Microsoft MVC’s Doggy Door

TLDR: Microsoft MVC has a ‘secret’ backdoor which is not very useful for developers or hackers.

Recently I was poking around in the Microsoft MVC codebase trying to figure out how to make my own bundler. While there I came across the following rather peculiar-looking code:

    //source https://aspnetoptimization.codeplex.com/SourceControl/latest#src/System.Web.Optimization/DefaultBundleBuilder.cs
    /// <summary>
    /// Intrumentation mode applies only for Page Inspector and will consist of no minification
    /// and a special preamble between files in the bundle.
    /// </summary>
    /// <param name="context">The HTTP context providing details of the request</param>
    /// <returns>A boolean value indicating whether the requestor is Page Inspector.</returns>
    internal static bool GetInstrumentationMode(HttpContextBase context) {
        if (context == null || context.Request == null) {
            return false;
        }

        string userAgent = context.Request.UserAgent;
        if (!String.IsNullOrEmpty(userAgent) && Regex.IsMatch(userAgent, @"Eureka/(?[\d\.]+)")) {
            return true;
        }

        return false;
    }

    /// <summary>
    /// Logic for a bundle request is as follows:
    /// 1. Generate the ordered list of files to include in the bundle i.e. Orderer.OrderFiles(GetFiles())
    /// 2. We read in the contents of the files, generate the BundleResponse, and apply the Transform specified
    /// 4. We send the response using the transformed BundleResponse
    /// </summary>
    internal void ProcessRequest(BundleContext context) {
        context.EnableInstrumentation = GetInstrumentationMode(context.HttpContext);

Of interest in this code is the seemingly random user-agent which appears to cause MVC to ‘enable instrumentation’ of bundles.

Regex.IsMatch(userAgent, @"Eureka/(?[\d\.]+)")

From the code it does not appear there is any way for a developer to disable this mode. Switching my user agent to Eureka/1.0, I fired off a GET for both JavaScript and CSS bundles. Surprisingly, it worked. Whenever MVC received a request for a bundle from this Eureka user agent, it would respond with an instrumented version of the bundle. This instrumented version included not only the locations of any source files used to generate the bundle, but also a non-minified, non-obfuscated version of the source code.

As an example consider the following two requests made to .NET security expert Troy Hunt’s haveibeenpwned.com.

HaveIBeenPwned’s JavaScript properly bundled

HaveIBeenPwned’s JavaScript in instrumentation mode

I don’t think this is a very large concern, as obfuscated JavaScript or CSS should never be used as a substitute for proper security. However, that does not justify the existence of this ‘secret’ mode for the MVC bundler.
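
Because the bundler keys this mode purely on the User-Agent header, a site owner can check whether instrumented bundles are being requested by searching the web server logs for that agent. The following is an added example, not code from the original post or from Microsoft; it assumes IIS W3C extended logs and the default MVC template bundle prefixes /bundles/ and /Content/, and the sample log lines are constructed.

```python
import re

# Same unanchored match the bundler applies to the User-Agent. The page's
# pattern also wraps the version digits in a group, which does not change
# which strings match.
EUREKA_UA = re.compile(r"Eureka/[\d.]+")

# Constructed IIS W3C extended log sample (documentation IPs, made-up paths).
# IIS writes spaces inside the User-Agent as '+', so fields split on spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
2014-03-02 10:15:01 203.0.113.7 GET /bundles/jquery v=abc123 Mozilla/5.0+(Windows+NT+6.1)+Chrome/33.0 200
2014-03-02 10:15:09 198.51.100.23 GET /bundles/site v=def456 Eureka/1.0 200
2014-03-02 10:15:12 198.51.100.23 GET /Content/css - Mozilla/5.0+Eureka/1.0 200
2014-03-02 10:16:40 203.0.113.7 GET /Home/About - Eureka/1.0 200
"""


def find_instrumented_requests(log_text, bundle_prefixes=("/bundles/", "/Content/")):
    """Return log records where a bundle URL was requested with a Eureka UA.

    bundle_prefixes is an assumption: adjust it to the virtual paths
    registered in the application's own bundle configuration.
    """
    prefixes = tuple(p.lower() for p in bundle_prefixes)
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # IIS can re-emit #Fields mid-file; always use the latest layout.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, values))
        ua = rec.get("cs(User-Agent)", "")
        path = rec.get("cs-uri-stem", "").lower()
        if EUREKA_UA.search(ua) and path.startswith(prefixes):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_instrumented_requests(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

Requests from the Eureka agent to non-bundle URLs are ignored, since only bundle responses change in instrumentation mode.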