[Esapi-user] Octet-byte streaming

Chris Schmidt chris.schmidt at owasp.org
Mon Jul 9 17:05:42 UTC 2012


I was merely explaining the philosophy behind this, not agreeing; so yes,
Olivier you are 100% on target here and I agree completely. A good AuthZ
system is the real fix here IMHO.


On 7/9/12 10:30 AM, "Olivier Jaquemet" <olivier.jaquemet at jalios.com> wrote:

> Hi,
>
> Although I do agree that preventing path traversal and unwanted file
> access is a requirement, I personally think the solution is NOT to implement
> octet byte streaming.
> You will never implement it properly as compared to what appservers have done:
> - proper buffering when reading files (for good server side performance)
> - support for chunked delivery
> - support for caching headers (HEAD request, ETags, Expires, etc.)
> - nice configuration of mime types (e.g. in web.xml or in default app server
>   settings)
> - ...
>
> I would recommend using a servlet filter in front of the native AppServer
> file delivery to control file access:
> - forbid anything outside the dedicated folder for download, and only use
>   the native Java File API (never trust any string/path)
> - check file access on each request against current user authorization
>
> Olivier
>
>
> On 09/07/2012 18:09, Chris Schmidt wrote:
>  
>  
>> The premise is that if you are providing access to your real filesystem
>> directly, that could be exploited by an attacker to:
>>
>> 1. Download files that they shouldn't have access to (Path Traversal)
>> 2. Host Malware if you also allow Uploading
>> 3.
>>
>> Hopefully that helps.
>>
>>  
>>  On 7/9/12 10:02 AM, "Luke Biddell" <luke.biddell at gmail.com> wrote:
>>  
>>   
>>> I'm reading the cheat sheet on "Failure to restrict url access" here:
>>> https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>>>
>>> One of the things it suggests is
>>>
>>>       "Use octet byte streaming instead of providing access to real files
>>> such as PDFs or CSVs or similar"
>>>
>>> I've had a google but not come up with any reasonable explanations of the
>>> attack vector here?
>>>
>>> Can any of you guys enlighten me?
>>>
>>> Thanks as always.
>>>
>>> Luke
>>>
>>> _______________________________________________
>>>  Esapi-user mailing list
>>>  Esapi-user at lists.owasp.org
>>>  https://lists.owasp.org/mailman/listinfo/esapi-user
>>>  
>>  
>>  Chris Schmidt
>>  ESAPI Project Manager (http://www.esapi.org)
>>  ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>>  Blog: http://yet-another-dev.blogspot.com

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
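A servlet filter along the lines Olivier describes, added here as an illustration; it is not code from the ESAPI project or from anyone on this thread. It assumes the Servlet 3.x javax.servlet API, a mapping of /downloads/* that sits in front of the container's default file-serving servlet, an init parameter downloadRoot naming the only directory that may be served, and a placeholder role name standing in for the application's own AuthZ rule.

```java
import java.io.IOException;
import java.nio.file.*;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

// Hypothetical filter: it only decides whether a request may reach the container's
// own file servlet, which then handles buffering, chunking, ETags and MIME types.
@WebFilter(urlPatterns = "/downloads/*",
           initParams = @WebInitParam(name = "downloadRoot", value = "/srv/downloads"))
public class DownloadAccessFilter implements Filter {
    private Path downloadRoot;  // canonical (symlink- and ".."-free) path of the served folder

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            downloadRoot = Paths.get(cfg.getInitParameter("downloadRoot")).toRealPath();
        } catch (IOException e) {
            throw new ServletException("downloadRoot is not a readable directory", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // The decoded remainder after /downloads is fed to the Path API, never used as a raw string.
        String rel = http.getPathInfo() == null ? "" : http.getPathInfo().replaceFirst("^/+", "");
        Path real;
        try {
            real = downloadRoot.resolve(rel).toRealPath();
        } catch (IOException | InvalidPathException e) {
            out.sendError(HttpServletResponse.SC_NOT_FOUND);  // missing file or unrepresentable name
            return;
        }
        // A "../" sequence or a symlink escape resolves to a path outside the root: reject it.
        if (!real.startsWith(downloadRoot) || !Files.isRegularFile(real)) {
            out.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Per-request AuthZ: assumed role name, to be replaced by the application's own rule.
        if (http.getUserPrincipal() == null || !http.isUserInRole("download-user")) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);  // hand the vetted file to the native file delivery
    }

    @Override public void destroy() {}
}
```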

