Monday, October 11, 2004

Understanding This ASP.NET Canonicalization Vulnerability

Equivalent forms of a name can be resolved to a single standard name, the "canonical" name. For example, c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content.

ASP.NET developers can safeguard against this by adding checks in the Application_BeginRequest event handler in the Global.asax file, which is executed for each web request. Here's the code snippet.
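As an added example (not the post's original snippet), a Global.asax handler that rejects a request when its path contains a backslash or when the mapped physical path is not already in canonical form; it assumes classic ASP.NET 1.x with System.Web available.

```csharp
<%@ Application Language="C#" %>
<%@ Import Namespace="System.IO" %>

<script runat="server">
    // Runs for every request before authentication and authorization
    // are applied, so it catches the bad URL before the resource is served.
    void Application_BeginRequest(object sender, EventArgs e)
    {
        // 1. The virtual path should never contain a backslash: the
        //    canonicalization step could otherwise map it to a resource
        //    outside the directory that the authorization rules protect.
        bool hasBackslash = Request.Path.IndexOf('\\') >= 0;

        // 2. The physical path ASP.NET mapped the request to should already
        //    be canonical; if Path.GetFullPath changes it (e.g. by collapsing
        //    "..", "." or trailing dots), the request was not in canonical form.
        string physical = Request.PhysicalPath;
        bool notCanonical = Path.GetFullPath(physical) != physical;

        if (hasBackslash || notCanonical)
        {
            // Fail closed: return a generic 404 rather than redirecting or
            // describing what was detected.
            throw new HttpException(404, "Not Found");
        }
    }
</script>
```

Because Application_BeginRequest fires before the Forms Authentication module authorizes the request, a rejected URL never reaches the protected resource.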

An example is Forms Authentication in ASP.NET. When subdirectories are secured this way, a non-authenticated user is redirected to the login page. But if the attacker includes a backslash ("\") in the URL, they can bypass the authentication and directly access the resource.

Microsoft released an installable HttpModule that denies any request containing a backslash.