we building asp.net mvc5 web app includes serving file downloads.
users required login using asp.net identity framework.
the files stored in database (we interfacing legacy application) , each file identified standard integer primary key.
we plan serve files follows:
the user requests file using id eg.
http://www.example.com/getfile?fileid=5the controller checks see if requesting user allowed access file (using complex business rules) , if successful streams file user.
i have been researching best practices struggling find specifics of i've read deals scenario files being read physical paths , therefore recommendation obfuscate filename in request.
we could obfuscate file's id don't see point if controller validate user's access file on each request.
is our approach sufficient or should doing way, if so, recommended way please?
your approach sufficient. if authorisation rules in controller adequately protect files, should require.
the information leak occurring use of presumably primary key of file in database in url being used request file. potentially create vulnerability if example part of application vulnerable sql injection attacks , attacker makes use of ids in url construct sql injection attack fetch file specific id. whether risk in practice depends on whether application vulnerable sql injection attacks , attackers guess or brute force ids way, there may little practical benefit masking these if vulnerable sql injection attacks - better focus in case make sure you're not.
Comments
Post a Comment