Serving Documents Securely From Web Applications

In this article:
Using the file system
Protecting your documents

While performing vulnerability assessments, I have come across a lot of web applications that generate reports in Word, Excel, or Adobe PDF formats. These reports are usually only supposed to be accessible to authenticated and authorized users. In many instances, these documents may be exposed through Forceful Browsing attacks, either by authenticated users who do not have access to them or by users who are not even authenticated.

Using the file system
This happens because the documents are usually generated and stored in the web server file system, and a temporary link to them is created. The problem is that while the link is valid, other users, authenticated or in some cases even unauthenticated, may be able to guess the link and access the files. In some cases, these documents are not deleted for a significant period of time after the user has viewed or downloaded them, exposing them further to unauthorized access.

They are also exposed to web crawlers and search engines. A search engine such as Google may be used to look for all Word documents within a specific company:

doc "<company name>"

 or

doc site:http://<website>

This can lead to information leakage and cause considerable damage to the company concerned.

Protecting Your Documents
One way to protect your documents is to store the documents in the database as a Binary Large Object (BLOB). This allows the application to check the credentials and permissions of the user requesting the document before allowing access. If the user has the necessary permissions, then the application can retrieve the document from the database, add it to the HTTP response and send it to the user.

To display a Word document to the user, the content type of the response should be set appropriately:

ContentType = "Application/vnd.ms-word"

This method ensures that the document itself is not stored in the web server file system, where it could be requested directly, and minimizes the chances of exposure. Depending on the sensitivity of the information in the document, you may want to send the document over an HTTPS connection.
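
The check-then-serve flow described above, sketched in Python with SQLite as an added example (it is not code from the original article). The table names, the `make_db` and `serve_document` functions, the sample user and the sample document are all assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory store holding one constructed sample document."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, filename TEXT,
                                content_type TEXT, body BLOB);
        CREATE TABLE document_acl (doc_id INTEGER, username TEXT);
    """)
    db.execute("INSERT INTO documents VALUES (1, 'q3 report.doc', 'application/msword', ?)",
               (b"\xd0\xcf\x11\xe0 constructed sample bytes",))
    db.execute("INSERT INTO document_acl VALUES (1, 'alice')")
    return db

def serve_document(db, username, doc_id):
    """Return (status, headers, body). username is None when unauthenticated."""
    if username is None:
        return 401, {}, b""
    # The BLOB is selected only when an ACL row ties this user to this document,
    # so the permission check and the read cannot drift apart.
    row = db.execute(
        "SELECT d.filename, d.content_type, d.body FROM documents d "
        "JOIN document_acl a ON a.doc_id = d.id "
        "WHERE d.id = ? AND a.username = ?", (doc_id, username)).fetchone()
    if row is None:
        # Same answer for "no such document" and "not yours": ids cannot be probed.
        return 404, {}, b""
    filename, content_type, body = row
    # Keep quotes and control characters out of the header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Length": str(len(body)),
        "Cache-Control": "no-store",  # keep the report out of shared caches
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body
```

Because the document never has a URL of its own, there is no link to guess and nothing for a crawler to index; every request passes through `serve_document`.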