HTTP referer spoofing, cookies, User Agent strings

There was a post on one of the groups recently by a developer who was making a number of WebRequests for various pages, claiming that one of them would strangely fail.

Yet, this individual stated that if he would paste the respective URL into his browser, that page would come up just fine.

There are several things that could come into play here with various sites:

1) Many sites will reject a request that doesn't match a particular one or more User Agent strings (Here are some samples, if your memory is rusty). So you can add the UserAgent header to the WebRequest. I've even seen some wise-asses who detect Internet Exploder and give you a nasty message about how immoral you are and you should go download Firefox to become a real person and how dare you try to view my site with ..etc...

(Listen, Pal: I already figured out you are a Webtard, so I'm not going to bother to fire up my copy of Firefox to see your page, which I already know is worthless. Besides, your little shenanigan is currently restricting you to only about 15% of your potential audience. Go take a good course in Marketing.)


2) Many times a site is looking for a cookie. Perhaps they set it when you first visit, and subsequent pages look for it. So if you make a request for a "Subsequent page" without the required cookie, you get "Bupkis". Some cookie container code:


CookieContainer myContainer = new CookieContainer();


            // following line adds a cookie in container, which will be for all urls on the domain myDomainstr


            myContainer.Add(new Cookie("name", "value", "/", myDomainstr));


            HttpWebRequest request1 = (HttpWebRequest)WebRequest.Create(httpUrlString);


            request1.CookieContainer = myContainer; // use this same container for all requests


            HttpWebResponse response = (HttpWebResponse)request.GetResponse(); //you can check cookies on response.Cookies


 


            // next request coming--


 


            //all cookies received on request1 would be automatically included in this request from same Cookiecontainer


            HttpWebRequest request2 = (HttpWebRequest)WebRequest.Create(httpUrlString2);


            request2.CookieContainer = myContainer;


            HttpWebResponse response = (HttpWebResponse)request.GetResponse();




3) Another common issue is redirects. Here are a couple of settings you can use:

webrequest.AllowAutoRedirect = [true|false];
webrequest.MaximumAutomaticRedirections = 30;

You can also capture the redirect url:


 public virtual string GetRedirectURL(HttpWebResponse


                webresponse, ref string Cookie)


        {


            string uri = "";


 


            WebHeaderCollection headers = webresponse.Headers;


            if ((webresponse.StatusCode == HttpStatusCode.Found) ||


              (webresponse.StatusCode == HttpStatusCode.Redirect) ||


              (webresponse.StatusCode == HttpStatusCode.Moved) ||


              (webresponse.StatusCode == HttpStatusCode.MovedPermanently))


            {


                // Get redirected uri


                uri = headers["Location"];


                uri = uri.Trim();


            }


 


            //Check for any cookies


            if (headers["Set-Cookie"] != null)


            {


                Cookie = headers["Set-Cookie"];


            }


 


            return uri;


        }//End method





4) Another common technique (this one is real popular with "those" sites) is to check the HTTP Referer. That's available (in ASP.NET) with the Request.UrlReferer property. They do this as a sort of "poor man's authentication" - the idea being that you got in at some "gateway" page with your credentials, and now they figure that you could only be requesting one of their pages from within one of their sites that you "got into" so they look for one or more referers. Here's some code to handle this in a WebRequest:


public string GetUrl(string url, string referer)


        {


           // assumes a fully-qualified "http://" url


            HttpWebResponse webResp = null;


            HttpWebRequest HTTPGetRequest = null;


            StreamReader sr = null;


            string myString = String.Empty;


            HTTPGetRequest = (HttpWebRequest)(WebRequest.Create(url));


            HTTPGetRequest.KeepAlive = false;


            HTTPGetRequest.Referer = referer;


            webResp = (HttpWebResponse)HTTPGetRequest.GetResponse();


            sr = new StreamReader(webResp.GetResponseStream(), Encoding.UTF8);


            myString = sr.ReadToEnd();


            sr.Dispose();


            webResp.Close();          


            return myString;


        }




Happy Spoofing!


Inspector Rae and the case of the Incredible Shrinking DIV


This one popped up on the asp.net newsgroup, and I think it's good for a chuckle!

Comments

Post a Comment

Popular posts from this blog

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX

One of the most annoying things a developer (who would normally delight in writing code, not futzing with markup) can have is getting rendering issues between different browsers. The two biggest players are of course Internet Exploder and Firefart (as I lovingly like to refer to each). In most cases that's going to take care of 98 percent of your total site traffic. IE has had a proprietary "word-break" style attribute for a long time, and this made it into the CSS 3.0 spec. But that doesn't necessarily help you with Firefox right now. Firefox literally - (and I consider this completely idiotic, since it's been in their bug database for FIVE YEARS) does not have a reliable CSS style element to force table cell content to break in the middle of a word in order to stop the content from expanding your table / div off the page or over other content on the page. Here's a partial fix, which will work for most tables and browsers. The style declaration (I call it m
Read more

Some observations on Script Callbacks, "AJAX", "ATLAS" "AHAB" and where it's all going.

I've taken a more than cursory interest in the whole Remote Scripting (.NET species) vs. AJAX and now ATLAS discussion, mostly because I started using Remote Scripting since Microsoft first released it, and because I continued to refine it after seeing Brent Ashley's excellent work with JSRS, which was one of the first "real" cross-browser solutions back in 2000 (that's the turn of the Century for you history buffs). Now Bertrand Leroy, a Microsoft guy whose work I like , has authored some very interesting ASP.NET 2.0 script callback stuff that he points to on his blog, and he is obviously (at least, to me he is) involved quite heavily in the development of this new ATLAS infrastructure that they'll preview at PDC. Leroy's most recent post brings to the surface what I agree are the major differences between the "AJAX a - la .NET" approach as popularized by Michael Swartz with his AJAX.NET library, and Leroy's RefreshPanel, the ASP.NET 2.0 b
Read more

IE7 - Vista: "Internet Explorer has stopped Working"

Image
This one was a bitch. All of a sudden for no reason at all, out of the blue, I get this dialog "internet Explorer has stopped working". I didn't install any new software, crap- I didn't do anything! So here I am using FIREFART to go on the internet and find out what to do! Damn! Good thing I've got the sucker on the same machine (I'm not "anti-Firefox", i just don't use it that much except to check my page renderings). The Fix The fix (at least for me): 1) Go into Control Panel, and choose "Internet Options". 2) Under the "Advanced" tab, press the "RESET" button at the lower right: Don't ask me why this happens, or why the fix works. That's a BUG, D00D - I don't care how you slice it!
Read more