[Esapi-user] Octet-byte streaming

Olivier Jaquemet olivier.jaquemet at jalios.com
Mon Jul 9 16:30:07 UTC 2012


Although I do agree that protecting against path traversal and unwanted 
file access is a requirement, I personally think the solution is NOT to 
implement octet byte streaming.
You will never implement it as properly as the appservers already have:
- proper buffering when reading files (for good server-side performance)
- support for chunked delivery
- support for caching headers (HEAD requests, ETags, Expires, etc.)
- nice configuration of MIME types (e.g. in web.xml or in the default app 
server settings)
- ...

I would recommend using a servlet filter in front of the native 
AppServer file delivery to control file access:
- forbid anything outside the dedicated folder for download, and only 
use the native Java File API (never trust any string/path)
- check file access on each request against the current user's authorization


On 09/07/2012 18:09, Chris Schmidt wrote:
> The premise is that if you are 
> providing access to your real filesystem directly, that could be 
> exploited by an attacker to
>  1. Download files that they shouldn't have access to (Path Traversal)
>  2. Host malware if you also allow uploading
> Hopefully that helps.
> On 7/9/12 10:02 AM, "Luke Biddell" <luke.biddell at gmail.com> wrote:
>     I'm reading the cheat sheet on "Failure to restrict url access"
>     here: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>     One of the things it suggests is
>           "Use octet byte streaming instead of providing access to
>     real files such as PDFs or CSVs or similar"
>     I've had a google but not come up with any reasonable explanations
>     of the attack vector here?
>     Can any of you guys enlighten me?
>     Thanks as always.
>     Luke
>     _______________________________________________
>     Esapi-user mailing list
>     Esapi-user at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/esapi-user
> Chris Schmidt
> ESAPI Project Manager (http://www.esapi.org)
> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
> Blog: http://yet-another-dev.blogspot.com

Olivier Jaquemet <olivier.jaquemet at jalios.com>
Ingénieur R&D Jalios S.A. - http://www.jalios.com/
@OlivierJaquemet +33970461480
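The filter Olivier describes, written out as an added example (this is not code from the post, from Jalios or from ESAPI). It assumes a deployment in which the filter is mapped to "/download/*" in web.xml, the dedicated folder is named by a "downloadRoot" init-param and is also the directory the container's default servlet serves for that URL prefix, and users authenticate through the container so that getRemoteUser() is populated. The authorization rule (a "public" folder readable by everyone, every other top-level folder readable only by the user whose login it is named after) is a placeholder invented for the example; a real application would consult its own access-control model.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sits in front of the container's default (static file) servlet for URLs
 * under /download/* and only decides whether the request may reach it.
 * The file itself is still delivered by the app server, with its own
 * buffering, HEAD/ETag/range handling and MIME mapping.
 *
 * Assumed deployment (not from the original post): filter mapped to
 * "/download/*" in web.xml, init-param "downloadRoot" naming the dedicated
 * folder, container-managed authentication so getRemoteUser() is set.
 */
public class DownloadGuardFilter implements Filter {

    private static final String URL_PREFIX = "/download/";
    private Path downloadRoot;  // real (symlink-resolved) path of the dedicated folder

    @Override
    public void init(FilterConfig config) throws ServletException {
        String root = config.getInitParameter("downloadRoot");
        if (root == null) {
            throw new ServletException("downloadRoot init-param is required");
        }
        try {
            downloadRoot = Paths.get(root).toRealPath();
        } catch (IOException e) {
            throw new ServletException("download folder not accessible: " + root, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path inside the web application, e.g. "/download/alice/report.pdf".
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        Path file = resolveInsideRoot(path);
        if (file == null) {
            // Traversal attempts and anything that is not a regular file inside the
            // folder get the same answer, so the response does not reveal what exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Authorization is re-evaluated on every request, never cached per file.
        if (!isAuthorized(request.getRemoteUser(), downloadRoot.relativize(file))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);  // hand over to the container's own file delivery
    }

    /**
     * Maps the request path to a real file and returns it only if that file is a
     * regular file located inside downloadRoot; returns null otherwise. The request
     * string is never trusted on its own: each segment is validated, the resolved
     * Path is canonicalised, and containment is checked as a Path, not as text.
     */
    Path resolveInsideRoot(String path) {
        if (path == null || !path.startsWith(URL_PREFIX)) {
            return null;
        }
        Path candidate = downloadRoot;
        for (String segment : path.substring(URL_PREFIX.length()).split("/")) {
            // Reject empty, ".", "..", NUL bytes and backslashes before touching the disk.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")
                    || segment.indexOf('\0') >= 0 || segment.indexOf('\\') >= 0) {
                return null;
            }
            candidate = candidate.resolve(segment);
        }
        if (candidate.equals(downloadRoot)) {
            return null;  // the folder itself is not downloadable
        }
        try {
            // toRealPath follows symlinks: a link inside the folder that points
            // outside it resolves outside downloadRoot and fails the check.
            Path real = candidate.toRealPath();
            if (!real.startsWith(downloadRoot) || !Files.isRegularFile(real)) {
                return null;
            }
            return real;
        } catch (IOException e) {
            return null;  // does not exist or is not readable
        }
    }

    /**
     * Placeholder rule for the example: "public/" is readable by anyone, any other
     * top-level folder is named after its owner's login and only that user may read it.
     */
    static boolean isAuthorized(String user, Path relative) {
        String owner = relative.getName(0).toString();
        if (owner.equals("public")) {
            return true;
        }
        return user != null && user.equals(owner);
    }
}
```

Two details worth noting. Path.startsWith compares whole path components, so a root of /srv/dl is not fooled by a file under /srv/dl2, which a plain String.startsWith on the canonical path would be. And the segment whitelist and the toRealPath containment check are deliberately both kept: the first stops traversal before any filesystem call, the second catches what the first cannot see (symlinks and case or encoding differences the filesystem normalises).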
