In this article, I begin an implementation of an FTP client in managed code. (The basis for this article was a previously published knowledge base article from Microsoft.com, knowledge base 832670, How to Access a File Transfer Protocol Site by Using Visual Basic .NET. The code is uniquely my own, but some snippets were mined from that article.) While the implementation is not complete, the article is a good starting point that provides enough information to enable you to write a complete implementation.
Why might you want to write an FTP client in the 21st century? Simple: Many of the largest companies in the world are still using 20th century code. Best-in-class businesses use dated technology because their business processes are dependent on legacy systems that would be too costly, too labor-intensive, and too risky to migrate all at once. Thus, many of these companies are bridging the old and new in stages using intermediate techniques like FTP-ing data for batch processing.
At such companies, if a business-to-business transaction takes hours or days, a legacy system is in the way. In fact, if whatever you need cannot be done "while you wait," data more than likely is being FTP-ed, batched, or evaluated by a person instead of a machine, and manual steps or legacy systems are in the way. Lost luggage, checks being held, and latency between the application for a loan and its approval are all examples of dated processes and dated software.
Why is this important to know? Simple: Many mega-software systems need to be migrated, and in many instances this migration has only just begun. This makes TCP and socket programming skills useful and valuable, and it also means that much work remains to be done in the field of software development.
Building an FTP Client with .NET
The File Transfer Protocol (FTP) is a TCP protocol that is described by RFC (Request for Comment) 959. RFCs are basically white papers and every RFC that I have searched for has been posted somewhere on the Internet. This article borrows a few snippets from the aforementioned Microsoft.com knowledge base article, as well as knowledge base article 318380 and RFC 959. I encourage you to look these up, if for no other reason than to familiarize yourself with how to find them.
What you won't find in this article is low-level TCP programming or low-level socket or RS232 (serial port) programming. The .NET framework makes many of these skills superfluous unless you are a socket or RS232 programmer.
Writing an FTP client is relatively easy with .NET. To write an FTP client, you use the System.Net.Sockets namespace, an instance of the Socket class, and an instance of an IPEndPoint. The rest of the code is simply figuring out what to do with the data the FTP server sends back. Because RFC 959 governs the data an FTP server returns, you also pretty much know what the data should be and what the data means. The hardest part (though this word seems almost inappropriate) is then to translate raw codes and text into meaningful behaviors. This article focuses on converting FTP server data into a useful FTP client library.
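As an added illustration (not code from the original article or from the Microsoft knowledge base articles), the following C# example parses RFC 959 replies read from a control connection and treats the server's data as untrusted input: it validates the three-digit code, handles multi-line replies, and bounds how much it will buffer. The class and method names and the two size caps are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public static class FtpReplyParser
{
    const int MaxLineLength = 1024, MaxLines = 128; // assumed caps; RFC 959 sets none

    // Reads one line from the control connection without buffering past the cap.
    static string ReadBoundedLine(TextReader control)
    {
        var sb = new StringBuilder();
        for (int c = control.Read(); c != -1; c = control.Read())
        {
            if (c == '\n') return sb.ToString().TrimEnd('\r');
            if (sb.Length >= MaxLineLength) throw new InvalidDataException("Reply line too long.");
            sb.Append((char)c);
        }
        throw new EndOfStreamException("Connection closed before the reply ended.");
    }

    static bool IsAsciiDigit(char c) { return c >= '0' && c <= '9'; }

    // Parses one complete reply, appends its text lines to 'text', and returns the code.
    public static int ReadReply(TextReader control, List<string> text)
    {
        string first = ReadBoundedLine(control);
        if (first.Length < 4 || first[0] < '1' || first[0] > '5' || !IsAsciiDigit(first[1])
            || !IsAsciiDigit(first[2]) || (first[3] != ' ' && first[3] != '-'))
            throw new InvalidDataException("Malformed FTP reply line.");
        string code = first.Substring(0, 3);
        text.Add(first.Substring(4));
        bool more = first[3] == '-'; // "ddd-" opens a multi-line reply
        while (more)
        {
            if (text.Count >= MaxLines) throw new InvalidDataException("Reply has too many lines.");
            string line = ReadBoundedLine(control);
            more = !line.StartsWith(code + " ", StringComparison.Ordinal); // "ddd " closes it
            text.Add(more ? line : line.Substring(4));
        }
        return int.Parse(code);
    }

    public static void Main()
    {
        // Constructed sample: a greeting, then a multi-line reply with a decoy inner line.
        var control = new StringReader("220 Constructed FTP service\r\n211-Status\r\n 220 decoy\r\n211 End\r\n");
        var lines = new List<string>();
        int greeting = ReadReply(control, lines), status = ReadReply(control, lines);
        Console.WriteLine(greeting + " then " + status + ", text lines: " + lines.Count);
    }
}
```

On a live connection, pass a StreamReader wrapped around a NetworkStream for the connected Socket in place of the StringReader.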
As is true with a lot of programming, this exercise requires a little prep-work. (If you are a Windows pro, you can skip to the section "Implementing the FTP Client.") I prefer to test everything possible on my workstation and the same is true with an FTP client.
The word client implies that there is a server, but you don't need to write an FTP server. You need to just install the one that ships with Windows. Installing the Microsoft FTP server on your workstation and then turning it on is all you need to do to prepare, write, and test your client.
First, verify that the FTP server is installed on your workstation. To do this, follow either of the following sets of steps:
- Open a command prompt.
- Type FTP and hit enter. This starts the ftp.exe client that ships with Windows.
- At the FTP prompt, type open localhost and hit enter. Localhost refers to the loopback IP address 127.0.0.1, which is your machine.
- If you get a Connected response (see Figure 1), you have the FTP service running on your PC.
Figure 1: An FTP Service Is Running on Your PC If You Get This Response.
The following are the alternate steps for verifying an FTP service:
- If you aren't an old DOS user, open an instance of Internet Explorer and type ftp://localhost in the Address bar.
- If you see some files or don't receive an error, the FTP service is running (see Figure 2; I placed the file shown in the figure there intentionally; your PC may not have any files.)
Figure 2: Use Internet Explorer to See If the FTP Service Is Running on Your PC.
The default FTP folder is c:\wwwroot\ftproot. You can locate this folder and add some files to experiment with if you'd like.
If you receive an error, the service may be installed but not running. To check to see whether the service is installed and stopped, follow these steps:
- Click Start.
- Right-click on My Computer.
- Click Manage.
- In the Computer Management Console, expand Services and Applications, expand Internet Information Services, and click on FTP Sites.
- If there is a Default FTP Site (or other sites), the service is installed. Check the status on the right and see what the FTP service's state is (see Figure 3).
Figure 3: The Computer Management Console Will Show a Running FTP Site If the Service Is Installed and Running.
The state you want is Running. If the Default FTP Site is present but its state is Stopped or Paused, click Default FTP Site, right-click, and click Play. If the service is not installed, you need to install it. (By default, the FTP service is no longer installed because it can open security holes, but you are a cowboy developer unafraid of hackers.)
To install the FTP service, follow these steps:
- Select Start|Control Panel|Add or Remove Programs|Add/Remove Windows Components. This will start Windows setup. (I am using Windows XP, but the steps should be similar on other versions of Windows.)
- In the Windows Component Wizard, find Internet Information Services, select it, and click Details.
- Find the File Transfer Protocol Service and check it.
- Click OK to close this dialogue and Next to install the FTP service.
The last step installs the FTP Service. If the Windows setup files have been copied from your CD, the FTP Service will be installed from your hard drive. If not, you are prompted for your Windows CD-ROM. That's it.
You are now ready to write and test the FTP client.