[Esapi-user] Octet-byte streaming

Chris Schmidt chris.schmidt at owasp.org
Mon Jul 9 16:09:00 UTC 2012


The premise is that if you are providing access to your real filesystem
directly, that could be exploited by an attacker to

1. Download files that they shouldn't have access to (Path Traversal)
2. Host Malware if you also allow Uploading

Hopefully that helps.


On 7/9/12 10:02 AM, "Luke Biddell" <luke.biddell at gmail.com> wrote:

> I'm reading the cheat sheet on "Failure to restrict url access" here
> https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
> 
> 
> One of the things it suggests is 
> 
>       "Use octet byte streaming instead of providing access to real files such
> as PDFs or CSVs or similar"
> 
> 
> I've had a google but not come up with any reasonable explanations of the
> attack vector here?
> 
> Can any of you guys enlighten me?
> 
> Thanks as always.
> 
> Luke
> 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
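As an added illustration of the two points in Chris's reply (this is example code written for this page, not code from the thread or from ESAPI): a handler that opens whatever path the client names, beside one that streams bytes by an opaque document id after an ownership check and sends them as a download rather than as a browsable file. The temporary store, the DOCS metadata table, the sample files and the names vulnerable_download / safe_download are all constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample layout: an "uploads" store plus one file outside it that
# stands in for something sensitive the web app should never hand out.
ROOT = Path(tempfile.mkdtemp())
STORE = ROOT / "uploads"
STORE.mkdir()
(STORE / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
(ROOT / "secret.txt").write_bytes(b"db_password=hunter2")

# Hypothetical metadata table: opaque id -> owner, name on disk, display name.
# The client only ever sees the id, never a filesystem path.
DOCS = {
    "d-1001": {"owner": "alice", "stored": "report.pdf", "name": "Q2 report.pdf"},
}


def vulnerable_download(filename):
    """Serves whatever path the client names, relative to the store.

    os.path.join() follows '..' segments out of the store, and drops the base
    entirely when the client supplies an absolute path (classic traversal).
    """
    path = os.path.join(str(STORE), filename)
    if not os.path.isfile(path):
        return 404, {}, b""
    with open(path, "rb") as fh:
        return 200, {}, fh.read()


def safe_download(doc_id, user):
    """Streams bytes by opaque id: lookup, authorization, then raw octets."""
    meta = DOCS.get(doc_id)
    if meta is None or meta["owner"] != user:
        return 404, {}, b""  # same answer for "no such doc" and "not yours"
    path = (STORE / meta["stored"]).resolve()
    # Defence in depth: even if the metadata row were tampered with, refuse
    # anything that resolves outside the store directory.
    if STORE.resolve() not in path.parents:
        return 404, {}, b""
    body = path.read_bytes()
    # Keep the display name free of path separators, quotes and header syntax.
    safe_name = re.sub(r"[^A-Za-z0-9 ._-]", "_", meta["name"])
    headers = {
        # Generic type + attachment disposition: the browser downloads the bytes
        # instead of rendering them, so an uploaded HTML/script file cannot run
        # in this origin even if it is served from here.
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body)),
    }
    return 200, headers, body


if __name__ == "__main__":
    print(vulnerable_download("../secret.txt"))   # leaks the file outside the store
    print(safe_download("d-1001", "alice")[0:2])  # 200 plus download headers
    print(safe_download("d-1001", "bob")[0])      # 404: not the owner
```

The id-based lookup is what removes the traversal vector: there is no user-controlled path string to sanitize in the first place. The parent-directory check is a second layer for the case where the stored name itself is attacker-influenced (for example via the upload path), and the octet-stream/attachment/nosniff headers address the second point in the reply by ensuring that whatever was uploaded is delivered as an inert download rather than hosted as content the browser will interpret.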

