Canonicalization attacks - Prevention and Mitigation Guide

Richard Lewis

Rate me:

2.26/5 (10 votes)

30 Aug 20062 min read

41.5K

Tips for developers and system adminstrators intending to ward off canonicalisation attacks.

What are canonicalisation attacks?

Unauthorised access of file and directories on the web server machine by tampering file/directory paths that a web site normally allows users to enter as part of its functionality. The attack is typically carried out by entering the path of the file in input field on a web page or by supplying it as part of the URL.

What are the consequences?

Loss of confidentiality, integrity and a denial of service results if files are deleted.

What files can the attacker access?

Any file or folder on the disk(s) of the web server m/c.

Defending applications against canonicalisation attacks

- Administrative Controls

Ensure that the web server hosts on a secure file system like NTFS.
Set ACL (access control lists) on files and folders. This can be done by setting appropriate permissions in the [Security] tab in the [Properties] tabpage of files and folders. Ensure that only administrators can access sensitive files and folders.
Do not keep sensitive files, source code or any such material on the web server machine.
Turn-off MS-DOS file name (8.3) convention on the machine by adding the following setting to the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \FileSystem registry key: NtfsDisable8dot3NameCreation : REG_DWORD : 1.
Note that this option does not remove previously generated 8.3 filenames.

- Programming Controls

1. White-list directories that you would like to have your application access rather than black-list them.

BAD WAY:
string InputFilePath = GetPathFromUser();
if ( InputFilePath = = "Secret Directory")
Output ("Access Denied")

CORRECT WAY:
string InputFilePath = GetPathFromUser();
if ( InputFilePath startsWith "Application-accessible Directory")
allow Further operations...
else
Output ("Access Denied")

2. If ACLs have been set (Point b in Administrative Controls, above) then turn on Integrated Windows Authentication (in IIS) and impersonate using the WindowsIdentity class in your .NET code.

3. Filter the user input path by subjecting it to MapPath in .NET. MapPath( ), according to MSDN, maps the virtual path in the requested URL to a physical path on the server . To prevent the path from mapping to a path in another application on the same server, set MapPath's third parameter to false.

4. Use regular expressions to control the file\folders that can be accessed. This can be implemented in 1. above.

5. Reduce UTF-8 to its canonical form. UTF-8 text can be represented in multiple forms - guard against this.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Written By

Richard Lewis

Web Developer

India

I am a Software Security Consultant and specialize in secure code and design reviews. It is my career ambition to build a security fabric for secure software development. I have a programming background in C, C++, device drivers and MFC. I have done a couple of PKI deployments and have also developed a desktop encryptor, authentication SDK and cryptographic SDK.

I believe I am what I am because I choose God to make me what He wants me to be.

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.