Canonicalization : Security Attack
One of the common types of security attacks is due to canonicalization. A canonicalization error is an application vulnerability that occurs when an application parses a filename before the operating system has canonicalized it. Operating systems canonicalize filenames when processing a file to identify the absolute, physical path of the given file given a virtual or relative path.
Files can be accessed using multiple names. An example is given below. If your application uses one of the methods to validate whether the user has access to the file, an attacker could potentially use one of the other synonymous names.
DoNotTouch.txt
DoNotT~1.txt
DoNotTouch.txt.
DoNotTouch.txt::$DATA
How to minimize canonicalization errors:
Files can be accessed using multiple names. An example is given below. If your application uses one of the methods to validate whether the user has access to the file, an attacker could potentially use one of the other synonymous names.
DoNotTouch.txt
DoNotT~1.txt
DoNotTouch.txt.
DoNotTouch.txt::$DATA
How to minimize canonicalization errors:
- Validate user input to ensure that the entered file name is not a restricted file. Use regular expressions to look for specific file name embedded within the user input string.
- Canonicalize the file name before validation. This is the process of deriving to most simple form of the file. This is a more secure option, because the .NET framework will provide the application with the absolute name of the file. To do this, you can use System.IO.Path.GetFullPath.
No comments: