December 05, 2006

ASP.NET 2.0 Dangerous File Types

Prevent serving 'dangerous' file types

Use the script map settings to map the file type to ASP.NET

  • Application configuration > mappings > Add
  • In the httpHandlers section of web.config, map the extension to a blocking handler
  • HttpForbiddenHandler returns a 403 Forbidden, which may reveal that the file exists
  • HttpNotFoundHandler, which returns a 404 Not Found, may be a better choice
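The following web.config fragment is an added example (not from the original post) of the handler mapping described above. The extensions .bak, .inc and .log are assumed for illustration; the handler types are the built-in System.Web ones named in the post. On IIS 6 the mapping only takes effect for extensions that the IIS script map has already routed to aspnet_isapi.dll, which is why the script map step comes first.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <!-- Constructed example: block backup and include files with a 404,
           so a probe cannot tell a blocked file from a missing one. -->
      <add verb="*" path="*.bak" type="System.Web.HttpNotFoundHandler" />
      <add verb="*" path="*.inc" type="System.Web.HttpNotFoundHandler" />

      <!-- Weaker alternative: a 403 confirms that the resource exists. -->
      <add verb="*" path="*.log" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

Handler entries are matched in order, so place these mappings before any catch-all entry such as `path="*"`. Machine.config already maps source and configuration extensions (for example .cs, .vb, .config, .resx) to HttpForbiddenHandler; this fragment adds application-specific extensions on top of those defaults.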

Make use of Protected Directories

By default the following URL fragments are blocked by ASP.NET 2.0:

  • App_Data
  • App_Code
  • App_Browsers
  • App_WebReferences
  • App_GlobalResources
  • App_LocalResources
  • Bin

Files in these directories will not be served to the browser, regardless of the file extension.

Use URL Authorization

URL authorization is based on rules defined in the authorization section of web.config. These rules are processed top-down and the first matching rule is used.

The following section will allow all authenticated users and deny all anonymous users:
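As an added example (not the original post's own snippet), the following web.config fragment expresses the rule set described above, plus a per-directory override for an assumed folder named Reports. The user "?" stands for anonymous requests and "*" for all users.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top-down, first match wins:
           anonymous users are denied before the catch-all allow. -->
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Constructed example: tighter rules for one subdirectory.
       The folder name and role are assumptions. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="Auditors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Order matters: if the two root rules were swapped, `<allow users="*" />` would match every request first and the deny would never be reached. The machine-level default is an allow-all rule, so an authorization section with no deny entry changes nothing. On IIS 6, URL authorization is enforced only for requests that IIS hands to ASP.NET, so static file types that are not script-mapped to ASP.NET bypass these rules entirely; this is the same prerequisite as the handler mappings above.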