If you’re developing on the ASP.Net web stack you’ve probably used either the WebForms FileUpload control or the MVC HttpPostedFileBase model binding parameter many times before. On a badly configured website this can create a perfect storm of insecurity, exploitable by anyone who is able to upload a malicious file. As this very attack can be your website’s undoing, let’s take a look at why it’s a problem and what you can do to fix it.
NTLM Authentication for websites is a great addition to the bat-belt when writing ASP.Net sites. Additionally, it is great to have support for it in Team Foundation & SharePoint portals. However, as great as having support for NTLM authentication may be, having to enter & re-enter your credentials when surfing Intranet or Extranet sites can be an annoyance that is just not worth it.
Mountain View must be starting to worry more about applying its “Don’t be evil” mantra, by releasing a new web application security testing tool that has been under development internally. SkipFish is its name, and it’s sure to add another tool to your developer toolbox. On the flip side, this tool will definitely also pop up on the radar of the very people it’s trying to stop;