.NET Daily

Passive Security Tip: Deny Unused file extensions in an ASP.NET website

Introduction

Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in-depth .NET knowledge, focused on Web Development and Architecture Design.



In some cases, for example because of poor form validation, an attacker can upload a .bat file instead of a picture through a form and then execute the malicious .bat file via its URL.

Remedy

ASP.NET allows developers to list, in the web.config file, the file or service extensions that will not be used in the application.

Below is an example of the web.config section where you can specify the banned extensions:

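<configuration>
  <system.web>
    <!-- system.web/httpHandlers applies to IIS 6 and the IIS 7+ Classic pipeline mode. -->
    <!-- Requests matching these paths are answered by HttpForbiddenHandler (HTTP 403). -->
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.exe" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>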
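
An added example, not part of the original post: a Python check that parses a web.config and reports, for each extension you expect to be blocked, whether an HttpForbiddenHandler entry covers it for every verb. The sample config (including its GET-only `*.exe` entry), the function names and the probe file name are constructed for illustration; `.bat` is checked because the introduction names it while the sample list does not.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample: the page's four entries, with *.exe limited to GET to
# show partial coverage and *.asmx carrying an assembly-qualified type.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
      <add verb="GET" path="*.exe" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler, System.Web" />
    </httpHandlers>
  </system.web>
</configuration>"""


def forbidden_rules(config_xml):
    """Return (path_pattern, verb) for each <add> mapped to HttpForbiddenHandler."""
    rules = []
    for add in ET.fromstring(config_xml).findall("system.web/httpHandlers/add"):
        # The type attribute may carry an assembly qualifier after a comma.
        type_name = add.get("type", "").split(",")[0].strip()
        if type_name == FORBIDDEN:
            rules.append((add.get("path", "").lower(), add.get("verb", "").strip()))
    return rules


def audit(config_xml, extensions):
    """Classify each extension as 'denied', 'partial' (not all verbs) or 'missing'."""
    rules = forbidden_rules(config_xml)
    report = {}
    for ext in extensions:
        probe = "upload" + ext.lower()  # hypothetical file name, used only for matching
        verbs = [verb for pattern, verb in rules if fnmatch.fnmatchcase(probe, pattern)]
        if "*" in verbs:
            report[ext] = "denied"
        elif verbs:
            report[ext] = "partial"
        else:
            report[ext] = "missing"
    return report


if __name__ == "__main__":
    for ext, status in audit(SAMPLE_CONFIG, [".mdb", ".csv", ".exe", ".asmx", ".bat"]).items():
        print(f"{ext:6} {status}")
```
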