WPochNestatag:www.wpoch.com.ar,2009:/Code is the king2011-11-16T00:00:00+00:00Walter Pochhttp://wpoch.com.arme@wpoch.com.artag:www.wpoch.com.ar,2011-11-16:/security-considerations-file-upload
<h1>Security Considerations On File Uploads</h1>
<p>After researching a little bit around the web I came out with these kind of checklist whenever you may want to add File Upload to your project:</p>
<ul>
<li>Use POST instead of PUT method.</li>
<li>First store your files on disk before upload to a database.</li>
<li>Try to store these file on a folder different from the website tree and the system partition, and also restrict the execution right to that folder.</li>
<li>If you have to store the files under the website tree, make sure they are on a different folder that your code.</li>
<li>Scan the uploaded files for viruses.</li>
<li>Validate the length of the request and restrict the file sizes, in order to skip potentially DOS attacks. On .Net always set the <em>maxRequestLength</em> and <em>executionTimeout</em> attributes of the <httpruntime> element to avoid attacks (By default, this is set to 4096 kilobytes (KB)). Also limit the minimum size of the files.</li>
<li>Use your own naming convention to store the files, that doesn't use the users file name.</li>
<li>Validate the file type, extension, and mimetype[1] using whitelists. (check for double extensions), on client AND server.</li>
<li>If you could, use an strict regular expression like: "[a-zA-Z0-9]{1,200}.[a-zA-Z0-9]{1,10}" to validate file names.</li>
<li>Don't overwrite existing files.</li>
<li>Use Cross Site Request Forgery protection methods.</li>
<li>Log user activity.</li>
</ul>
<h2>Must read</h2>
<ul>
<li><a href="https://www.owasp.org/index.php/Unrestricted_File_Upload">https://www.owasp.org/index.php/Unrestricted_File_Upload</a></li>
</ul>
<h2>Other Resources</h2>
<ul>
<li><a href="http://joginipally.blogspot.com/2008/11/security-considerations-for-file-upload.html">http://joginipally.blogspot.com/2008/11/security-considerations-for-file-upload.html</a></li>
<li><a href="http://www.acunetix.com/websitesecurity/upload-forms-threat.htm">http://www.acunetix.com/websitesecurity/upload-forms-threat.htm</a></li>
<li><a href="http://blogs.msdn.com/b/ace_team/archive/2007/09/19/asp-net-file-upload-how-to-prevent-network-clogging.aspx">http://blogs.msdn.com/b/ace_team/archive/2007/09/19/asp-net-file-upload-how-to-prevent-network-clogging.aspx</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/aa479405.aspx">http://msdn.microsoft.com/en-us/library/aa479405.aspx</a></li>
<li>[1] <a href="http://www.webmaster-toolkit.com/mime-types.shtml">http://www.webmaster-toolkit.com/mime-types.shtml</a></li>
</ul>
2011-11-16T00:00:00+00:002011-11-16T00:00:00+00:00