ASP.NET File Uploads: Threats & Counter-Measures

"whenever you allow a user to upload a document that is saved to a web accessible folder, and then you allow others to visit that document directly through their browser, there exists the possibility that a nefarious user will upload a script file so that they can execute code when the file is visited through a browser." [Scott Mitchell]
Counter-Measure: configure IIS so as not to allow script execution on the folder (and subfolders) where files are uploaded.

"A nefarious user could .. upload a HTML file for an XSS or phishing attack, stealing your authenticated users' sessions and cookies or worse." [Ryan]
Counter-Measure: have a whitelist of content types and file extensions.

"Denial of service is one of the threats that you need to consider while implementing file upload functionality in your web application. If a user uploads a huge file, it will clog the network and consume server’s memory." [Varun, ACE Team]
Counter-Measure: By setting an appropriate value for the MaxRequestLength attribute in the setting in web.config, network clogging and excessive use of server memory can be prevented while implementing a file upload functionality. The default value for maxRequestLength is 4096 KB (4 MB).

Know of any other threats specifically related to File Uploads? Please post your comments below.

Related reading:
Checklist: Securing ASP.NET
Large File Uploads in ASP.NET

Comments

Post a Comment

Popular posts from this blog

Maven Crash Course - Learn Power Query, Power Pivot & DAX in 15 Minutes

Image
In the Maven Crash Course " Learn Power Query, Power Pivot & DAX in 15 Minutes ", Chris Dutton walks through a hypothetical business case while showcasing the power of modern Excel tools like Power Query, Power Pivot and DAX. Power Query is used to extract, transform, and load data from external sources like SQL databases, PDF and CSV files. A relational model is created to join the tables without writing a single formula. Exploratory analysis is done using Power Pivot and Data Analysis Expressions (DAX). Data Analysis Expressions is the language that we can use to define new calculated columns and measures to enhance our Data Model instead of the traditional cell formulas that we'd typically use if our data was stored in worksheets. Pivot Charts and slicers are used to design a simple interactive report that the sales managers can use to analyze revenue trends and product performance.
Read more

"Data Prep & Exploratory Data Analysis" course by Maven Analytics

Image
The Maven Analytics course on " Data Prep & Exploratory Data Analysis " by Alice Zhao is a beginner-friendly introduction to machine learning with Python. It covers the key steps of the data science workflow, including: Gathering Data Scoping a Project Modeling Data Sharing Insights Cleaning Data Exploring Data Modeling Data  Sharing Insights The presentation deck which is available as a download crisply summarizes the essential details and is a great reference to keep going back to. The course is well-suited for aspiring data scientists looking to get hands-on experience with the data prep and EDA stages of the machine learning workflow using Python and Jupyter Notebook. 
Read more

Gartner Magic Quadrant for Strategic Cloud Platform Services

Image
Gartner defines strategic cloud platform services (SCPS) as standardized, automated, public cloud offerings integrating infrastructure services (e.g., computing, network and storage), platform services (e.g., application, data and value-added services such as AI/ML) and transformation services (resources to help customers adopt cloud-oriented IT delivery models). Image - Gartner Insights I found interesting from the Gartner Magic Quadrant for Strategic Cloud Platform Services report: The eight SCPS providers & global hyperscalers featured in this Magic Quadrant control over 97% of the total CIPS market. While AWS has maintained profitability and a leading global infrastructure as a service (IaaS) and platform as a service (PaaS) market share of over 42%, its growth rate relative to its key competitors slowed in 2023. Azure public cloud market share is 26%. GCP's overall market share stands at 11.5%. Oracle's strategy of positioning OCI as the top cloud for Oracle software i
Read more