Securing URL in File Download in ASP.net

Discussion in 'ASP .Net Security' started by anoop, Nov 14, 2007.

  1. anoop

    anoop Guest

    Hello,
    There is a website in ASP.Net in which there is a File download
    option with URL

    English/Scripts/download.aspx?file=.... . Here the code substitutes the URL
    of the file to download. but If I substitute the URL of the file that is
    stored on the web server, then file such as aspx.vb or even web.config can be
    downloaded by any user. Now I want to know how to protect this "file"
    parameter in ASP.Net, so that only intended files can be downloaded.

    Thank you
     
    anoop, Nov 14, 2007
    #1
    1. Advertising

  2. anoop

    Manish Bafna Guest

    Hi,
    You need to encrypt and decrypt querystring.Below link shows how to do it:
    http://www.codeproject.com/aspnet/TamperProofQueryString.asp
    --
    Hope this helps.
    Thanks and Regards.
    Manish Bafna.
    MCP and MCTS.



    "anoop" wrote:

    > Hello,
    > There is a website in ASP.Net in which there is a File download
    > option with URL
    >
    > English/Scripts/download.aspx?file=.... . Here the code substitutes the URL
    > of the file to download. but If I substitute the URL of the file that is
    > stored on the web server, then file such as aspx.vb or even web.config can be
    > downloaded by any user. Now I want to know how to protect this "file"
    > parameter in ASP.Net, so that only intended files can be downloaded.
    >
    > Thank you
     
    Manish Bafna, Nov 15, 2007
    #2
    1. Advertising

  3. On Nov 14, 5:22 am, anoop <> wrote:
    > Hello,
    > There is a website in ASP.Net in which there is a File download
    > option with URL
    >
    > English/Scripts/download.aspx?file=.... . Here the code substitutes the URL
    > of the file to download. but If I substitute the URL of the file that is
    > stored on the web server, then file such as aspx.vb or even web.config can be
    > downloaded by any user. Now I want to know how to protect this "file"
    > parameter in ASP.Net, so that only intended files can be downloaded.
    >
    > Thank you


    Put files for download to a special folder (e.g. /download) and check
    if requested file is located in that folder (avoid requests to other
    folders)
     
    Alexey Smirnov, Nov 17, 2007
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Michael Johnson Sr.

    Securing ASP.NET in a shared environment

    Michael Johnson Sr., Feb 17, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    335
    Michael Johnson Sr.
    Feb 17, 2004
  2. Johan Pingree

    Securing XML documents on a ASP.net site....

    Johan Pingree, Apr 26, 2004, in forum: ASP .Net
    Replies:
    9
    Views:
    415
    =?Utf-8?B?QW5kcmV3IENvcmxleSwgTUNTRCwgTUNEQkE=?=
    Apr 26, 2004
  3. TK
    Replies:
    1
    Views:
    434
    Hans Kesting
    Jun 24, 2004
  4. Steve C. Orr [MVP, MCSD]
    Replies:
    0
    Views:
    1,666
    Steve C. Orr [MVP, MCSD]
    Mar 7, 2005
  5. Steve Lloyd

    Securing files for download.

    Steve Lloyd, Dec 9, 2003, in forum: ASP .Net Security
    Replies:
    4
    Views:
    165
    Petr PALAS
    Dec 12, 2003
Loading...

Share This Page