This article is a mirror article of machine translation, please click here to jump to the original article.

Architect_Programmer_Code Agriculture Network»Architect Programming .Net/C # ASP.NET Prohibit access to log files in the form of URLs
View: 11727|Reply: 0

[Tips] ASP.NET Prohibit access to log files in the form of URLs

[Copy link]
Posted on 9/19/2020 12:55:09 PM | | | |
asp.net When using log4net to write logs, the log files will be stored in a folder in the root directory of the project, if the attacker can find the txt log file through brute force impersonation requests, and access it through the URL, you can obtain some sensitive information, how to block the sensitive directory from being accessed through the URL? This article will explain.

Log files:

http://localhost:60155/Log/LogInfo/20180903.txt



You can easily read the log file content through a browser, how to block sensitive directories from being accessed through URLs?

Method 1 (Measured)

In Web.config, configure the following configuration:



At this time, browse the 20180903.txt in the Log/LogInfo directory again and find that it is prohibited, and the prompt is as follows:



The page shows a 404 error, and the page is a custom 404 error page that I customized.

Note: The configured log will not be case-sensitive, that is, all lowercase URL links will also report a 404 error.

Method 2 (untested)

Or edit the web.config file as follows:


The HttpForbiddenHandler code is as follows:


The principle is to forward the link of the specified rule to the corresponding request pipeline, and then the customized HTTP request pipeline will process the request.




Previous:Autofac controls scope and lifetime
Next:ASP.NET Core gets the relative path to the current URL

Related Posts
Disclaimer:
All software, programming materials or articles published by Code Farmer Network are only for learning and research purposes; The above content shall not be used for commercial or illegal purposes, otherwise, users shall bear all consequences. The information on this site comes from the Internet, and copyright disputes have nothing to do with this site. You must completely delete the above content from your computer within 24 hours of downloading. If you like the program, please support genuine software, purchase registration, and get better genuine services. If there is any infringement, please contact us by email.
Mail To:help@itsvse.com