<body>

Tech Tips, Tricks & Trivia

by 'Anil' Radhakrishna
A seasoned developer's little discoveries and annotated bookmarks.



ASP.NET File Uploads: Threats & Counter-Measures

"whenever you allow a user to upload a document that is saved to a web accessible folder, and then you allow others to visit that document directly through their browser, there exists the possibility that a nefarious user will upload a script file so that they can execute code when the file is visited through a browser." [Scott Mitchell]
Counter-Measure: configure IIS so as not to allow script execution on the folder (and subfolders) where files are uploaded.

"A nefarious user could ... upload an HTML file for an XSS or phishing attack, stealing your authenticated users' sessions and cookies or worse." [Ryan]
Counter-Measure: have a whitelist of content types and file extensions.

"Denial of service is one of the threats that you need to consider while implementing file upload functionality in your web application. If a user uploads a huge file, it will clog the network and consume server’s memory." [Varun, ACE Team]
Counter-Measure: set an appropriate value for the maxRequestLength attribute of the httpRuntime element in web.config. This caps the size of a request, so a single upload can neither clog the network nor consume excessive server memory. The default value of maxRequestLength is 4096 KB (4 MB).
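The three counter-measures above combined in one ASP.NET Web Forms upload helper, as an added example that is not from the original post or its sources. The allowed extensions, the 2 MB limit and the upload folder are assumptions; the folder is expected to be one where IIS script execution has been disabled.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public static class SafeUpload
{
    // Whitelist: each accepted extension and the content types it may arrive with.
    private static readonly Dictionary<string, string[]> Allowed =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf", new[] { "application/pdf" } },
            { ".png", new[] { "image/png" } },
            { ".jpg", new[] { "image/jpeg" } },
        };

    // Per-file limit (assumed value); keep it at or below maxRequestLength,
    // which defaults to 4096 KB in web.config.
    private const int MaxBytes = 2 * 1024 * 1024;

    // Returns the server-side file name, or throws with a reason the caller can log.
    public static string Save(HttpPostedFile file, string uploadFolder)
    {
        if (file == null || file.ContentLength == 0)
            throw new ArgumentException("No file was uploaded.");
        if (file.ContentLength > MaxBytes)
            throw new ArgumentException("File exceeds the size limit.");

        // Use only the extension of the client-supplied name, never its path.
        string ext = Path.GetExtension(Path.GetFileName(file.FileName));
        string[] types;
        if (string.IsNullOrEmpty(ext) || !Allowed.TryGetValue(ext, out types))
            throw new ArgumentException("File extension is not allowed.");
        if (Array.IndexOf(types, file.ContentType) < 0)
            throw new ArgumentException("Content type does not match the extension.");

        // A server-generated name discards anything else in the client name
        // (directory traversal, double extensions) and avoids collisions.
        string safeName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        string target = Path.Combine(uploadFolder, safeName);
        file.SaveAs(target);
        return safeName;
    }
}
```

The content-type check only validates what the browser claims, so it complements the extension whitelist rather than replacing it. On IIS 7 and later the request filtering limit (maxAllowedContentLength under system.webServer/security/requestFiltering/requestLimits, about 30 MB by default) also applies, so set it consistently with maxRequestLength.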

Know of any other threats specifically related to File Uploads? Please post your comments below.

Related reading:
Checklist: Securing ASP.NET
Large File Uploads in ASP.NET
