Menu
I'm working on photo album functionality for my .net MVC 5 site and I recently ran into an issue where by default .net limits file uploads to 4 MB.
Not wanting to ever encounter this error again, I am tempted to set it to something large like 1 GB. But this seems like it might be a bad idea. I have 3 questions:
What security holes do I open up if I set the file upload max length to 1 GB?
Someone recommended that I increase the file upload length only for uploads to a specific directory. Is this actually any more secure?
In .net, the config files are not specific if I am limiting the length of POSTs, GETs, or all requests. I assume that this restriction applies to all requests?
238
HttpRuntime maxRequestLength ASP.NET has its own setting to limit the size of uploads and requests. Use the maxRequestLength of the httpRuntime element. The default size is 4096 kilobytes (4 MB). Max value 2,147,483,647 kilobytes (~82 Terabyte). The following setting defines a max size of 500 megabytes.
However many web application does not have proper security check during uploading files and this results in a vulnerability called File Upload Vulnerability. This one simple vulnerability leads to server-side scripting, arbitrary code execution, cross-site scripting, and CSRF attacks.
What security holes do I open up if I set the file upload max length to 1 GB?
It'd be easier for a resource consuming DoS attack to succeed. 1GB may be high, but this may be an acceptable risk to you if you need to accept files that large. This setting depends on what resources your server has (particularly memory and disk size) and the requirements of your application.
Yes, a malicious user could post many small files rather than one massive file - but these individual requests will be queued up along with the legitimate requests to your server. Chances are that the server will have finished processing a malicious one before a legitimate one. For example, a malicious user uploading 1GB might block a thread while that file is processed, whereas the load caused by 1000 one megabyte files can be spread out within the application's processing.
Another attack is a DDoS attack which can be thought of as many DoS attacks at once. Increasing the maximum length allowed of a single request could mean that a DDoS attack succeeds whereas a normal DoS attack doesn't because a single user only has a limited amount of available bandwidth. That is, you're making it easier for lots of users to post big files whereas before the amount of damage per user was limited by single file size.
Someone recommended that I increase the file upload length only for uploads to a specific directory. Is this actually any more secure?
If only a limited set of users has access to the page that has large file uploads allowed then this will limit any attack.
This should work because AuthorizeRequest is called before ProcessRequest where the HttpRuntime settings are applied.
In .net, the config files are not specific if I am limiting the length of POSTs, GETs, or all requests. I assume that this restriction applies to all requests?
Yes, this applies to all requests. If you're willing to accept a large request size on a POST then there is no additional risk of allowing this on a GET. The only advantage would be on an Intrusion Detection System (IDS) application level because it would be able to log a large GET request as suspicious activity.
93
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
