.NET Daily

Passive Security Tip: Deny Unused file extensions in an ASP.NET website

Introduction

Darius

Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.


LATEST POSTS

How to Deliver Accurate Project Status Reports 21st April, 2018

JIRA Workflow for Web Development Example: Simple and Effective 17th April, 2018

ASP.net

Passive Security Tip: Deny Unused file extensions in an ASP.NET website

Posted on .

There are cases when for example due to poor form validation, an attacker can upload a .bat file instead of a picture on a form and after that can execute the malicious .bat file via URL.

Remedy

ASP.NET allows developers to specify in the web.config file certain file or services extensions that they won’t be used in the application.

Below you have an example of the web.config section where you can specify the banned extensions:

<httpHandlers>
    <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.exe" type="System.Web.HttpForbiddenHandler" />
    <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler"/>
</httpHandlers>
Darius

Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.

There are no comments.

View Comments (0) ...
Navigation

Privacy Preference Center