked as internal. We can, of course, use reflection to get access to this function and evaluate the decrypted string that the user is trying to pass to these classes. The updated code below includes code to do just that and passes each string through a blacklist of regular expressions.
Important: You also need to rewrite requests to ScriptResource.axd into this module.

Ideally the list of expressions would be loaded from web.config, but for the time being you will need to add any additional expressions in the constructor.
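An IHttpModule that does what the post describes, written here as an added example (the post's own updated code is not reproduced on this page): it takes the d parameter off WebResource.axd and ScriptResource.axd requests, decrypts it through the internal Page.DecryptString via reflection, and rejects anything that matches a blacklist. The class name, the starting blacklist and the single-argument DecryptString signature are assumptions; covering both handlers from one module avoids the ScriptResource.axd rewrite mentioned above, and it answers a failed decryption and a blacklist hit with the same response so the filter does not add a new oracle of its own.

```csharp
using System;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Added example: blocks *.axd requests whose decrypted 'd' parameter names a sensitive file.
public class AxdRequestFilterModule : IHttpModule
{
    // Starting blacklist (constructed for this example; extend it here or load it from web.config).
    private readonly Regex[] _blocked = new[]
    {
        new Regex(@"web\.config", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"global\.asax", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"\.(cs|vb|mdf)$", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"app_data", RegexOptions.IgnoreCase | RegexOptions.Compiled),
    };

    // Internal static Page.DecryptString(string), reached via reflection as the post suggests.
    private static readonly MethodInfo DecryptString = typeof(Page).GetMethod(
        "DecryptString", BindingFlags.NonPublic | BindingFlags.Static,
        null, new[] { typeof(string) }, null);

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string path = app.Context.Request.AppRelativeCurrentExecutionFilePath ?? string.Empty;
        if (!path.EndsWith("WebResource.axd", StringComparison.OrdinalIgnoreCase)
            && !path.EndsWith("ScriptResource.axd", StringComparison.OrdinalIgnoreCase))
            return;

        if (IsAllowed(app.Context.Request.QueryString["d"])) return;

        // Same status whether decryption failed or the blacklist matched.
        app.Context.Response.Clear();
        app.Context.Response.StatusCode = 404;
        app.CompleteRequest();
    }

    // False when 'd' is missing, cannot be decrypted, or names a blacklisted resource (fail closed).
    internal bool IsAllowed(string encrypted)
    {
        if (string.IsNullOrEmpty(encrypted) || DecryptString == null) return false;
        string plain;
        try { plain = (string)DecryptString.Invoke(null, new object[] { encrypted }); }
        catch (Exception) { return false; } // TargetInvocationException wraps the crypto failure
        if (plain == null) return false;
        foreach (var rx in _blocked) if (rx.IsMatch(plain)) return false;
        return true;
    }
}
```

Register the module under system.web/httpModules in web.config (or system.webServer/modules for IIS 7 integrated mode) so it sees every request before the .axd handlers run.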