Ajax fraud: handling

Wednesday, March 21, 2012

Is it possible to "redirect"/URLrewrite ScriptResource.axd?

Hi,

I'm currently working on a project where the client is using a Third-party tool for handling authentication to the website. This means problem because we cannot exclude more files than Default.aspx in the root of the website. The rest of the "unsecure" files needs to be in a special folder. If I look at the source for Default.aspx I see the following (which I understand is AJAX resources?):

I need to include this resources from another URL. Like this:

Is this possible to do?

regards // Magnus

Hi,

I have tested it with the following code:

Overriding Page.Render and replace the string.

<%@. Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
protected void Button1_Click(object sender, EventArgs e)
{
Label1.Text = TextBox1.Text;
}
protected override void Render(HtmlTextWriter writer)
{
System.IO.StringWriter sw = new System.IO.StringWriter();
System.Web.UI.HtmlTextWriter htw = new System.Web.UI.HtmlTextWriter(sw);
base.Render(htw);
string s = sw.ToString();
s = s.Replace("/AJAXEnabledWebSite3/WebResource.axd", "/AJAXEnabledWebSite3/Secure/WebResource.axd");
writer.Write(s.Replace("/AJAXEnabledWebSite3/ScriptResource.axd", "/AJAXEnabledWebSite3/Secure/ScriptResource.axd"));
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:ScriptManager ID="ScriptManager1" runat="server">
</asp:ScriptManager>
<asp:UpdatePanel ID="UpdatePanel1" runat="server">
<ContentTemplate>
<asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" /><div>
</div>
</ContentTemplate>
</asp:UpdatePanel>
</div>
</form>
</body>
</html>

ThenI received "sys is undefined" error,I think it is because there is no WebResource.axd created in that sub folder, So how to tell ASP.NET to create WebResource.axd in that folder rather than at the root? See following for answer:

AJAX's script handler is performing path check. Hence it is blocking our trick:
Declaring Type: System.Web.Handlers.ScriptResourceHandler
Assembly: System.Web.Extensions, Version=1.0.61025.0
private static void CheckPath(string path)
{
if (!string.Equals(path, VirtualPathUtility.ToAbsolute("~/ScriptResource.axd"), StringComparison.OrdinalIgnoreCase))
{
Throw404();
}
}
To workaround this further, we can:
1. With IIS, create the "Secure" folder under the root directory of our web application (e.g. "C:\Inetpub\wwwroot\AJAXEnabledWebApplication\Secure").
2. Use IIS Configuration Tool to create an child Application for the "Secure" node:
IIS 7.0 Beta: Add a Web Application
http://technet2.microsoft.com/windowsserver2008/en/library/7450f8c5-8d46-4bb2-bd59-4e6ff23df3201033.mspx
The purpose of this is to workaround the virtual path check mentioned above.
3. Open the Web.Config of the application and configure the machine key:
<system.web>
<machineKey
validationKey="0000000000000000000000000000000000000000"
decryptionKey="0123456789012345"
validation="SHA1"/>
This makes the encryption/decryption mechanism consistent between our root application and child application.
4. Apply the code change mentioned previously.
This should work.

This should work.

Best Regards,

Wednesday, March 21, 2012

Is it possible to "redirect"/URLrewrite ScriptResource.axd?

Ajax fraud

Blog Archive

About Me