To use this tool:
1) Compile PDFXSSFilter.cs. This can be done in VS.NET 2003 or 2005, or from the command line (csc 1.1 or 2.0). You will need to add a reference to System.Web.dll before it will compile.
2) Once compiled, drop the file in the /bin directory of the ASP.NET application
3) Open the IIS Admin tool
4) Right click on the site / virtual directory you wish to implement this on
5) Select the "Home Directory" tab (or "Virtual Directory" depending on the type of site)
6) Under the "Application settings" section, click on the "Configuration" button
7) Double-click on the extension for .ascx (or any other entry handled by asp.net)
8) Copy the text from the "Executable" line
9) Click "Cancel"
10) Click "Add" to create a new extension type
11) Under "Executable" paste the line you copied from above (note, this is the path to the appropriate aspnet_isapi.dll)
12) For "Extension", enter ".pdf"
13) Under "Verbs", you can leave this as "All verbs" - if performance is an issue, you may try limiting this to GET and POST
14) Click "OK"
15) Click "OK" to close the "Application Configuration" window
16) Click "OK" to close the site properties
17) Open the web.config file for the site in question
18) In the <system.web> section, look for the <httpHandlers> section. If one does not exist, add it now.
19) Add the entry for the PDFXSSFilter to the httpHandlers section. Your configuration may look something like:
    <httpHandlers>
        <add verb="*" path="*.pdf" type="PDFXSSFilter,PDFXSSFilter" />
    </httpHandlers>
20) Now add an entry for the TokenEncryptionKey to the <appSettings> section. Make sure to change this key for your site or it will defeat the purpose of adding this code.
21) Now add a TokenTimeout entry to the <appSettings> section - this allows you to specify the timeout value.
A very simple web.config file could look like this:
    <configuration>
        <system.web>
            <httpHandlers>
                <add verb="*" path="*.pdf" type="PDFXSSFilter,PDFXSSFilter" />
            </httpHandlers>
        </system.web>
        <appSettings>
            <add key="TokenTimeout" value="10" />
            <add key="TokenEncryptionKey" value="DEADBEEFC0FFEE" />
        </appSettings>
    </configuration>
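A check for steps 19 to 21, as an added example (not part of PDFXSSFilter or the original article): it parses a web.config and reports a missing *.pdf handler entry, a missing TokenTimeout, or a TokenEncryptionKey left at the sample value shown above. The function name is hypothetical, and treating TokenTimeout as a positive integer is an assumption based on the sample value.

```python
import xml.etree.ElementTree as ET

SAMPLE_KEY = "DEADBEEFC0FFEE"  # placeholder key from the sample web.config above

# The sample web.config from this page, embedded so the check runs offline.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.pdf" type="PDFXSSFilter,PDFXSSFilter" />
    </httpHandlers>
  </system.web>
  <appSettings>
    <add key="TokenTimeout" value="10" />
    <add key="TokenEncryptionKey" value="DEADBEEFC0FFEE" />
  </appSettings>
</configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings for the PDFXSSFilter settings (hypothetical helper)."""
    findings = []
    root = ET.fromstring(xml_text)

    # Step 19: some handler entry must route *.pdf to the PDFXSSFilter type.
    handlers = root.findall("./system.web/httpHandlers/add")
    if not any(h.get("path", "").lower() == "*.pdf"
               and h.get("type", "").split(",")[0].strip() == "PDFXSSFilter"
               for h in handlers):
        findings.append("no httpHandlers entry mapping *.pdf to PDFXSSFilter")

    settings = {a.get("key"): a.get("value", "")
                for a in root.findall("./appSettings/add")}

    # Step 20: the key must exist and must not be the published sample value.
    key = settings.get("TokenEncryptionKey")
    if not key:
        findings.append("TokenEncryptionKey is missing or empty")
    elif key.upper() == SAMPLE_KEY:
        findings.append("TokenEncryptionKey is still the sample value")

    # Step 21: timeout must be present (assumed to be a positive integer).
    timeout = settings.get("TokenTimeout")
    if timeout is None:
        findings.append("TokenTimeout is missing")
    elif not timeout.strip().isdigit() or int(timeout) <= 0:
        findings.append("TokenTimeout is not a positive integer")
    return findings

if __name__ == "__main__":
    print(audit_web_config(SAMPLE_CONFIG))
```
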
You may need to close any instances of your browser and/or stop any running instances of Acrobat Reader for this to take effect. I have not done extensive testing of this code and make no guarantees regarding its use. This code is completely public domain and you may do with it as you like. Thanks to Amit Klein, Guy Podjarny, and the rest of the WebSecurity Mailing List (http://www.webappsec.org/lists/websecurity/) for the details to implement this.
Enhanced version - Sidney Chong - 24/4/2007
Original version - Mike Metzger - 1/4/2007