Five Tips for Thwarting Data Input Attacks Against Your Web App : Page 6

The Web is a battleground where data input attacks are a real danger. Michael Howard illustrates how attackers can gain access to your Web apps and how best to stop them.

by Michael Howard

Jan 1, 2001

Page 6 of 6

Tip 5—Disable Parent Paths
Make sure that ".." is not allowed in a filename. Disable parent paths with the following steps:

Right-click the root of the Web site and choose Properties from the context menu.
Click the Home Directory tab.
Click Configuration.
Click the App Options tab.
Uncheck the Enable Parent Paths checkbox.

You can also disable the paths from the command-line:

cscript adsutil.vbs set w3svc/1/root/AspEnableParentPaths false

All Input Is Bad
To truly be prepared for data input attacks you have to adopt the mindset that all input is bad. Check for valid input instead of looking for invalid data, because attackers will work around the rules quickly. Also learn regular expressions and use them wisely. Remember these rules and you will reduce the number of attack points for your Web application.

Michael Howard is a program manager on the Windows 2000 security team. He is the author of Designing Secure Web-Based Applications for Microsoft Windows 2000 and has spoken about security-related issues at many events, including Microsoft Tech·Ed, Microsoft Professional Developer's Conferences, and numerous industry gatherings. He can be reached at mikehow@microsoft.com.

« Previous Page 1 2 3 4 56

0 Comments (click to add your comment)

Comment and Contribute