Click here to Skip to main content
Click here to Skip to main content

Securing image URLs in a website

, 21 Apr 2004 GPL3
Rate this:
Please Sign up or sign in to vote.
How to hide image URLs on a website to avoid illegal access, using a custom HttpHandler and encryption.

Introduction

Recently, I started work on a medical image server for a hospital. Clearly, in such a context, security is very important. Because I had to authenticate users using some 3rd party components that are integrated into the HIS (hospital information system), Windows authentication was out of the question. This meant I could not use NTFS permissions to secure the actual image files. Form based authentication is possible, but does not solve my problem of someone typing in the URL of a patient's image directly. For simplicity, I stuck with anonymous IIS authentication, and a login form that created a session ticket which could be checked on every page. Again, this does not solve the problem of direct image access using URLs. However, I found some interesting articles about custom HTTP handlers on the MSDN site. This alone actually WORSENS the problem as it allows a user to actually gain access to images on the whole file system of the web server, but together with symmetric encryption (again from articles on the net), a secure system can be setup!

Taking the images out of the website

In order to avoid somebody typing in URLs to gain illegal access to images, we have to take them out of the website if we cannot rely on file permissions. In order to still be able to access those files, we will setup a custom HTTP handler (also check out Microsoft support and more specifically MSDN). This last article looked exactly what I needed, so I implemented it. Please read it for details.

In web.config, you add:

<httpHandlers><add verb="GET" path="ShowImage.axd" 
   type="Imageserver.StreamImage, ImageServer" />
</httpHandlers>

The page ShowImage.axd is a dummy endpoint, it doesn't actually exist. The type tag points to a class in my namespace ImageServer, which I will list further. HTML image elements now looked something like:

<img src="ShowImage.axd?Path='Some PHYSICAL path, e.g. C:\Images\Img1.jpg'" />

Encryption

However, to my amazement, this method actually allows a user to download an image file from anywhere in the file system of the server. Indeed, I dumped an image test.jpg in C:\temp\ on the server, typed in the URL "ShowImage.axd?Path=C:\temp\test.jpg" in IE, and PRESTO, it showed the test image! Clearly not an improvement, even if it can be solved with extra coding in the handler and NTFS permissions ...

After some reflection, I decided to use symmetric encryption to make the Path querystring unreadable on the client, thereby hiding any details about the location of my images on the server. This also avoids users trying to type in random paths, as the chance that a valid path results after decryption is very, very small. So the procedure goes as follows:

  1. Generate a key when a user logs on and store it in the session object.
  2. Encrypt any path querystring in the ASP.NET pages using that key.
  3. Decrypt the path querystring in the StreamImage HttpHandler class associated with the ShowImage.axd endpoint.
  4. Read the image from the file system and stream it to the client.

So finally the HTTP handler looks as follows (based on MSDN code!):

Public Class StreamImage
    Implements IHttpHandler
    Implements IReadOnlySessionState
  Public ReadOnly Property IsReusable() As Boolean _
    Implements IHttpHandler.IsReusable
      Get
        Return True
      End Get
  End Property
  Private Sub WriteImage(ByVal ctx As HttpContext, ByVal FileName As String)
    If FileName Is Nothing Then Return
    Dim strContentType As String = "image/JPEG"
    Dim ext As String = IO.Path.GetExtension(FileName).ToLower
    Select Case ext
      Case ".gif"
        strContentType = "image/GIF"
      Case ".png"
        strContentType = "image/PNG"
    End Select
    ctx.Response.ContentType = strContentType
    ctx.Response.WriteFile(FileName)
  End Sub

  Public Sub ProcessRequest(ByVal ctx As HttpContext) _
      Implements IHttpHandler.ProcessRequest
  'This sub uses 3DES to decrypt the image filename to avoid people typing
  'in the URL to this handler directly, and thereby gaining read access to 
  'images on the WHOLE server filesystem!!!!!!!!!!!!!!!!
  'Each session generates its own symmetric key 
  'which is stored in the session object
  'This means that as long as the session object is safe there is no problem
    Try
      Dim strPath As String = ctx.Request.Params("Path"), strDecPath As String
      Dim bOk As Boolean = False
      ctx.Trace.Write("ProcessRequest", "Encrypted image path " & strPath)
      If Not strPath Is Nothing Then
        ' TODO -- Add Role Check
        strDecPath = Common.DecryptString(strPath, ctx.Session)
        ctx.Trace.Write("ProcessRequest", "Decrypted image path " & strDecPath)
        If Not strDecPath Is Nothing Then
          If File.Exists(strDecPath) Then
            bOk = True
          Else
            'ctx.Trace.Warn("ProcessRequest", _
            '  "Invalid image path after decryption!")
          End If 
        Else
          'ctx.Trace.Warn("ProcessRequest", "Encryption key or IV missing!")
        End If
      Else
        'ctx.Trace.Warn("ProcessRequest", "Image path missing!")
      End If
      If bOk Then
        Me.WriteImage(ctx, strDecPath)
      Else
        Me.WriteImage(ctx, ctx.Server.MapPath("/images/false.gif"))
      End If
    Catch ex As Exception
    'ctx.Trace.Warn("ProcessRequest", "Runtime error in custom HTTP handler!")
    End Try
  End Sub
End Class

The routines for the encryption and decryption of strings look like this (modified from code snippets on the net):

Public Overloads Shared Function EncryptString(ByVal value As String,_
              ByVal oPage As Page) As String
  If Not oPage.Session("Key") Is Nothing And Not _
                  oPage.Session("Key") Is Nothing Then
    Return EncryptString(value, oPage.Session("Key"), oPage.Session("IV"))
  Else
    Return Nothing
  End If
End Function

Public Overloads Shared Function EncryptString(ByVal value_
     As String, ByVal oKey() As Byte, ByVal oIV() As Byte) As String
  If value <> "" Then
    Dim oCryptoProvider As TripleDESCryptoServiceProvider = _
       New TripleDESCryptoServiceProvider
    Dim oMemoryStream As MemoryStream = New MemoryStream
    Dim oCryptoStream As CryptoStream = _
    New CryptoStream(oMemoryStream, oCryptoProvider.CreateEncryptor(oKey, oIV), _
        CryptoStreamMode.Write)
    Dim sw As StreamWriter = New StreamWriter(oCryptoStream)
    sw.Write(value)
    sw.Flush()
    oCryptoStream.FlushFinalBlock()
    oMemoryStream.Flush()
    Return Convert.ToBase64String(oMemoryStream.GetBuffer(),_
                                       0, oMemoryStream.Length)
  End If
End Function

Public Overloads Shared Function DecryptString(ByVal value_
          As String, ByVal oS As HttpSessionState) As String
  If Not oS("Key") Is Nothing And Not oS("Key") Is Nothing Then
    Return DecryptString(value, oS("Key"), oS("IV"))
  Else
    Return Nothing
  End If
End Function

Public Overloads Shared Function DecryptString(ByVal value As String, _
        ByVal oKey() As Byte, ByVal oIV() As Byte) As String
  If value <> "" Then
    Dim ooCryptoProvider As TripleDESCryptoServiceProvider_
                       = New TripleDESCryptoServiceProvider
    Dim buffer As Byte() = Convert.FromBase64String(value)
    Dim oMemStream As MemoryStream = New MemoryStream(buffer)
    Dim oCryptoStream As CryptoStream = _
      New CryptoStream(oMemStream, _
      ooCryptoProvider.CreateDecryptor(oKey, oIV), CryptoStreamMode.Read)
    Dim sr As StreamReader = New StreamReader(oCryptoStream)
    Return sr.ReadToEnd()
  Else
    Return ""
  End If
End Function

Some of the overloaded methods take into account that the personal symmetric key of a user is stored in the session object. Note that the querystring becomes almost twice as long because of the 2 byte per characters.

The correct URL for an image thus becomes (ASP style):

<img ID='ImageControl' 
  src='ShowImage.axd?Path=<% EncryptString("C:\Images\Img1.jpg", Page) %>' />

More likely the src attribute will be set in the code-behind page:

Aspx page:

<img ID='ImageControl' runat="'server'" />

aspx.vb codebehind:

ImageControl.attribues.add("src", _
  "ShowImage.axd?Path=" & EncryptString("C:\Images\Img1.jpg", Page))

Conclusion

We have presented a way to hide the URLs of images from any access outside that permitted by the security logic inside the aspx pages: no URLs in the HTML source code anymore, and no direct typing in of URLs either.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)

Share

About the Author

yvdh
Software Developer (Senior)
Belgium Belgium
Physicist, Biomedical Engineer, Phd in engineering. Specific expertise is in medical photography and it's related image processing, and in colourimetry.

Comments and Discussions

 
GeneralRe: Broken Images PinmemberandrewPP2-Jan-05 9:14 
GeneralRe: Broken Images Pinmemberyvdh3-Jan-05 2:42 
GeneralSession Data PinsussAnonymous22-Jun-04 3:48 
GeneralRe: Session Data Pinmemberyvdh22-Jun-04 4:47 
GeneralRe: Session Data PinsussAnonymous22-Jun-04 7:31 
GeneralRe: Session Data Pinmemberyvdh23-Jun-04 1:39 
GeneralRe: Session Data PinsussAnonymous24-Jun-04 6:24 
GeneralRe: Session Data Pinmemberyvdh25-Jun-04 0:25 
Ahah,
 
that's your problem! To my knowledge there is only one web.config file per web application, and thats were the handler must be set. However, when it says it can't find the proper assembly it means you probably have a namespace problem. For instance, if your web application defines the namespace 'ImageServer', and the class is called 'StreamImage', then you insert
 
<add verb="GET" path="ShowImage.axd" type="Imageserver.StreamImage, ImageServer" />
 
In your case you should check your application namespace, it is possibly different than what I used, i.e. 'ImageServer' (Click properties on your project and set the root namespace in 'General'). Also, web.config is an XML file, so it is CASE-SENSITIVE!!!! To give you an example, I mistakenly used 'Imageserver' instead of 'ImageServer' with capital S when naming my root namespace and thats why it says 'Imageserver.StreamImage' instead of 'ImageServer.StreamImage' as I would have liked! If I use 'ImageServer.StreamImage' it gives the same assembly error as you had! So to conclude:
- 1 web config
- set root namespace
- use correct namespace.class in web.config
- try until no assembly error on startup!
 
Good luck
Big Grin | :-D
 
Yves
 


GeneralRe: Session Data PinsussAnonymous25-Jun-04 5:13 
QuestionHow to create the key Pinmemberyvdh15-Jun-04 23:15 
AnswerRe: How to create the key PinsussAnonymous25-Jun-04 5:04 
GeneralNice article PinmemberAbdul (Rajib) Bahar14-May-04 5:21 
GeneralRe: Nice article Pinmemberyvdh14-May-04 6:14 
QuestionWhy not do this? PinsussAnonymous30-Apr-04 0:40 
AnswerRe: Why not do this? Pinmemberyvdh30-Apr-04 1:13 
GeneralNice but.... PinmemberFrank Ouimette28-Apr-04 6:09 
GeneralRe: Nice but.... Pinmemberyvdh28-Apr-04 23:05 
GeneralRe: Nice but.... PinmemberFrank Ouimette29-Apr-04 5:42 
GeneralExcellent! PinmemberA. Riazi24-Apr-04 18:58 
GeneralUsage PinmemberStas Elensky22-Apr-04 7:54 
GeneralRe: Usage Pinmemberyvdh22-Apr-04 11:02 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.141216.1 | Last Updated 22 Apr 2004
Article Copyright 2004 by yvdh
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid