Last post Jun 12, 2011 05:52 PM by Anton Palyok
Jun 12, 2011 05:52 PM | Anton Palyok
Today I want to show you a trick that I learned while investigating a problem some time ago.
For example, you want to include some content (.js, .css, .jpg etc.) in your website from the /Views folder.
The reasons for this scenario could be different. Maybe the architecture is like that, maybe the customer wants this.
It does not matter. In this case we have a problem.
E.g. we want to include a style sheet from the /Views folder:
<link href="/Views/test.css" rel="stylesheet" type="text/css" />
When we open this in a browser we will get a 404 (Not Found) error.
The reason for this behavior lies in the web.config file in the /Views folder.
If we open this file we can notice the following line:
<add path="*" verb="*" type="System.Web.HttpNotFoundHandler"/>
So all requests that start with /Views will be redirected to the HttpNotFoundHandler handler and we will see the appropriate error.
If we remove this line then we can access our content.
But a potential attacker can open a direct link to our view files, e.g. http://localhost/Views/Home/Index.aspx
So we can block only these files (.aspx and .cshtml) from being displayed.
To do this we should configure the web.config file in the /Views folder:
<!-- in <system.web><httpHandlers> (IIS 6 / classic pipeline) -->
<add path="*.cshtml" verb="*" type="System.Web.HttpNotFoundHandler" />
<add path="*.aspx" verb="*" type="System.Web.HttpNotFoundHandler" />
<!-- in <system.webServer><handlers> (IIS 7+ integrated pipeline) -->
<add name="DontShowCsHtml" path="*.cshtml" verb="*" type="System.Web.HttpNotFoundHandler" />
<add name="DontShwAspx" path="*.aspx" verb="*" type="System.Web.HttpNotFoundHandler" />
And now our views are protected from being displayed and we can access the necessary content in the /Views folder.
Hope this will help someone quickly deal with a similar problem, while others could learn something new for themselves.
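Added example, not part of the original post: a small Python check that reads a /Views/web.config and reports, for each handler section, which view files are no longer mapped to HttpNotFoundHandler and which static files are still answered with 404. The sample file names, the `views_config` helper and the constructed configs are assumptions for illustration; `<remove>`/`<clear>` elements, inherited configuration and entry order are not modelled.

```python
import fnmatch
import xml.etree.ElementTree as ET

NOT_FOUND = "System.Web.HttpNotFoundHandler"
# <httpHandlers> sits under <system.web> (IIS 6 / classic pipeline),
# <handlers> under <system.webServer> (IIS 7+ integrated pipeline).
SECTIONS = ("httpHandlers", "handlers")
VIEW_FILES = ["Home/Index.aspx", "Home/Index.cshtml"]  # must stay 404
STATIC_FILES = ["test.css", "site.js", "logo.jpg"]     # meant to be served

def is_blocked(section, url_path, verb="GET"):
    """True if any <add> in the section sends this request to HttpNotFoundHandler.
    Simplification: ignores <remove>/<clear>, inherited config and entry order."""
    if section is None:
        return False
    name = url_path.rsplit("/", 1)[-1].lower()
    for add in section.findall("add"):
        verbs = [v.strip().upper() for v in add.get("verb", "*").split(",")]
        if (add.get("type", "").split(",")[0].strip() == NOT_FOUND
                and ("*" in verbs or verb in verbs)
                and fnmatch.fnmatchcase(name, add.get("path", "").lower())):
            return True
    return False

def audit(config_xml):
    """Per section: view files left reachable, static files still answered with 404."""
    root = ET.fromstring(config_xml)
    report = {}
    for tag in SECTIONS:
        section = next(root.iter(tag), None)
        report[tag] = {
            "exposed_views": [f for f in VIEW_FILES if not is_blocked(section, f)],
            "blocked_static": [f for f in STATIC_FILES if is_blocked(section, f)],
        }
    return report

def views_config(classic_adds, integrated_adds):
    """Build a constructed /Views/web.config around the given <add> lines."""
    return ("<configuration><system.web><httpHandlers>" + classic_adds +
            "</httpHandlers></system.web><system.webServer><handlers>" +
            integrated_adds + "</handlers></system.webServer></configuration>")

# Constructed samples: wildcard rule removed, then the post's per-extension rules.
REMOVED = views_config("", "")
FIXED = views_config(
    '<add path="*.cshtml" verb="*" type="System.Web.HttpNotFoundHandler" />'
    '<add path="*.aspx" verb="*" type="System.Web.HttpNotFoundHandler" />',
    '<add name="DontShowCsHtml" path="*.cshtml" verb="*" type="System.Web.HttpNotFoundHandler" />'
    '<add name="DontShwAspx" path="*.aspx" verb="*" type="System.Web.HttpNotFoundHandler" />')
```

Calling `audit(REMOVED)` lists both view files as exposed in each section, while `audit(FIXED)` returns empty lists for both checks.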