One of our application will be run in an iframe, inside salesforce and I'm having troubles with accessing the referer. They'd like us to do some referer checks, to make sure the request is coming from salesforce and we've been given the IP addresses to check against.
My problem is that anytime I try to access the referer through either of the following two methods:
HttpContext.Current.Request.ServerVariables["HTTP_REFERER"]
HttpContext.Current.Request.UrlReferrer
it returns me null.
Any ideas how could I get hold of the referer?
PS: I'm aware that you can spoof the referer, but it's part of the requirement.
If I understand the question correctly you have client sites that refer to your site by embedding IFrames in their webpages the point to your site. You wish to "ensure" that the requests are coming from host page which itself is part of a designated set of sites. The set of designated sites is described by a set of IP addresses. Does that cover it?
Tricky. First off lets assume you've got a referer. You will need to aquire the host name from it (easy enough using the Uri type). Then you need to resolve the IP address for the host name using DNS (again not too difficult with .NET framework).
Of course you need to get a referer and that is the trickiest bit. Browsers do not always place a referer header in the request. This is especially true when the referee address is not in the same domain as the referer, which is the case here. IOW, this is a showstopper.
A better approach to solving this problem (and is not prone to spoofing) is to use some hash based authentication. Doesn't have to be too sophisticated (if the original requirements felt the referer testing was sufficient anyway).
A referrer is only there if the page was requested through a link. When a page is opened say from the address bar in a browser by typing in the address directly (or in your case y setting the src. of the IFRAME), the referrer will be empty.
Related
Recently I have attended a training in mvc. The trainer said that - As per the security concerns we have to use HttpPost instead of HttpGet. Always use HttpPost.
Can anyone explain - what is the security issue when we use HttpGet?
When transmitting data over secure connection (https) body of the post request is encrypted and practically undreadable, you can only see address where data is going but not the data itself. Get on the other hand has no body and data has to be transmitted in either query string or as a path parameter. While it is true that query string does get encrypted as well, due to request logging on the server and browser it is possible to get hold of that data.
Anyone can insert image on public forum or stackoverflow with link to your web-site. Then happens next:
Browser looks at url in image tag
Browser find cookies corresponding to domain in url
Browser sends request to url with cookies of user
Your server performs action
Browser tries to parse response as image and fails
Browser renders error instead of image
But if you mark your action as Http Post only then this scenario isn't applicable for 90% of sites. But you should also consider that if hacker can create a form on other web-site then he still can make browser to perform request. So you need CSRF. Well, browsers made a lot to prevent cross-site requests, but it's still possible in some scenarios.
I'm writing a local Proxy server. It already works for the majority of the requests. But sometimes I have Problems when I want to resolve the Host-name. Here is what I do:
When the header of the request is received, I filter the first line out. Then I take the Request-URL (which is between the two spaces) out of that line and store it into an Uri object. After that I extract the hostname with: string host= uri.host;
At least I do the DNS-call: IPAddress[] ips = Dns.GetHostAddresses(host)[0];
(How do I know here, which IP of the array I should take. Whats the difference between those IP's)
Like I said, for the majority of the Requests that works fine. But there are some adresses, that cannot be resolved. Here an example: When I want to open www.gmx.net, I first get the HTML-File ( this works fine ). After that, the Browser reloads a couple of Web-Objects like pics, javascript and so on. Those Object of course have some URL. And one of those URLs, that cannot be resolved is: ipv4-cout.gmx.net .
The attempt to resolve this URL results in the warning: The stated Host is unknown.
Another thing I need to know is: How to handle Alias-Host-names? For example: When I enter the hostname gmx.de into the Browser, it automaticaly resolves it into www.gmx.net. I know, there are Recource Reccords on a DNS-Server with type CNAME, but I dont know how to implement this.
I would say that they come back in the order that the DNS server sends them, I can no find no reference to any particular ordering.
Dns.GetHostAddresses Method
In most cases, there would only be a single IP address. In the case of www.gmx.net, they do have 2 and in theory, this would mean that you would round-robin the requests.
www.gmx.net has address 212.227.223.5
www.gmx.net has address 212.227.223.4
For your information. pv4-cout.gmx.net does not resolve on my machine and would result in a 404 when accessed any other way.
gmx.de does not resolve to www.gmx.net, there is a URL redirect on the web server.
Connecting to www.gmx.de|212.227.223.10|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.gmx.net/ [following]
I created REST base webAPI in MVC 4 and hosted on server when I call this from HTML on other domain and on my local pc I need to call it as JSONP request like put callback=? in url so it can be jsonp. My question is that why this is so? if its due to cross domain then how google and facbook and other companies host their api we also call it from our own domain but we dont keep callback=? in their url.
so why my API need callback=? in url if i call it from other domain or on my local pc with simple jquery html.
Its because of the Same Origin Policy imposed by the browsers.
See
http://www.w3.org/Security/wiki/Same_Origin_Policy
http://en.wikipedia.org/wiki/Same_origin_policy
.
Also note that CORS might be a better option than JSONP in the future
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
EDIT: ------------
If you have gone through above links you would see that JSONP allows users to work-around this Same Origin Policy security measure imposed by the browsers.
Trick is browsers allow tags to refer files in other domains than the origin.
Basically what happens is with JSONP, you send a callback function name to the server appended to the query string. Then the server will pad or prefix it's otherwise JSON request with a call to this function, hence the P in the name to denote response is padded or prefixed.
For example you can create a script tag like
then the target server, should send a response such that
mymethod({normal: 'json response'})
when this repsone is evaluated on the client side (as for any other javascript file) it will effectively call your method with the JSON response from that server.
However, this can only do GET requests.
If you want to make POST (PUT/DELETE) requests you need to use CORS in which server needs to set a specific header beforehand.
Access-Control-Allow-Origin: www.ext.site.com
Hope this helps.
Because of the same-origin policy limitations. The same-origin policy prevents a script loaded from one domain from getting or manipulating properties of a document from another domain. That is, the domain of the requested URL must be the same as the domain of the current Web page. This basically means that the browser isolates content from different origins to guard them against manipulation.
Lets say I have a web site hosted on a computer named "linux" and it is part of two different networks with the addresses 192.168.1.1 and 10.1.1.1. When working locally on "linux", I can access this web site through the following URLs :
http://192.168.1.1/
http://10.1.1.1/
http://linux/
http://localhost/
http://127.0.0.1/
Working on another machine on the network "10.1.1.0/24" I can use the following :
http://10.1.1.1/
http://linux/
But on "192.168.1.0/24" I can only use :
http://192.168.1.1/
http://linux/
I'm developing an application that compares URLs, and on this application's context two URLs are equal if they point to the same resource.
Is there a quick way of doing that kind of comparison using the URI class in C# ?
There's no way the URI class will help you; it can only determine if two URIs are the same URI, and they're only the same URI if they have the same server name / IP address.
The best option is to download the resource from both URLs and see if it is the same resource by checking for equality and assuming that two resources are the same resource if they're the same sequence of bits.
That isn't an option for me, the perfomance cost could be too great. I was hoping for something that could match the 'host address' part of the URI's, then all that was left to compare would be the relative path and port... – Thiado de Arruda
Unfortunately, there is nothing in the framework that will do what you want out of the box, because there's no reliable way of mapping different host names to the same host and therefore the same resource.
You are going to have to have some sort of mapping of hosts to the various aliases of those hosts and query for them yourself. The URI.Host property will get the host name of the URI in question for you, but you'll have to translate it yourself. Nothing in the framework is going to be able to do it for you.
You may be able to do this with beautiful soup using python (scrape the page and check if a few elements are the same) however it will be slower since you'll need to pull the actual web data.
I use Process.Start("firefox.exe", "http://localhost/page.aspx");
And how i can know page fails or no?
OR
How to know via HttpWebRequest, HttpWebResponse page fails or not?
When i use
HttpWebRequest myReq = (HttpWebRequest)WebRequest.Create("somepage.aspx");
HttpWebResponse loWebResponse = (HttpWebResponse)myReq.GetResponse();
Console.Write("{0},{1}",loWebResponse.StatusCode, loWebResponse.StatusDescription);
how can I return error details?
Not need additional plugins and frameworks. I want to choose this problem only by .net
Any Idea please
Use Watin to automate firefox instead of Process.Start. Its a browser automation framework that will let you monitor what is happening properly.
http://watin.sourceforge.net/
edit: see also Google Webdriver http://google-opensource.blogspot.com/2009/05/introducing-webdriver.html
If you are spawning a child-process, it is quite hard and you'd probably need to use each browser's specific API (it won't be the same between FF and IE, for example).
It doesn't help that in many cases the exe detects an existing instance and forwards the request there (so you can't trust the exit-code, since the page hasn't even been requested in the right exe yet).
Personally, I try to avoid assuming any particular browser for this scenario; just launch the url:
Process.Start("http://somesite.com");
This will use the user's default browser. You have to hope it appears though - you can't (reliably and robustly) check that externally without lots of work.
One other option is to read the data yourself (WebClient.Download*) - but this may have issues with complex cookies, login, user-agent awareness, etc.
Use HttpWebRequest class or WebClient class to check this. I don't think Process.Start will return something if the URL not exists.
Don't start the page in this form. Instead, create a local http://localhost:<port>/wrapper.html which loads http://localhost/page.aspx and then either http://localhost:<port>/pass.html or http://localhost:<port>/fail.html. localhost: is a trivial HTTP server interface implemented by your app.
The idea is that Javascript gives you an API inside the browser, which is far more standard than the APIs on the outside of browsers. Since the Javascript on wrapper.html comes from the same server and even port as the subsequent resources, this should satisfy the same-origin policies in current browsers.