ASP.NET Core example of preventing image hotlinking through middleware

  • 2021-08-28 19:51:04
  • OfStack

1. Principle

To implement hotlink protection, we must first understand how it works, and that starts with the HTTP protocol. HTTP has a header field called Referer, which carries, in URL format, the address of the page that linked to the current web page or file. In other words, with the Referer a website can detect the source page from which the destination page was visited, and for a resource file it can track the address of the page that displays it. Once the source can be tracked through the Referer, it can be handled by technical means: as soon as the source is detected not to be this site, the request is blocked or redirected to a specified page. If you want to protect your website against hotlinking, you need to treat it differently according to the situation.

If the web server is Apache, all kinds of hotlinking are easy to prevent with the URL Rewrite function provided by Apache. Its principle is to check the Referer and, if it comes from another website, redirect the request to a specified picture or web page.

If the server is IIS, hotlink protection needs a third-party plug-in. A commonly used product is ISAPI_Rewrite, which provides hotlink protection similar to Apache's. In addition, for a forum, you can also use "login verification" to prevent hotlinking.

2. Implement hotlink protection

Now let's implement hotlink protection in ASP.NET Core to protect our application and site files. This involves listening for and processing all incoming requests through the middleware mechanism in ASP.NET Core, checking whether each request comes from our own application.

Let's create the middleware for this hotlink protection:


using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

public class HotlinkingPreventionMiddleware
{
  private readonly string _wwwrootFolder;
  private readonly RequestDelegate _next;

  public HotlinkingPreventionMiddleware(RequestDelegate next, IHostingEnvironment env)
  {
    _wwwrootFolder = env.WebRootPath;
    _next = next;
  }

  public async Task Invoke(HttpContext context)
  {
    var applicationUrl = $"{context.Request.Scheme}://{context.Request.Host.Value}";
    var headersDictionary = context.Request.Headers;
    // The Request object has no Referrer property, so read the raw HTTP header
    var urlReferrer = headersDictionary[HeaderNames.Referer].ToString();

    if (!string.IsNullOrEmpty(urlReferrer) && !urlReferrer.StartsWith(applicationUrl))
    {
      var unauthorizedImagePath = Path.Combine(_wwwrootFolder, "Images/Unauthorized.png");

      await context.Response.SendFileAsync(unauthorizedImagePath);
      return; // the response has already been written; do not run the rest of the pipeline
    }

    await _next(context);
  }
}

In this middleware we can see that the Request object in ASP.NET Core does not expose the Referrer directly. To obtain it, we must read it from the HTTP header collection (Headers).

Usually an IApplicationBuilder extension method is also provided:


using Microsoft.AspNetCore.Builder;

public static class BuilderExtensions
{
  public static IApplicationBuilder UseHotlinkingPreventionMiddleware(this IApplicationBuilder app)
  {
    return app.UseMiddleware<HotlinkingPreventionMiddleware>();
  }
}

Finally, to use it, you only need to call the extension method above in the Configure method.


app.UseHotlinkingPreventionMiddleware();

3. Can it really prevent hotlinking?

How can hotlink protection be bypassed? Against a Referer check, a client can first request another page of the destination site and then move on to the destination page, so that the Referer of that page is the destination site itself, and the check is passed. There are many tools that can do this, especially mature web testing packages such as HtmlUnit, in which the Referer can be set directly on the request.

If the site doing the hotlinking uses https and the picture link is http, the browser will not send a Referer when going from https to http, because of its security rules, and the hotlink protection is bypassed.
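The following is an added example, not the article's code, of a hardened variant of the middleware from section 2 that takes the points of section 3 into account. It assumes ASP.NET Core 3.0 or later (IWebHostEnvironment) and the same Images/Unauthorized.png placeholder under wwwroot; the class names, the options type and the default "/images/" prefix are all assumptions for the example. Compared with the article's version it limits the check to the paths that actually need protecting, compares the parsed host of the Referer with the request host instead of doing a string prefix match on the full URL (a prefix match accepts any URL that merely begins with the application URL), lets you decide explicitly what to do when the Referer is missing (the https to http case), returns a 403 with the placeholder, and ends the pipeline instead of calling the next middleware after the response has already been written.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

// Assumed options type (not from the article).
public class HotlinkingPreventionOptions
{
    // Only requests under these path prefixes are checked; everything else passes through.
    public string[] ProtectedPathPrefixes { get; set; } = { "/images/" };

    // Extra hosts allowed to embed the protected files (the request's own host is always allowed).
    public string[] AllowedHosts { get; set; } = Array.Empty<string>();

    // Requests with no Referer (direct visits, https->http navigation, browsers that strip the
    // header) are allowed by default; set true to block them, at the cost of those legitimate cases.
    public bool BlockMissingReferer { get; set; } = false;

    public string UnauthorizedImageRelativePath { get; set; } = "Images/Unauthorized.png";
}

public class HardenedHotlinkingPreventionMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _wwwrootFolder;
    private readonly HotlinkingPreventionOptions _options;

    public HardenedHotlinkingPreventionMiddleware(RequestDelegate next, IWebHostEnvironment env,
                                                  HotlinkingPreventionOptions options)
    {
        _next = next;
        _wwwrootFolder = env.WebRootPath;
        _options = options;
    }

    public async Task Invoke(HttpContext context)
    {
        var path = context.Request.Path.Value ?? string.Empty;
        if (!_options.ProtectedPathPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase)))
        {
            await _next(context); // not a protected file: nothing to check
            return;
        }

        var referer = context.Request.Headers[HeaderNames.Referer].ToString();
        if (IsAllowedReferer(referer, context.Request.Host.Host, _options))
        {
            await _next(context);
            return;
        }

        // Block: serve the placeholder image with a 403 and stop the pipeline here.
        // Not calling _next avoids writing a second body into a response that has already started.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        context.Response.ContentType = "image/png";
        context.Response.Headers[HeaderNames.CacheControl] = "no-store";
        await context.Response.SendFileAsync(Path.Combine(_wwwrootFolder, _options.UnauthorizedImageRelativePath));
    }

    // The decision is a pure function so it can be unit-tested without an HttpContext.
    // The Referer is parsed and its host compared with the request host; a malformed
    // Referer is treated as foreign.
    public static bool IsAllowedReferer(string referer, string ownHost, HotlinkingPreventionOptions options)
    {
        if (string.IsNullOrEmpty(referer))
            return !options.BlockMissingReferer;

        if (!Uri.TryCreate(referer, UriKind.Absolute, out var uri))
            return false;

        if (string.Equals(uri.Host, ownHost, StringComparison.OrdinalIgnoreCase))
            return true;

        return options.AllowedHosts.Any(h => string.Equals(uri.Host, h, StringComparison.OrdinalIgnoreCase));
    }
}

public static class HardenedHotlinkingBuilderExtensions
{
    public static IApplicationBuilder UseHardenedHotlinkingPrevention(this IApplicationBuilder app,
                                                                      HotlinkingPreventionOptions options = null)
    {
        // UseMiddleware<T>(params object[] args) passes the options to the middleware constructor.
        return app.UseMiddleware<HardenedHotlinkingPreventionMiddleware>(options ?? new HotlinkingPreventionOptions());
    }
}
```

Call app.UseHardenedHotlinkingPrevention() in Configure before app.UseStaticFiles(), otherwise the static file middleware serves the image and ends the pipeline before this check ever runs. The check remains what section 3 says it is: a Referer is supplied by the client, so this only stops casual embedding from other sites, and BlockMissingReferer should stay false unless you accept that direct visits and https to http navigations are blocked too.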

Finally, I can only say that this method can only defend to a certain extent and cannot eliminate all attacks. It is recommended to use a mature server application solution, such as Nginx.
