Wanta .NET ?

Dave Wanta

Securing Site Content/Images

Let's face it, it's pretty difficult to secure site content and/or images on the internet. If it can be accessed via the web, it can probably be automated in some way to retrieve/download it.

A year or so ago, someone was telling me that the way they secure some image data for their gallery was to check the HTTP Referer and, if it matches their site, let the images through.

This is great; however, the HTTP Referer is actually sent by the browser, so this technique depends upon two things:
a. The browser sends the correct HTTP Referer (I’ve seen bugs with this).
and
b. Someone doesn’t spoof the Referer.

And with .NET, spoofing it has gotten even easier. In fact, I whipped up a console app and came up with this code:

Imports System.IO
Imports System.Net

Module Module1

    Sub Main()

        Console.WriteLine(FetchURL("http://www.google.com"))

        Console.ReadLine()

    End Sub


    ' Fetches SomeURL and returns the response body, sending a Referer of our choosing.
    Function FetchURL(ByVal SomeURL As String) As String
        Dim HTTPGetRequest As HttpWebRequest
        Dim myString As String

        HTTPGetRequest = DirectCast(WebRequest.Create(SomeURL), HttpWebRequest)
        HTTPGetRequest.KeepAlive = False
        ' The Referer is just a request header the client sets; the server cannot verify it.
        HTTPGetRequest.Referer = "http://www.microsoft.com"

        ' Using blocks close the response and the reader even if reading fails.
        Using WebResp As HttpWebResponse = DirectCast(HTTPGetRequest.GetResponse(), HttpWebResponse)
            Using sr As New StreamReader(WebResp.GetResponseStream(), System.Text.Encoding.Default)
                myString = sr.ReadToEnd()
            End Using
        End Using

        Return myString

    End Function

End Module


Cheers!
Dave

Comments

Frans Bouma said:

Protecting images is not that hard, that is, if you want to prevent deep linking. You should use a simple ASP page or ASP.NET page which streams the image in binary to the browser. You use this page as the source for your <img> tag. The trick is: the containing page sets a flag in the session. If the flag is set in the image stream page too, the user isn't deeplinking, but viewing the image on the original page. If the flag isn't set, stream an image like "deeplinking not allowed" or similar :)

This of course never stops the user from saving the image data to disk, but nothing does.
# July 7, 2003 9:46 AM
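
The session-flag approach described in the comment above, sketched as an ASP.NET handler in VB.NET. This is an added example, not code from the post or from either commenter; the handler name, session key, "name" query parameter and file paths are all assumptions.

```vbnet
Imports System.IO
Imports System.Web
Imports System.Web.SessionState

' Hypothetical handler (e.g. mapped to GalleryImage.ashx); every name here is an assumption.
Public Class GalleryImageHandler
    Implements IHttpHandler, IReadOnlySessionState

    ' Assumed session key. The containing gallery page sets it before rendering its <img> tags:
    '     Session(GalleryImageHandler.FlagKey) = True
    Public Const FlagKey As String = "GalleryPageViewed"
    ' Assumed locations: originals live outside the directly served tree.
    Private Const ImageDir As String = "~/App_Data/gallery/"
    Private Const DeniedImage As String = "~/images/no-deeplink.jpg"

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' A cached copy would be served without ever reaching this check.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache)
        context.Response.ContentType = "image/jpeg"

        ' Server-side session state decides, not the client-supplied Referer header.
        Dim flag As Object = context.Session(FlagKey)
        Dim allowed As Boolean = TypeOf flag Is Boolean AndAlso CBool(flag)

        ' GetFileName drops any directory part, so "..\web.config" cannot escape ImageDir.
        Dim name As String = Path.GetFileName(If(context.Request.QueryString("name"), ""))
        Dim isJpeg As Boolean = name.EndsWith(".jpg", StringComparison.OrdinalIgnoreCase)
        Dim fullPath As String = context.Server.MapPath(ImageDir & name)

        If allowed AndAlso isJpeg AndAlso File.Exists(fullPath) Then
            context.Response.TransmitFile(fullPath)
        Else
            ' No flag, wrong type or unknown file: stream the placeholder instead.
            context.Response.TransmitFile(context.Server.MapPath(DeniedImage))
        End If
    End Sub
End Class
```

A request with a forged Referer but no session gets the placeholder, while a visitor whose privacy software strips the Referer still sees the gallery. The flag only shows that this session loaded the gallery page, so it stays valid for direct requests until the session ends or the page clears it.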

Dave said:

yup!

In fact, I've written a HttpModule that deals with serving up images. I hope to post the code later this week.

Cheers!
Dave
# July 7, 2003 9:51 AM

Patrick Steele said:

There is a third option:

c) The Referer is set.

Some "privacy packages" (like Norton's) automatically strip referer headers from all HTTP requests. Of course it's required for some and the user can selectively enable referers for a specific site, but by default, it's stripped out.
# July 7, 2003 12:33 PM

The Jeff said:

That good ol' print screen messes with it too, because even if you can stop someone from saving it, you have to still stop them from print screening it.

The Jeff
# July 7, 2003 10:04 PM
