The system should only serve files with extensions within a specific list.
Servers usually host files that are required for their operation or that contain relevant technical information. These files should not be publicly accessible because the information they contain could be leveraged by an attacker in order to exploit other vulnerabilities. Configuring the server to serve only files with a specific extension helps prevent the unintentional disclosure of technical information.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-213: Exposure of Sensitive Information Due to Incompatible Policies. The product’s intended functionality exposes information to certain actors in accordance with the developer’s security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product’s administrator, users, or others whose information is being processed.
OWASP Top 10 A6:2017-Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
OWASP-ASVS v4.0.1 V12.3 File execution Requirements.(12.3.4) Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename.
OWASP-ASVS v4.0.1 V12.5 File Download Requirements.(12.5.1) Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g., .bak), temporary working files (e.g., .swp), compressed files (.zip, .tar.gz, etc.) and other extensions commonly used by editors should be blocked unless required.
OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements.(14.4.1) Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).
OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements.(14.4.2) Verify that all API responses contain Content-Disposition: attachment; filename="api.json" (or other appropriate filename for the content type).