Click here to Skip to main content
Click here to Skip to main content

Canonicalization attacks - Prevention and Mitigation Guide

, 30 Aug 2006
Rate this:
Please Sign up or sign in to vote.
Tips for developers and system adminstrators intending to ward off canonicalisation attacks.

What are canonicalisation attacks?

Unauthorised access of file and directories on the web server machine by tampering file/directory paths that a web site normally allows users to enter as part of its functionality. The attack is typically carried out by entering the path of the file in input field on a web page or by supplying it as part of the URL.

What are the consequences?

Loss of confidentiality, integrity and a denial of service results if files are deleted.

What files can the attacker access?

Any file or folder on the disk(s) of the web server m/c.

Defending applications against canonicalisation attacks

- Administrative Controls

  1. Ensure that the web server hosts on a secure file system like NTFS.
  2. Set ACL (access control lists) on files and folders. This can be done by setting appropriate permissions in the [Security] tab in the [Properties] tabpage of files and folders. Ensure that only administrators can access sensitive files and folders.
  3. Do not keep sensitive files, source code or any such material on the web server machine.
  4. Turn-off MS-DOS file name (8.3) convention on the machine by adding the following setting to the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \FileSystem registry key: NtfsDisable8dot3NameCreation : REG_DWORD : 1.
    Note that this option does not remove previously generated 8.3 filenames.

- Programming Controls

1. White-list directories that you would like to have your application access rather than black-list them.

BAD WAY:
string InputFilePath = GetPathFromUser();
if ( InputFilePath = = "Secret Directory")
Output ("Access Denied")
CORRECT WAY:
string InputFilePath = GetPathFromUser();
if ( InputFilePath startsWith "Application-accessible Directory")
allow Further operations...
else
Output ("Access Denied")

2. If ACLs have been set (Point b in Administrative Controls, above) then turn on Integrated Windows Authentication (in IIS) and impersonate using the WindowsIdentity class in your .NET code.

3. Filter the user input path by subjecting it to MapPath in .NET. MapPath( ), according to MSDN, maps the virtual path in the requested URL to a physical path on the server . To prevent the path from mapping to a path in another application on the same server, set MapPath's third parameter to false.

4. Use regular expressions to control the file\folders that can be accessed. This can be implemented in 1. above.

5. Reduce UTF-8 to its canonical form. UTF-8 text can be represented in multiple forms - guard against this.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Richard Lewis
Web Developer
India India
I am a Software Security Consultant and specialize in secure code and design reviews. It is my career ambition to build a security fabric for secure software development. I have a programming background in C, C++, device drivers and MFC. I have done a couple of PKI deployments and have also developed a desktop encryptor, authentication SDK and cryptographic SDK.
 
I believe I am what I am because I choose God to make me what He wants me to be.

Comments and Discussions

 
GeneralMy vote of 2 PinmemberPong D. Panda3-Feb-12 19:54 
Generalnice one Pinmembersubai9-Sep-06 22:37 
QuestionPersonal Question PinmemberPrasad Khandekar31-Aug-06 5:51 
AnswerRe: Personal Question PinmemberRichard Lewis31-Aug-06 18:06 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web01 | 2.8.141022.2 | Last Updated 31 Aug 2006
Article Copyright 2006 by Richard Lewis
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid