The files that are stored in subdirectories are vulnerable to path traversal attacks. Extract the file name from the input, and use the Path class to limit files to a particular directory.
Objective
This lab provides information about how to secure files from path traversal attack effects with a resource injection code attack on all available URLs, and it teaches how to:
- Implement the classes available in the System.IO namespace to secure files
Scenario
To manipulate and secure unmanaged files, you must really understand how the System.IO works. .NET framework allows you to manipulate files including read, write, and append. The System.IO namespace contains various classes for file handling that allow reading and writing of files and data streams, and also provides basic file and directory support.
.NET Secure File Handling
Secure Programming Exercises / .NET Secure File Handling contains the following Exercises:
- Protect Files from Path Traversal Attacks
- Protecting Applications against Canonicalization Attacks
- Securing Your Static Files
- Adding Role Checks to File Access
- Reliable Ways of Securing File I/O
- Virtual Path Mapping Using MapPath
- Secure File Extension Handling
The Virtual Private Cloud for this Lab set utilizes:
Secure Programming Exercises are available as part of the following subscription:
Each subscription provides 6 months access to 68 Different Exercises. Each exercise contains a Scenario, Objectives, and individual step by step tasks to guide the user through all steps necessary to complete the exercise. The Secure Programming Exercises are designed to give the user an ultimate hands-on experience. Each exercise category above has it’s own Virtual Private Cloud that comes preconfigured with Vulnerable websites, Victim Machines, and the environment is LOADED with tools. Included in your network share are all the supporting tools required to practice in the Cyber Range / Lab environment.
Lab exercises are included for:
- Input Validation and Output Encoding
- .NET Authentication and Authorization
- Secure Session and State Management
- .NET Cryptography
- .NET Error Handling, Auditing, and Logging
- .NET Secure File Handling
- .NET Configuration Management and Secure Code Review