
Security for Microsoft® Visual Basic® .NET by Michael James Bond, Ed Robinson

File-Based or Directory-Based Attacks

If user input is used as the basis for a file or directory name when opening a file, an attacker can manipulate that input so the file is opened from an unintended location. Suppose you create the following Public Sub in a server application to save user settings to a file. Your intent is to save the file in the same location as the application by using Application.StartupPath.

' Deliberately vulnerable: UserName is appended to the path without any validation,
' so the caller controls where under (or outside) StartupPath the file is written.
Public Sub SaveSettings(ByVal UserName As String, _
    ByVal Settings As String)
  Dim hFile As Integer = FreeFile()
  Dim Filename As String = Application.StartupPath & "\" & _
    UserName
  FileOpen(hFile, Filename, OpenMode.Output)
  PrintLine(hFile, Settings)
  FileClose(hFile)
End Sub
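A hardened counterpart to the procedure above, added here as an example (it is not code from the book). It assumes .NET 2.0 or later, a reference to System.Windows.Forms for Application.StartupPath, and the hypothetical names SettingsStore and TryGetSettingsPath; it rejects user names containing path separators or other invalid file-name characters, refuses the "." and ".." segments, and then canonicalizes the result and confirms it still lies inside the intended directory before writing.

```vbnet
Imports System
Imports System.IO
Imports System.Windows.Forms

' Hypothetical hardened replacement for SaveSettings (added example).
Public Class SettingsStore
    ' Canonical form of the directory the settings files are meant to live in.
    Private Shared ReadOnly SettingsDir As String = _
        Path.GetFullPath(Application.StartupPath)

    ' Returns True and the full path only when UserName maps to a file
    ' directly inside SettingsDir; otherwise returns False.
    Public Shared Function TryGetSettingsPath(ByVal UserName As String, _
            ByRef FullPath As String) As Boolean
        FullPath = Nothing
        If String.IsNullOrEmpty(UserName) Then Return False
        ' Separators ("\" and "/"), ":" and other characters that are not
        ' valid in a bare file name are rejected outright.
        If UserName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 Then Return False
        ' "." and "." are valid file-name characters but name directories.
        If UserName = "." OrElse UserName = ".." Then Return False
        ' Defence in depth: canonicalize and verify the result is still
        ' under SettingsDir, so any unexpected resolution is caught too.
        Dim candidate As String = Path.GetFullPath(Path.Combine(SettingsDir, UserName))
        Dim root As String = SettingsDir.TrimEnd(Path.DirectorySeparatorChar) & _
            Path.DirectorySeparatorChar
        If Not candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Return False
        End If
        FullPath = candidate
        Return True
    End Function

    Public Shared Sub SaveSettings(ByVal UserName As String, ByVal Settings As String)
        Dim target As String = Nothing
        If Not TryGetSettingsPath(UserName, target) Then
            ' Log and reject rather than silently writing somewhere else.
            Throw New ArgumentException("UserName is not a valid settings file name", "UserName")
        End If
        File.WriteAllText(target, Settings)
    End Sub
End Class
```

Because the check is separated into TryGetSettingsPath, the same validation can be reused before reading a settings file, not only before writing one.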

Tip

In the case of ASP.NET Web applications, use