Click here to Skip to main content
15,867,860 members
Articles / Web Development / ASP.NET

How to Rename the Trace.axd?

Rate me:
Please Sign up or sign in to vote.
0.00/5 (No votes)
26 Nov 2014CPOL7 min read 26.5K   59   2   1
Renaming of Trace.axd to custom name in ASP.NET

Introduction

Trace is a great diagnosing feature in ASP.NET and it is a very useful tool to debug the ASP.NET applications especially in production servers where we are not able to debug the applications. Trace collects the diagnosing information like page execution flow, request information, custom trace messages and other diagnosing information at runtime to debug an application. Basically, it appends the collected information into a page or trace viewer (Trace.axd) content. The flip side, the trace introduces a high vulnerability security risk by exposing all essential information of an application to the outside world, so hackers can use this information and play around it. This is one of the reasons why we have been advised to stop trace on production servers (also it has performance impact).

Trace.axd is a virtual and hardcoded resource to access the trace viewer and it is well known for information leak in the application security world. Hackers can use this trace.axd to collect the information when trace is enabled on a web application. Another problem is we can’t rename the Trace.axd to custom name and there is no straight forward option that exists in ASP.NET. I found some interesting steps to rename the Trace.axd and in this article, we are going to see how to rename the Trace.axd to custom resource name in ASP.NET step by step.

Pre-requisites

I am assuming that you have knowledge on ASP.NET trace, HTTP handler and module concepts. Having knowledge on response filter is nice to have but it is not mandatory. If you don’t have knowledge about the above mentioned items, don't worry just go through the following links then come back here for better understanding.

Background

In ASP.NET, all requests related to dynamic resources are handled by corresponding http handlers, same way the trace viewer request (Trace.axd) is handled by TraceHandler from System.Web namespace. With this information, we can add a handler configuration to web.config with an alternate name for Trace.axd. But the problem is not solved completely because the trace handler injects the Trace.axd references into hyperlinks so when user clicks on these hyperlinks, it will navigate to Trace.axd. As you know, we can’t modify the trace handler content directly so we can't replace Trace.axd references from the trace viewer output until and unless we are creating our own trace handler but fortunately we have an option in ASP.NET called Response Filter which can alter the response before sending to the browser. Response filter is a specialized version of stream and it has options to read and write the response content.

Renaming of Trace.axd

By using http handler/module and response filter concepts, we are going to emulate the renaming of Trace.axd and it requires the following five steps:

  • Enable the Trace
  • Block the access of Trace.axd
  • Configure an alternate name for Trace.axd
  • Create a Response Filter
  • Register the Response Filter

The following diagram explains about the smart trace viewer life cycle in the ASP.NET application.

Image 1

Enable the Trace

I am assuming that you have already enabled the trace option in web.config. Since it is a prerequisite for other steps, I want to make sure that you have already done it. If not, please add the following configuration in web.config.

XML
<system.web>
  <trace enabled="true" localOnly="false" 
  pageOutput="false" requestLimit="500" 
  mostRecent="true" traceMode="SortByTime"/>
</system.web>

Alter the above settings according to your needs.

Block the Access of Trace.axd

As long as trace is enabled, we can access the Trace.axd from outside the world so we need to block the access of Trace.axd just like how the web.config is blocked in web server. We can do the same for Trace.axd by simply adding the following configuration in web.config.

XML
<system.webserver>
  <security>
    <requestfiltering>
      <hiddensegments>
        <add segment="Trace.axd"></add>
      </hiddensegments>
    </requestfiltering>
  </security>
</system.webserver>

The above settings will not work with ASP.NET Development Server, so we need to deploy our solution on IIS7 or above to test the same.

When we are trying to access the Trace.axd from the local IIS server, it will return the following error message after adding the above configuration in web.config.

Image 2

When we are trying to access the Trace.axd from remote machine, it will return the following message:

Image 3

Configure an Alternate Name for Trace.axd

Next step, we need to specify the custom name to access the trace viewer, to do that, add the following configuration in web.config. Here, I given Eventviewer.aspx as an alternate resource to Trace.axd and you can give whatever name you want.

XML
<system.web>
  <httpHandlers>
    <add verb="GET,POST" path="Eventviewer.aspx" 
    validate="false" type="System.Web.Handlers.TraceHandler, 
    System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </httpHandlers>
</system.web>

<system.webServer>
  <validation validateIntegratedModeConfiguration="false"/>
  <handlers>
    <add name="SmartTraceHandler" path="Eventviewer.aspx" 
    verb="GET,POST" type="System.Web.Handlers.TraceHandler, System.Web, 
    Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </handlers>
</system.webServer>

Now, you can access the trace viewer through eventviewer.aspx but as we know, the content of eventviewer page still refers to Trace.axd in the hyperlinks. In the next section, we are going to see how to fix it.

Create a Reponse Filter

Fortunately, we have response filter in ASP.NET to alter the response before sending to the browser and we are going to use this response filter to replace Trace.axd with custom resource name in all hyperlinks. Response filter is a specialized form of stream class and it overrides few important methods and properties of stream class to read and write the response content. Here, I created a response filter called TraceFilter and it has an overridden Write method to find and replace all Trace.axd references. The following snippet shows the Write method of TraceFilter.

C#
public override void Write(byte[] buffer, int offset, int count)
        {
            var content = _encoding.GetString(buffer, offset, count);

            // Find all trace.axd entries and replace it with custom resource name
            var checkTrace = new Regex("Trace.axd", RegexOptions.IgnoreCase);

            if (checkTrace.IsMatch(content)) {
                content = checkTrace.Replace(content, TraceFile);
                buffer = _encoding.GetBytes(content);
            }
            // write back the modified response
            _stream.Write(buffer, 0, buffer.Length);
        }

Register the Response Filter

Now, we need to attach the new response filter in to response context but there is no easy way to do it (not like adding an http handler/http module configuration in web.config). In order to do it, we need to create an http module and attach it to the corresponding response context. Here, I created an http module called SmartTraceModule and it will check for custom resource related request and attach our response filter to the response.

C#
public class SmartTraceModule : IHttpModule
    {
        /// <summary>
        /// Initialize the custom trace module
        /// </summary>
        /// <param name="context"></param>
        public void Init(HttpApplication context)
        {
            //Make sure the current request is related to ASP.NET 
            //dynamic pages and it's already processed with respective handler
            context.ReleaseRequestState += new EventHandler(InstallTraceFilter);
        }

        /// <summary>
        /// Installs the trace filter to current response stream 
        /// when the current request to smart trace viewer and content type in text/html
        /// </summary>
        /// <param name="sender"></param>
        /// <param name="e"></param>
        private static void InstallTraceFilter(object sender, EventArgs e)
        {
            var context = HttpContext.Current;
            var response = context.Response;
            //install the trace filter when the current request 
            //to smart trace viewer and content type is text/html
            if (context.Request.RawUrl.ToLower().EndsWith(TraceFilter.TraceFile) 
                && response.ContentType == "text/html")
                response.Filter = new TraceFilter(response.Filter,response.ContentEncoding);
        }
        
        /// <summary>
        /// Clean all used resources here
        /// </summary>
        public void Dispose() {

        }        
    }

Finally, we need to configure the SmartTraceModule into web.config as below:

XML
<system.web>
  <httpModules>
     <add name="SmartTraceModule" type="SmartTrace.SmartTraceModule, SmartTrace"/>
  </httpModules>
</system.web>

<system.webServer>
  <validation validateIntegratedModeConfiguration="false"/>
  <modules runAllManagedModulesForAllRequests="true">
     <add name="SmartTraceModule" type="SmartTrace.SmartTraceModule, SmartTrace"/>
  </modules>
</system.webServer>

Now, we are ready to access the trace viewer with custom name (in this case eventviewer.aspx). To test with the attached sample project, do the following steps:

  1. Download the attached source and open the solution with Visual Studio 2010 or above version.
  2. Build and run the application. It will open the http://localhost:53927/ URL on your default browser and you will get the following screen:

    Image 4

  3. Click all buttons which are displayed on the screen to produce some trace data. Then type URL http://localhost:53927/eventviewer.aspx to view the trace viewer and you will get the following trace viewer screen.

    Image 5

    Here, we got the trace viewer successfully with new name (eventviewer.aspx) instead of Trace.axd. Since we did not change any functionality of trace viewer, it will work as it is how it works before. Here, you can click the view details link to navigate details view.

    Image 6

    Image 7

As we expected, the new resource name (eventviewer.aspx) is added to details page URL by our response filter.

Conclusion

In this article, we have seen how to rename the Trace.axd into custom resource name but this is not a bullet proof solution for security issues, in fact it introduces a little performance impact by modifying the response content (an additional step required to rename the Trace.axd from the response content). Leaving the trace viewer to public access is a high vulnerability risk so restrict it to authorized persons with proper authentication. It is always better to stop the trace in production servers (for both performance and security improvements) but you can make use of this option in unavoidable situations. Thanks for reading this article and I hope it shared some useful information to you. Please provide your valuable feedback on this article.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Architect FE
India India
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

 
SuggestionMinor suggestion, if TraceFile value is mixed case, response filter may not be installed Pin
who_else30-May-19 12:07
who_else30-May-19 12:07 
First, thank you for the contribution, I appreciate it and am testing something similar on an intranet for a customer.

Now, I am not certain if anyone else has run into this, but depending on the value of TraceFilter.TraceFile (specifically when the tracefile value is mixed case): the response filter may not be installed.

I would suggest this line

> if (context.Request.RawUrl.ToLower().EndsWith(TraceFilter.TraceFile)

change to

> if (context.Request.RawUrl.ToLower().EndsWith(TraceFilter.TraceFile.ToLower())

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.