Wanta .NET ?

Dave Wanta

Securing Site Content/Images

Let's face it, it's pretty difficult to secure site content and/or images on the internet. If it can be accessed via the web, retrieving or downloading it can probably be automated in some way.

A year or so ago, someone was telling me that the way they secure some image data for their gallery is to check the HTTP Referer and, if it matches their site, let the images through.

This is great; however, the HTTP Referer is a request header sent by the browser, so this technique depends upon two things:
a. The browser sends the correct HTTP Referer (I’ve seen bugs with this).
and
b. Someone doesn’t spoof the Referer.

And with .NET this has gotten even easier. In fact, I whipped up a console app and was able to generate this code.

Imports System
Imports System.IO
Imports System.Net
Imports System.Text

Module Module1

    Sub Main()
        Console.WriteLine(FetchURL("http://www.google.com"))
        Console.ReadLine()
    End Sub

    ' Fetches SomeURL and returns the response body as a string.
    Function FetchURL(ByVal SomeURL As String) As String
        ' WebRequest.Create returns the base type, so cast to reach the Referer property.
        Dim HTTPGetRequest As HttpWebRequest = DirectCast(WebRequest.Create(SomeURL), HttpWebRequest)
        HTTPGetRequest.KeepAlive = False
        ' Referer is an ordinary request header: the client sets it to whatever value it likes.
        HTTPGetRequest.Referer = "http://www.microsoft.com"

        ' Using disposes the response and the reader even if reading fails.
        Using WebResp As HttpWebResponse = DirectCast(HTTPGetRequest.GetResponse(), HttpWebResponse)
            Using sr As New StreamReader(WebResp.GetResponseStream(), Encoding.Default)
                Return sr.ReadToEnd()
            End Using
        End Using
    End Function

End Module


Cheers!
Dave

Comments

Frans Bouma said:

Protecting images is not that hard, that is, if you want to prevent deep linking. You should use a simple ASP page or ASP.NET page which streams the image in binary to the browser. You use this page as the source for your <img > tag. The trick is: the containing page sets a flag in the session. If the flag is set in the image stream page too, the user isn't deeplinking, but viewing the image on the original page. If the flag isn't set, stream an image like "deeplinking not allowed" or similar :)

This of course never stops the user from saving the image data to disk, but nothing is.
# July 7, 2003 9:46 AM
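
The session-flag check described in the comment above, sketched as an ASP.NET handler in VB.NET. This is an added example, not code from the post or from any commenter; the session key, the gallery folder, the blocked.png placeholder and the image.ashx URL the handler is mapped to are all assumptions.

```vb
Imports System.IO
Imports System.Text.RegularExpressions
Imports System.Web
Imports System.Web.SessionState

' Added example. Assumed names: the "GalleryViewer" session key, the
' ~/App_Data/gallery folder, and blocked.png as the placeholder image.
Public Module GalleryGate
    Public Const FlagKey As String = "GalleryViewer"

    ' The containing page calls this (e.g. in Page_Load) before it renders
    ' <img src="image.ashx?name=photo1.jpg">.
    Public Sub MarkViewer(ByVal session As HttpSessionState)
        session(FlagKey) = True
    End Sub

    ' Accept only a bare file name with a known image extension, so the query
    ' string can never address a path outside the gallery folder.
    Public Function IsSafeName(ByVal name As String) As Boolean
        Return name IsNot Nothing AndAlso Regex.IsMatch(name, "^[A-Za-z0-9_-]{1,64}\.(jpg|png|gif)\z")
    End Function
End Module

Public Class ImageHandler
    Implements IHttpHandler, IRequiresSessionState ' opt in to session access

    Public ReadOnly Property IsReusable As Boolean Implements IHttpHandler.IsReusable
        Get
            Return True
        End Get
    End Property

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        Dim root As String = context.Server.MapPath("~/App_Data/gallery")
        Dim name As String = context.Request.QueryString("name")
        Dim target As String = Path.Combine(root, "blocked.png")

        ' The Referer header is never consulted: the decision rests on
        ' server-side session state that the client cannot set directly.
        Dim viewed As Boolean = Object.Equals(context.Session(FlagKey), True)
        If viewed AndAlso IsSafeName(name) Then
            Dim candidate As String = Path.Combine(root, name)
            If File.Exists(candidate) Then target = candidate
        End If
        context.Response.ContentType = "image/" & Path.GetExtension(target).TrimStart("."c).Replace("jpg", "jpeg")
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache)
        context.Response.TransmitFile(target)
    End Sub
End Class
```

The flag lasts for the whole session, so this turns away clients that never loaded the gallery page; it does not stop a visitor who has loaded it from requesting or saving the image.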

Dave said:

yup!

In fact, I've written a HttpModule that deals with serving up images. I hope to post the code later this week.

Cheers!
Dave
# July 7, 2003 9:51 AM

Patrick Steele said:

There is a third option:

c) The Referer is set.

Some "privacy packages" (like Norton's) automatically strip referer headers from all HTTP requests. Of course it's required for some and the user can selectively enable referers for a specific site, but by default, it's stripped out.
# July 7, 2003 12:33 PM

The Jeff said:

That good ol' print screen messes with it too, because even if you can stop someone from saving it, you have to still stop them from print screening it.

The Jeff
# July 7, 2003 10:04 PM