I've looked through several similar questions on SO but haven't found something quite like what I need, so my question is this:
I want to take a screenshot (thumbnail) of a URL after the user provides one. I was going to use Awesomium because they provide a fairly simple solution for screengrabs. Unfortunately, Awesomium won't compile in an x64 application, and since I'm building this with ASP.NET for Windows Azure, I can't switch to x86.
So I'm left with a less-elegant solution, using Windows.Forms WebBrowser to load the url and take the screenshot (as shown here: http://www.codeproject.com/Articles/95439/Get-ASP-NET-C-2-0-Website-Thumbnail-Screenshot ).
Ugly, I know, but it works with most pages (there is the occasional white screenshot), but now I'm concerned with security.
If the user inputs a malicious URL and the WebBrowser loads it, what is to stop it from running harmful code and downloading a virus to the server where the app is hosted?
There are several services and websites that offer similar functionality, albeit with different approaches, but the core idea is the same: the site must open up the URL and render the page in order to grab the screenshot. So what kind of measures would one expect them to take to thwart viruses and malicious URLs?
The biggest threat to your application would be client script executing in your browser control (i.e. JavaScript and client-side VBScript). It appears it is not possible to disable JavaScript programmatically in the WebBrowser object:
VB.NET WebBrowser disable javascript
Disable javascript in
WinForms WebBrowser control?
Stripping <script> tags in the first question's first answer is not the way to go for security, as there are so many other ways script can get inserted.
Changing window.alert in the second answer won't work as it needs the page to load fully first, and it is possible for script to execute before then. Also, this would only stop the alert function and not prevent script code in any other way.
Changing the registry settings as suggested in this answer may be the way to go, but this appears to be the same as changing Internet Explorer settings to high security for the internet zone (or selecting custom and disabling Active Scripting). If you are always in control of the machine where your app is loaded from, then manually disabling scripting in Internet Explorer options could be a viable solution.
Most client-side internet threats such as drive-by downloads involve script in some way, so this approach will go a long way in protecting your app.
However, there are other exploits such as the Windows Metafile vulnerability that can harm a client machine.
Viewing a website in a web browser that automatically opens WMF files, in which case any potential malicious code may be automatically downloaded and opened. Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996, does this.
However, making sure your machines are patched with the latest Windows Updates will secure you against threats like these. This will leave zero-day attacks against Internet Explorer or the WebBrowser object, which you will not be able to do much about. I would suggest running your app on an isolated machine (or VM) which would then upload the screenshot to another server (e.g. via the web) which would help mitigate threats in this scenario.
Related
I want to monitor changes in background in complex web application. This is one-page application with many scripts and so on. I need to be logged in to have access to data I want to monitor.
I tried to use webrequest, but I think that the application is to complex to do it that way. There is also a problem with authentication.
I also tried WebBrowser component, but web application is telling me, that this browser is too old and I should get newer one.
Perfect solution would:
Open this web application in chrome (or some other modern browser) in background
Save the page to memory
Extract values using something like HtmlAgilityPack
While this will be happening I want to normally use the computer (so opening chrome window is not a good solution for me).
Is there any way to achieve something like that?
if you can cope with an extra browser running, have a look at SeleniumHQ. with its webdriver-backed selenium you can start a dedicated browser instance and perform user actions by coding in high-level programming languages like java. it should not interfere your manual work at all, but will take up the same amount of memory and cpu time your "real" browser would.
if the web application has no captcha and does not object to automated script accessing it, you could also login in a background program by sending appropriate HTTP requests and parse the response. python's urllib2 would be my first choice.
if you dont want any additional processes running, you could also create a browser plugin, that autorefreshs and parses a certain open tab every few seconds.
Corodva, Javascript and HTML5 developers.
I need to intercep all get requests made by the WebBrowser component in Windows Phone 8.0 at any point and be able to view the resource that it's requesting. To give an example of "all", this is what I mean.
I have a simple application that contains a cordova(WebBrowser control with Decorators that allows XHRrequests to be retrieved from local storage) view, and navigates to an index.html file.
The index.html contains only the following in the body
<img src="logo.png" />
This file is loaded and displayed by the web browser but there is not interceptable request made through the web browser to the Windows Phone that I can see. The file just appears in the browser magically. I know that cordova overwrites all XHRrequests to swap out for local files. No method in the XHRHelper.cs is being hit with a request for logo.png. Here is everything I have tried just so we can all be on the same page.
Subscribed to the Navigating, Navigated and NavigationFailed (Just because there's no other option) events to see if it fires at any point to load logo.png. This turned out nothing, it only fired for actual navigation calls made within the application. I also subscribed to all, I literally mean all events available from the WebBrowser control. Even ones that are inherited from UIElement.
Tried to wrap the WebBrowser in a COM Wrapper that "monitors" all outgoing traffic using http://www.codeproject.com/Articles/157329/Http-Monitor-for-Webbrowser-Control which does not work for Windows Phone 8.0 Web browser control. Was still a good exercise. It also does not get requests made for local files.
The next option I checked out is a way of intercepting all requests from JavaScript for anything, but found many posts that only explain how to intercept all AJAX requests, which is not what I want to do.
I then implemented the ways of intercepting all AJAX requests to see if it will give some insight on what I could possibly do. Nothing panned out from this exercise. I then also did this [How do you 'intercept' all HTTP requests in an EmberJs app?. Ant that also did not help, I then looked at intercept.js and tried to use that, but again the logo.png slipped the grasp of intercept.js aswell
Me being a Windows Phone .NET developer and not at all experienced in JavaScript except for 6 months of wrapping HTML5 apps into cordova I returned back to the windows phone code trying to catch the navigation as it leaves the WebBrowser control. I tried to override all the methods that were specific to a WebBrowser and tried to cancel any and all requests, just to see if logo.png would still appear in the browser and it did :(
I wouldn't ask this question if I didn't do any research on this subject. Some of the JavaScript devs said that they don't think it's possible from inside the application, many of the C++ developers said I should look at the native code implementation for the WebBrowser control, find out what interfaces it extends and get hold of it for extension somehow. I will be attempting to do this tomorrow all day, but would like to not overkil the situation if there's (hopefully) an easy way of doing this.
My next step is to use a tool like fiddler or charles to monitor all packets through a proxy. If I can see requests made for the local files through any of these tools then there must be a way to intercept those requests in code. If this is successfull I will attempt to set up a local proxy at runtime and redirect through my filehandler.
I spoke to some iOS developers and they used NSURLProtocol, which you just have to set up then you can monitor all you traffic (Lucky). Is there anything like this for Windows Phone 8.0? Does anyone have suggestions on how I could implement this for Windows Phone 8.0? Is there any way I can intercept all requests from a html5 app. Any way would be fine, I'm fairly confident that I'll be able to implement any suggestion and give feedback if it does not work. The biggest question would be if it's even possible.
Any feedback would be appreciated, and any suggestions will be followed through. And I will provide feedback on that suggestion.
Thank you in advance, I know there are some serious Code Ninjas on here that will give me a million options :)
I have found a very simple solution to this problem. Since Mobile IE10 does not provide functionality to intercept requests made by a webpage I moved off that path and chose to not intercept the requests but rather redirect it.
I did this by setting up a socket server on the phone and requesting the assets in the HTML5 application from the localhost. Here's an example:
A file that I used in the index.html like below
<img src="logo.png" />
I changed to
<img src="http://localhost:99/logo.png" />
This way you get a Process request event fired in the socket server where you can handle your asset request appropriately. You can take the logo.png and give back a image with a different name by using a simple mapping in the socket server, which is what I needed to do.
I hope this helps someone dealing with the same problem :)
Background:
I am creating a Windows Form App that automates order entry on a intranet Web Application. We have a large amount of order entry that needs to be done that will cost us a lot of money so I volenteered to automate the task.
Problem:
I am using the webbrowser class to navigate the web app. I have gotten very far but reached a road block. There is a part in the app that opens a web dialog page. How do I interact with the web dialog. My instance of the webbrowser class is still with the parent page. I am hoping someone can point me in the right direction.
You've got a number of options. To expand on the answers from others and add a new idea...
Do it using the webbrowser control: This is technically possible by either injecting javascript into the target page as demonstrated here or creating a JavaScript object and using it as a bridge via the webbrowser.objectforscripting property. This is very fragile - something as simple as the website changing an element's Id could break it. You also need to make sure your code doesn't interfere with the functioning of the form (clashing function names, etc...)
Do it using a postback: Monitor the communications between the web browser and the server (I personally prefer Firfox/Firebug but ie/Fiddler or Chrome/F12 are both good too). As long as you can replicate the actions of the browser exactly, the server can't know the difference. The problem here is that browsers are complex and the more secure a form is, the more demanding servers are. This means you may have to fake a login, get cookies, send them back on subsequnt requests, Handle Viewstate data and xss prevention variables. It's possible and it's far more robust than the first option but can be a pain to get working. If it's not a highly secure form,, this is your best bet. More information here
Do it by browser automation: Selenium is probably the best option here (as mentioned by others) but suffers from a similar flaw to the webbrowser control in that it's sensitive to changes on the form itself (But not as mcuh so as the webbrowser control).
Incidentally, if you have Visual Studio Ultimate/Test edition (and some others, not sure which), it includes a suite of testing tools including an excellent engine to automate load testing a website. This is also superb for tracking down what exactly a form does as you can see every step of the emulation.
Hope this helps
You have two choices depending of the level of complexity you need:
Use a HTTP Debugger like Fiddler to find out the POST data you
need to send to each page and mimic it via a HttpWebRequest.
Use a Browser Automation Tool like Selenium and do the job.
NOTE: Your action may be considered as spamming by the website so be ready for IP blocking, CAPTCHA...
You could give Selenium a go: http://seleniumhq.org/
UI automation is a far more intuitive approach to these types of tasks.
I need to write a .NET application that captures screenshots of various web pages periodically. The application needs to run as a windows service in unattended mode - when there is no user session or when the workstation is locked. A situation similar to: (Screenshot of process under Windows Service), only, I need to do this on web pages rather than processes.
When I try to use PrintWindow API, I am able to capture inactive or hidden windows, but get a black image when the workstation is locked. Tried this approach (www.devnewsgroups.net/group/microsoft.public.dotnet.framework.windowsforms/topic34231.aspx) but doesn't work.
I know this is possible since there are apps like WebShot (www.websitescreenshots.com) that are able to do it - capture screenshots of web pages even when the workstation is locked or when it runs as a service.
What am I missing? How do I get this to work?
Thanks much for your time.
Edit: More on my approach - I'm using the .NET WebBrowser control created programmatically. I load the webpage in the browser control and capture the image from it using the PrintWindow API. This I'm able to do whether the control is visible or not, but it trips me up when the workstation is locked.
BrowserShots (http://browsershots.org/ http://browsershots.org/) is an open source application that seems to have similar goals to you - they may already have solved your problem. Unfortunately their site seems a bit broken at present.
Since you are only rendering websites and not getting screenshots of different programs you could try WebBrowser.DrawToBitmap.
That way you would wouldn't have to worry about login state
http://thepursuitofalife.com/the-missing-drawtobitmap-function-in-the-net-webbrowser-class/
Let me rephrase the question...
Here's the scenario: As an insurance agent you are constantly working with multiple insurance websites. For each website I need to login and pull up a client. I am looking to automate this process.
I currently have a solution built for iMacros but that requires a download/installation.
I'm looking for a solution using the .NET framework that will allow the user to provide their login credentials and information about a client and I will be able to automate this process for them.
This will involve knowledge of each specific website which is fine, I will have all of that information.
I would like for this process to be able to happen in the background and then launch the website to the user once the action is performed.
You could try the following tools:
StoryTestIQ
Selenium
Watir
Windmill Testing Framework
Visual Studio Web Tests
They are automated testing tools/frameworks that allow you to write automated tests from a UI perspective and verify the results.
Use Watin. It's an open source .NET library to automate IE and Firefox. It's a lot easier than manipulating raw HTTP requests or hacking the WebBrowser control to do what you want, and you can run it from a console app or service, since you mentioned this wouldn't be a WinForms app.
You can also make the browser window invisible if needed, since you mentioned only showing this to the user at a certain point.
I've done this in the past using the WebBrowser control inside a winforms app that i execute on the server. The WebBrowser control will allow you to access the html elements on the page, input information, click buttons/links, etc. It should allow you to accomplish your goal.
There are ways to do this without the WebBrowser control, look at the HTML Agility Pack.
Assuming that you are talking about filling and submitting a form or forms using a bot of some sort then scraping the response to display to the user.
Use HttpWebRequest(?) to create a form post containing the relevant form fields and data from your model and submit the request.
Retrieve and analyse the response, store any cookies as you will need to resubmit the cookie on the next request.
Formulate the next request based on the results of the first request ( remembering to attach cookies as necessary ) and submit it.
Retrieve the response and display or parse and display ( depending on what you are hoping to achieve ).
You say this is not a client app - therefore I will assume a web app. The downside of this is that once you start proxying requests for the user, you will have to always proxy those requests as there is no way for you to transfer any session cookies from the target site to the user and there is no ( simple / easy / logical ) way for the user to log in to the target site and then transfer the cookie to you.
Usually when trying to do this sort of integration, people will use some form of published API for interacting with the companies / systems in question as they are designed for the type of interactions that you are referring to.
It is not clear to me what difficulty you want to communicate when you wrote:
I currently have a solution built for
iMacros but that requires a
download/installation.
I think here lies some your requirements about which you are not explicit. You certainly need to "download/install" your .Net program on your client's machines. So, what's the difference?
Anyway, Crowbar seems promising:
Crowbar is a web scraping environment
based on the use of a server-side
headless mozilla-based browser.
Its purpose is to allow running
javascript scrapers against a DOM to
automate web sites scraping but
avoiding all the syntax normalization
issues.
For people not familiar with this terminology: "javascript scrapers" here means something like an iMacros' macro, used to extract information from a web site (in the end is a Javascript program, for what purpose you use it I do not think makes a difference).
Design
Crowbar is implemented as a (rather
simple, in fact) XULRunner application
that provides an HTTP RESTful web
service implemented in javascript
(basically turning a web browser into
a web server!) that you can use to
'remotely control' the browser.
I don't know if this headless browser can be extended with add-ons like a normal Firefox installation. In such case you can even think to use yours iMacros' macros (or use CoScripter) with appropriate packaging.
The more I think about this, more I feel that this is a convoluted solution for what you wrote you want to achieve. So, please, clarify.