<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d8211560\x26blogName\x3dTech+Tips,+Tricks+%26+Trivia\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttp://mvark.blogspot.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttp://mvark.blogspot.com/\x26vt\x3d-5147029996388199615', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Tech Tips, Tricks & Trivia

by 'Anil' Radhakrishna
An architect's notes, experiments, discoveries and annotated bookmarks.

Search from over a hundred HOW TO articles, Tips and Tricks

ASP.NET File Uploads: Threats & Counter-Measures

"whenever you allow a user to upload a document that is saved to a web accessible folder, and then you allow others to visit that document directly through their browser, there exists the possibility that a nefarious user will upload a script file so that they can execute code when the file is visited through a browser." [Scott Mitchell]
configure IIS so as not to allow script execution on the folder (and subfolders) where files are uploaded.

"A nefarious user could .. upload a HTML file for an XSS or phishing attack, stealing your authenticated users' sessions and cookies or worse." [Ryan]
Counter-Measure: have a whitelist of content types and file extensions.

"Denial of service is one of the threats that you need to consider while implementing file upload functionality in your web application. If a user uploads a huge file, it will clog the network and consume server’s memory." [Varun, ACE Team]
Counter-Measure: By setting an appropriate value for the MaxRequestLength attribute in the setting in web.config, network clogging and excessive use of server memory can be prevented while implementing a file upload functionality. The default value for maxRequestLength is 4096 KB (4 MB).

Know of any other threats specifically related to File Uploads? Please post your comments below.

Related reading:
Checklist: Securing ASP.NET
Large File Uploads in ASP.NET


Tweet this | Google+ it | Share on FB

« Home | Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »


Post a Comment