We have an HttpHandler that deals directly with binary posts over HTTP from custom client software. The client software occasionally sends data which results in IIS 7 responding with a 400 - Bad Request. Since the "400 Bad Request" is special in that HTTP.SYS transparently handles it in kernel mode without notifying user mode of anything, no errors are raised to be handled in ASP.NET. Is it possible to catch this http 400 in ASP.NET, so that I can write specific data to the Response stream in these scenarios? A redirect to another page isn't an option as it needs to be in the current Request/Response.
If you know what is causing the 400, then you may be able to customise the behaviour of http.sys via the registry to deal with it:
http://support.microsoft.com/kb/820129
However, you should be aware that there are potential security and performance ramifications of doing this.
Another option would be to use a filtering proxy before IIS, thereby capturing the request before it goes any further.
I would instead ask them to fix the custom client software. Give them a report showing the failed requests. If you are able to, run a sniffer such as Wireshark and send them the packets if they do not believe the problem is with their software.
If your custom client causes IIS to trigger HTTP 400, it's probably flawed and is not submitting valid HTTP requests according to the standard. If you can alter the client, it would be the right thing to do. Otherwise, what you're working with is not HTTP, and IIS is designed to handle HTTP requests. Therefore, you should run a custom server for your own protocol (which is a non-standard HTTP like thing).
It's not advised to use IIS/ASP.NET to handle such a request as it might cause some weird unexpected things to happen.
Related
I am not sure of what it is called, but what happens is that my POST method request can be captured by a tool like (burp suite) and change the POST to GET.
Afterwards the process would still continue, but now it shows the parameters and its value in the URL.
How do I defend against this kind of attack?
The website is on ASP.NET C#.
Burp suite is a "man in the middle" (MITM) proxy with injection/manipulation capability. If your site is on http (not https), then yes: you are completely at the mercy of every intermediary that the traffic passes through. Change your site immediately to use https with a valid certificate.
For this to work on https, you need to deliberately break your machine, by installing a dodgy root certificate authority that will issue fake certificates for the sites it wants to MITM. This only passes your browser's security system because you broke your machine.
An attack that depends on the client already having been compromised is not an interesting attack from a server perspective. All you can reasonably do is protect intact clients. By using https and disabling http (non-TLS). You can do things like reject GET if you're expecting POST - but this doesn't change that the GET will have happened. But note:
the MITM proxy can already read the POST variables without needing to change them to GET: it is in complete control of the data
other intermediaries between the MITM proxy and your server cannot read the data regardless of whether it is GET or POST, as long as it is https (which is why you need to disable http, not just enable https)
the only thing you're changing with GET vs POST here is what appears in your own server logs... and it doesn't matter how you respond to the request at that point: it has already been logged, even if you return 404 or 500 or whatever
I get this error with my .Net app but it only occurs on chrome on 2 pages on my site and only on my network.
What does the notes in the image mean? If I hit refresh it works fine. How do I figure out what the headers are and if it's a network or security thing?
Clear your cookies. This must be caused by an invalid cookie. Had the same issue and clearing the cookies worked for me
Followings can be possible options to look at:
As you getting issues in Chrome, clear cache/cookies
Error 400: The Web server thinks that the data stream sent by the client (e.g.
your Web browser) was 'malformed' i.e. did
not respect the HTTP protocol completely. So the Web server was
unable to understand the request and process it.
It indicates that the two systems (our robot and the Web server)
fundamentally disagree on the syntax of HTTP data streams. Mare sure you are not calling HTTPS from HTTP?
Hope this helps!
I'm building out a simple C# application that integrates with a SOAP web service. I add the service reference to the appropriate WSDL and everything works out fine so far.
Occasionally, the server's firewall will respond with a 503 error before the request gets a chance to hit the web service. That 503 error also contains some HTML with an ID number (which changes each time) that I want to capture.
If I catch the exception, it doesn't give me the full message - just the re-formatted basic exception that says the server is too busy.
I tried the message inspectors suggestion from this post:
Intercept SOAP messages from and to a web service at the client
...and it gives me the outbound request, but it never hits the AfterReceiveReply call, so the response isn't captured.
I've also tried subscribing to all of the channel's major events (Faulted, Opening, Opened, UnknownMessageReceived, etc), and I've tried inspecting the channel when I catch the exception, but nothing seems to work.
Any thoughts or suggestions?
Why not just run fiddler on the machine your soap client is running on and intercept and inspect the traffic that way?
Turn on WCF Tracing. In particular, Message Logging.
It seems like disabling SOAPProcessing in the .config file may be a step in this direction, but I was unable to figure out how to enable this setting via code (and I cannot use a .config file in my final application because this is a plugin and the parent app's .config file is dynamically generated each launch).
I was able to work around this somewhat. In my situation, I had separate dev and production servers. The 503s errors were happening mostly on the production server (likely due to the firewall being sensitive about a different hostname in the API requests), so I ended up with a solution that duplicated the API requests and sent them over to the production server.
(This was okay, because the production server was not configured with anything that would be affected by any API requests that made it through the firewall. The requests would just be considered invalid.)
I did this by using message inspectors to generate the last outgoing request. Then for each outgoing request, I generated a new WebBrowser control, set the proper headers (SOAPAction and all that), re-injected the security credentials (the message inspector stripped them out at runtime), and then posted the request to the production server with that WebBrowser control. The WebBrowser instance's DocumentCompleted event let me dump the result and search for the ticket ID when appropriate.
Not exactly glamorous, but it works well.
I've some fishy application that makes HTTP requests to a website, i would like to intersect that request and send other data to the server. Is that possible in C#,java or C++?
EDIT: The application isn't mine, i just know the endpoint that it sends http requests
Fiddler might provide the functionality you need. At the very least it may enable you to see what is being sent to the web site.
in Java You can intercept request from Filter
You may want to look into using an HttpModule, whose purpose is to intercept incoming HTTP requests.
The ASP Column: HTTP Modules
Firstly are you aware of how it is connecting to the internet? For example, is it using the settings from Internet Explorer, or is it establishing a direct connection? If the latter, this may be tricky, there is no direct port forwarding as there in Linux, so you'll need some third-party tools to redirect the traffic to a server (which you can write in Java, C++ or C#, I would go for C# if you know it for pure speed of development) In that server you can intercept the request, and then create your own to actually send to the real destination.
Sounds like a cludge, but I think you're stuck with this approach due to the lack of direct port forwarding. You'll have to configure the third-party tool that you use to forward someother well known port to 80, and your server should write to this.
I have a C# console application that calls SSRS soap based webservice (service runs on a remote machine). I want to capture the incoming and outgoing soap request.
How can this be done?
Thanks
Is this just for debugging purposes? If so, Fiddler is probably your best bet. Wireshark is also great, but it doesn't do the HTTPS stuff that Fiddler does.
It's possible to capture the data on the service side by effectively adding an incoming and outgoing filter which just passes the data along, logging it as it goes - but that's slightly fiddly from what I remember. Worth the effort if you're trying to do this for long-term audit etc, but for simple inspection I'd go with Fiddler.