Suppressing HTTP 500 Response Codes
Feb 10, 2010
I've had a bit of feedback from some threat and vulnerability folks relating to websites returning HTTP 500 response codes. Essentially the advice is that all possible measures must be taken to avoid the server throwing a 500 (i.e. extensive form input validation) which is fine. However, the advice also suggested that attempts to compromise security by means such as inserting a tag into a random query string causing ASP.NET request validation to fire or manipulating viewstate also should not return an HTTP 500. Obviously the native framework behaviour is to interpret the request and possibly throw to a custom error page but even this will return a 500 response code.
So I'm after some thoughts on how to approach this. Is there any way to configure the app at either the .NET level or IIS level to return an HTTP 200 when a 500 is raised? Or does this become a coding exercise at global.asax level in one of the application events? Are there other consequences to consider? BTW, the rationale from the security side is that apps which return HTTP 500 may be viewed as "low hanging fruit" by bots randomly scanning for vulnerabilities and prompt further malicious activity. I'm personally not convinced that changing response codes offers any real security gains but am happy to take the advice of the pros.
Similar Messages:
Jun 9, 2010
I've a question about something I've been searching for for too long! We've built an application in which an admin uploads songs into a database. Users can then buy songs and download them individually. The problem is that when a user downloads MP3 songs with the code below, it works great in Firefox and Chrome but not in IE8, simply because WMP tries to open the songs and it just doesn't get it, instead of showing a "Save as" dialog. Any idea how I can force the "Save As" dialog? Note that I don't have the MP3 physically on the server; it's in the database. So I can't link directly to the song ...
Here's my code :
// Remove "special chars"
foreach (char aChar in @"/:*?""<>| ") {
    if (aChar == ' ') {
        songNameAndExt = songNameAndExt.Replace(' ', '_');
    } else {
        songNameAndExt = songNameAndExt.Replace(aChar.ToString(), string.Empty);
    }
}
Response.Clear();
Response.ClearHeaders();
Response.ClearContent();
HttpContext.Current.Response.ContentType = "application/octet-stream";
HttpContext.Current.Response.Headers.Add("Content-Disposition", string.Format("filename={0}", songNameAndExt));
HttpContext.Current.Response.OutputStream.Write(songData, 0, songLength);
Feb 21, 2010
I need to make a web request to a web service which takes an XML argument and is expected to return a binary response. I am able to make the request, but while receiving the response I am unable to get it in binary. When I read the response using StreamReader I see the header and some attached "HEBRISH" words, probably binary, but I am unable to separate it out. Please help in separating out the binary response data.
Mar 23, 2011
What's wrong with this code?
[Code]....
I would like the numeric values of the enum of Response.StatusCode
Apr 4, 2011
I'm trying to query a database that contains information about a "ticket" using jQuery's .ajax() method.
$.ajax({
    type: 'GET',
    url: 'Preview.ashx',
    data: 'ticketID=' + ticketID,
    success: function (data) {
        // 'data' should be a row from the database, so it should be like an
        // array that contains each column of the row
        // do stuff with this data
    }
});
... so that all works fine. I'm having trouble with the data variable. On the server side, I do...
// get the ticket ID from the POST parameter
int ticketID = context.Request["ticketID"] != null ? Convert.ToInt32(context.Request["ticketID"]) : -1;
if (ticketID >= 0) {
    // grab the data from the database, getInfo() will retrieve the row
    // in the DB that corresponds to the ticket ID given, returning an
    // ArrayList with all of the information
    ArrayList theTicket = getInfo(context, ticketID);
    // now, I need to somehow return this information so that I could deal with it
    // in the 'success' callback function above
    return;
} else {
    // something went wrong with the 'newTicket' POST parameter
    context.Response.ContentType = "text/plain";
    context.Response.Write("Error with 'ticketID' POST parameter.\n");
    return;
}
return;
I've debugged this enough to be sure that the ArrayList contains the correct information. Now I just need to return it. How would I do this? How would I return the data in the ArrayList? Is it possible to structure the response so that I could do data.ID, data.otherColumnName, etc... in the callback function to access the different fields?
May 14, 2010
I have an ASP.NET application on one server. There I've added code on the server side in Page_Load:
Response.AddHeader("key", "password-key-from-hotel");
On the client side I have a form:
<form ... action="www.link-to-another-domaint" >
    <input type="hidden" id="asd" value="fgh" >
    ....
</form>
<script type="text/javascript">
    document.forms[0].submit();
</script>
Then on the other domain, where my other application also runs, I'm trying to get the header "key" with this code:
Request.Headers["key"].ToString();
But there is no such header. Is there a decision? Where is my mistake?
May 27, 2010
In my application I need to set an HTTP response header. I'd like to do this in web.config, but I don't know if this is possible and I can't find it on Google.
Solution: Finally, after a long search I found the solution. Create a class with this code:
public class myHTTPHeaderModule : IHttpModule
{
    #region IHttpModule Members
    public void Dispose()
    {
    }
    public void Init(HttpApplication context)
    {
        context.EndRequest += new EventHandler(context_EndRequest);
    }
    void context_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;
        response.AddHeader("Content-Language", "*");
    }
    #endregion
}
(Don't ask me why to use this event, but it works..) Now add a line in web.config in the HttpModule section:
<httpModules>
    <add type="namespace.myHTTPHeaderModule, assembly name" name="headers" />
    <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</httpModules>
Nov 24, 2010
I've just finished reading URL vs. URI vs. URN, in More Concise Terms, and it's really helped understand the distinction between the three terms. Since then I've skimmed the RFC2141 and RFC2616 specs and Microsoft's Response.Redirect Method documentation in an effort to answer the following question confidently.
Given this line of code:
Response.Redirect("~/Foo.aspx");
And this resulting HTTP response (trimmed for context):
Status=Found - 302
Date=Wed, 24 Nov 2010 17:27:58 GMT
Server=Microsoft-IIS/6.0
X-Powered-By=ASP.NET
X-AspNet-Version=2.0.50727
Location=/MyWebApp/Foo.aspx
What name(s) most properly describes what has been placed into the "Location" header?
URL? URI? URN? URC? Which is it?
May 14, 2010
I've developed a component which processes online payments. At a specific point the user must be redirected to the selected acquirer web site for authentication. The acquirer itself suggests that there should be a web page which does it. Something such as the following,
<!--TakeOff.aspx-->
<html xmlns="[URL]">
<head id="Head1" runat="server">
    <title>@</title>
    <script type="text/javascript">
        function Go() {
            form1.submit();
        }
    </script>
</head>
<body onload="Go();">
    <form id="form1" runat="server" method="post" action="/...">
        <div>
            <asp:HiddenField ID="MID" runat="server" />
            <asp:HiddenField ID="Amount" runat="server" />
            <asp:HiddenField ID="ResNum" runat="server" />
            <asp:HiddenField ID="RedirectURL" runat="server" />
        </div>
    </form>
</body>
</html>
This page redirects the user and posts required arguments to the acquirer's web site. Prior to this page there is another page with a payment button (for example). In the click event of the payment button my component is instantiated and required calculation is done. Something such as the following,
protected void btnPayment_Click(object sender, EventArgs e)
{
    try
    {
        var paymentProcessor = new NS.PaymentProcessor(/*required arguments*/);
        /*...*/
        NS.Result result = paymentProcessor.Calc();
        Session.Add("PaymentProcessResult", result);
        Response.Redirect("TakeOff.aspx");
    }
    catch (Exception)
    {
        // rethrow without resetting the original stack trace
        throw;
    }
}
What I'm going to do is to generate the [TakeOff.aspx] page at run-time by the payment processor component instead of having a static page (I mean aspx pages that are generated during the development phase). The reason why is that we may have different acquirers and each acquirer requires its own arguments to be posted. So if the payment processor component generates aspx or even html pages at run-time we do not need to recompile and redeploy the web application.
My problem is that I do not know how to generate aspx pages at run-time. I'm not an ASP.NET guru and all efforts that I've made using HttpResponse were in vain as the original page does not transfer the control to the generated page.
Jan 5, 2011
I have two very similar pieces of ASP.NET code that send a file in an HTTP Response to the client. They should cause the browser to prompt to save the file. The first one works, the second one doesn't. The HTTP responses as seen in Fiddler are below.
Working:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 228108
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
content-disposition: attachment; filename=Report.xlsx
Date: Wed, 05 Jan 2011 12:17:48 GMT
<binary data>
Not working:
HTTP/1.1 200 OK
Server: ASP.NET Development Server/10.0.0.0
Date: Wed, 05 Jan 2011 12:19:21 GMT
X-AspNet-Version: 4.0.30319
Content-Length: 228080
content-disposition: attachment; filename=report 2.xlsx
Cache-Control: private
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Connection: Close
<binary data>
When the first one is seen in Fiddler the browser correctly prompts to save the file. When the second one is seen in Fiddler, nothing observable happens in the browser. Same behaviour in both chrome and firefox.
EDIT: ASP.NET code that produces the second response
Response.Buffer = false;
Response.ContentType = @"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
Response.AppendHeader("content-length", genstream.Length.ToString());
Response.AppendHeader("Content-Disposition", string.Format("attachment; filename={0}.xlsx", filename));
byte[] buffer = new byte[1024];
genstream.Position = 0;
int n;
while ((n = genstream.Read(buffer, 0, 1024)) > 0)
{
    Response.OutputStream.Write(buffer, 0, n);
}
May 12, 2010
I am using an SMS Gateway to make my application receive SMSs. For this, the SMS Gateway sends a request to one of the pages in my application with the message as a querystring parameter, e.g. [URL]. Now after my page gets invoked, I need to send an OK response to the SMS Gateway so that it doesn't keep retrying to send the same message to my application again and again. I cannot figure out how to send the OK response.
Apr 27, 2010
How can I unit test an action which alters the Http Response object? I haven't been able to solve this. I can mock the object but can't see how I can check the value after the action runs. I set the Response.StatusCode when errors occur in ajax requests and need to check it has been set in the unit test. The only alternative I can see is to change all my actions to return json objects with an IsSuccessful flag or similar.
Jul 23, 2010
We're facing a weird and seemingly randomly appearing problem where the browser renders the complete, raw HTTP response (to a GET request) including all headers and the compressed content as text instead of just using the contents and rendering it. This happens for whole page loads as well as postbacks as well as page loads inside an iframe; for sure in Firefox 3.6.*, not sure about IE right now.
Our service is an ASP.NET 2.0 web app running on IIS 7.5, on our test machines we regularly have Fiddler running in the background (wondering if this might be part of the problem).
This behaviour occurs very rarely but we have started seeing this problem lately during our tests.
Has anybody encountered this problem before and knows what causes it and maybe even knows what to do about it?
Apr 16, 2012
I am trying the following to return an XML response from an HTTP request
Code:
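Try
    Dim id As String = Request.QueryString("id")
    Dim xmlOut As String = ""
    cn.ConnectionString = "Data Source=192.168.1.2;Initial Catalog=db;Persist Security Info=True;User ID=sa;Password=pass"
    ' Bind id as a parameter instead of concatenating it into the SQL text (prevents SQL injection)
    dad = New SqlDataAdapter("select * from tbl where id = @id", cn)
    dad.SelectCommand.Parameters.AddWithValue("@id", id)
    ds.Clear()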
[Code] ...
Is there some other way to do this without having to resort to writing the XML to a temp file on the C drive and reading it again to display the output?
Jan 27, 2011
I'm using .NET 3.5 and am currently creating a web application used to generate a report through Aspose.Cells. Actually, the page is composed of a form where I get the configuration of the report I have to generate. The "generation" button is in an update panel. When I click on it, the "generation" button is hidden and a progress bar appears. When the Excel file is generated, I save it in a memory stream and I send it back to the aspx page where I change the headers to allow the file's download.
Aug 25, 2010
The objective of this component is to be able to forward whatever HTTP requests it receives to a different server based on the parameters, but keeping the URL and POST data intact. For example:
If the component receives
[URL]
It will return the response from either
[URL]
where XYZ can be a valid name of the page. I think I can probably individually create each page to do a Response.Redirect, but I am wondering if there is a more generic way to do this? In addition, is this something I have to configure on the IIS level rather than code level?
Feb 15, 2011
I'm working with a 3rd party on a project. We are going to pass them up to 3 values via a querystring and they are going to return 2 values that I need within an HTTP response.
I found a few examples here and just using Google, but they all varied of course due to the individual requirements in those examples.
What I'm looking for is an example that can get me started on how to send them the values during a button click on my page, wait for a response from them, then read the 2 values returned and continue with my button event, which will involve passing the values to our stored procedure.
I found this link [URL] but am not sure how I would call that within my page or if this would even work for what I need.
They should have the page ready sometime today so I can see how the data is being returned and so on. I figured I would see if I can get something set up so I can just plug in values when they are ready.
Mar 11, 2010
Is it possible to cache the response of an HTTP handler on the server and on the client? This doesn't seem to be doing the trick:
_context.Response.Cache.SetCacheability(HttpCacheability.Public);
_context.Response.Cache.SetExpires(DateTime.Now.AddDays(7));
Jan 5, 2011
My current question is tightly related to this one, but is far more specific. We have to plan a design strategy for the objective described in that question. We want to do this by rewriting HTML on ASP.NET web forms. My question is: which strategy is the best according to parameters of feasibility, performance impact and implementation effort on legacy applications?
What I have to do is to basically get the HTML output of a Web Form, parse it, and replace certain URLs according to user-defined rules. In that example, I would rewrite all static content to CDN URLs, but it can be easily extended to URL rewriting techniques. I found lots (and I really mean lots) of articles about URL rewriting from the perspective of having URLs like [URL] interpreted as [URL] but I found none showing me how to smartly format old-style URLs to a shorter format right from inside HTML (so the page will render the short-form URL directly) [edit] without deep code intervention.
Strategy 1
Like suggested in an answer of the above question, write an HTTP Module that intercepts the HTML and rewrites it. Actually, I looked around and saw I can set a Response.Filter stream object that performs the HTML filtering.
Pros:
I can inject the HTTP Module on a legacy application, configure rewriting rules via XML and have the oldest CRM/ecommerce application load static content from a CDN without touching its code at all.
Cons:
I suspected that (and a comment here confirms my suspicions) having to reimplement a Stream's Write method, which operates on a partial buffer in the general case, can result in bad replacements. Suppose the Write method is first called with a chunk like [URL] (where I assume <img src="h was already written before) and later ge.png" /> (so guess the final URL :-P) with a rewrite rule that regexes [URL][^"]* into [URL]: the substitution is not done. To work around that, I could use a MemoryStream or something like that to buffer the complete set of data and then perform the substitutions, but it could cause trouble on highly loaded servers.
Strategy 2
Overriding Page's Render method in a way such as described here
Pros:
Doesn't suffer from the chunking problem.
Cons:
Requires defining a base class for all pages. Feasible on new applications, not sure for maintaining legacy applications. It seems to have a problem, as you cannot instantiate HttpTextWriter directly.
Obviously, for the new webapps we'll have to develop, I would adopt strategy 2, but I really like using dynamic components a lot, as they can be plugged in with ease when the application requires them (so if our new app is installed without a CDN the feature is turned off).
Briefly, my questions are: how would you fix both strategies' cons (particularly the 1st)? And, of course, do you have other strategies to suggest to achieve this objective?
May 11, 2010
First of all, quickly what exactly I want to achieve: translate particular exception into the HTTP 404 so the ASP.NET can handle it further. I am handling exceptions in the ASP.NET (MVC2) this way:
protected void Application_Error(object sender, EventArgs e) {
    var err = Server.GetLastError();
    if (err == null)
        return;
    err = err.GetBaseException();
    var noObject = err as ObjectNotFoundException;
    if (noObject != null)
        HandleObjectNotFound();
    var handled = noObject != null;
    if (!handled)
        Logger.Fatal("Unhandled exception has occurred in application.", err);
}
private void HandleObjectNotFound() {
    Server.ClearError();
    Response.Clear();
    // new HttpException(404, "Not Found"); // Throw or not to throw?
    Response.StatusCode = 404;
    Response.StatusDescription = "Not Found";
    Response.Write("The whole HTML body explaining what a 404 is??");
}
The problem is that I cannot configure default customErrors to work with it. When it is on, it never redirects to the page specified in customErrors: <error statusCode="404" redirect="404.html"/>. I also tried to raise new HttpException(404, "Not Found") from the handler, but then the response code is 200, which I don't understand. So the questions are:
1. What is the proper way of translating AnException into an HTTP 404 response?
2. How does the customErrors section work when handling exceptions in Application_Error?
3. Why does throwing HttpException(404) render a (blank) page with success (200) status?
Jan 12, 2010
I have a WCF client test harness where I'm using a "client message inspector" endpoint behavior to "pick off" raw requests and response messages going to and from a service and save them for later display in the UI.
This works great, except for the use case where invalid credentials are passed (Basic Authentication). The server returns an HTTP 401 along with a SOAP fault in the body containing details of what happened. I have no control over the service, so this behavior cannot be changed.
Because the HTTP 401 is returned as a WebException, my message inspector never fires and I can't get to the raw response. This exception eventually gets to the UI in the form of a MessageSecurityException.
Is there any way to suppress this so the message inspector's AfterReceiveReply still fires? Or is there somewhere else I can access the entire raw response?
Jul 16, 2010
I have an ASP.NET page with a WebMethod that creates an object and runs one of the object's methods in a new thread. I need to access the System.Web.HttpContext.Current.Response.ContentType property from within this thread. Each time I (try to) access it, I receive a NullReferenceException.
Jan 18, 2011
I know that you can enable NTLM authentication in an ASP.Net app using:
<authentication mode="Windows" />
However - I need to handle Forms, HTTP and other custom authentications in the same app, so ASP.Net's limited built-in support is no use.
The NTLM handshake should be fairly simple:
Request - [unauthenticated - no user info passed]
Response - 401 Unauthorized
WWW-Authenticate: NTLM
Request - Authorization: NTLM <base64-encoded type-1-message>
[code]...
I need to parse type-1 and type-3 messages and generate a type-2 message.
The structure for those messages is well documented but fairly complex - it seems very messy to write my own message generators and parsers. I think the methods to read and write these messages should already be in .Net, but I haven't been able to find them.
Mar 28, 2011
If I were to specify a page for redirect using the ASP.NET Custom Errors feature, would my application still spit out the HTTP status code for that particular error?
For example, if I had a line in my web.config that had all Internal Server Errors redirect to Errors/500.aspx and then I encountered a 500 error, I would then be redirected to my custom Errors/500.aspx page. Will my application still respond with an HTTP 500 at any point in this exchange?
Mar 26, 2011
I have an application that interacts with an SMS gateway, and after successful delivery of a message to my application I would like to acknowledge it by sending an HTTP 200 response to the gateway. How can I do that using ASP.NET? I am thinking of using the Response Headers parameter to do that.