Securing Browser Definition Files

ASP.NET

Browser definition files (.browser files) contain information about the capabilities of classes of browsers (such as Internet Explorer) and specific browsers (such as Internet Explorer 6.0). At run time, ASP.NET uses the information in .browser files to determine what browser has made the request, what capabilities the browser has, and how to render markup to that browser. For more information, see Browser Definition File Schema (browsers Element).

For detailed information about best practices for writing secure code and securing applications, see the book "Writing Secure Code" by Michael Howard and David LeBlanc, and see the guidance provided by Microsoft Patterns and Practices.

Note:
Browser definition files are new in the .NET Framework version 2.0. In earlier versions of the .NET Framework, the browserCaps element was used to define browser definitions in configuration files.

 Browser Definition File Security

All browser capability features, including the .NET Framework classes and the browser definition files, require partial trust at the application level, and require full trust at the global level. The global browser definition assembly is signed with a unique machine key before placement in the global assembly cache and cannot be tampered with. The browser definition files in the %SystemRoot%\Microsoft.NET\Framework\version\CONFIG\Browsers directory are protected by access control lists (ACLs) and require administrative privileges to modify.

Browser Definition File Directories

The global Browser directory and the application-level App_Browsers subdirectory should contain only files with the file name extension .browser. Only .browser files are compiled by the ASP.NET browser capabilities feature. Additionally, ASP.NET protects the files in these directories from being served by the Web server and from being accessed by code in other applications.

Browser Definition Files ACLs

The following table lists the ACLs that are set by default on the .browser files located in the %SystemRoot%\Microsoft.NET\Framework\version\CONFIG\Browsers directory. These ACLs are also set on the directory itself, but they include Modify permissions for the CREATOR OWNER group. The directory is read only.

Windows account	Permissions
Administrators	Full control
ASP.NET Machine Account (<server>\ASPNET)	Read and Execute
CREATOR OWNER	Full control
IIS_WPG (<server>\IIS_WPG)	Read and Execute
LOCAL SERVICE	Read and Execute
NETWORK SERVICE	Read and Execute
Power Users (<server>\Power Users)	Modify
SYSTEM	Full control
Users (<server>\Users)	Read and Execute

The following table lists the ACLs that should be set on application-level .browser files in the App_Browsers subdirectory.

Windows account	Permissions
Administrators	Full control
IIS_WPG (<server>\IIS_WPG)	Read and Execute
INTERACTIVE	Read
Internet Guest Account (<server>\IUSR_<server>)	Read
NETWORK	Read
NETWORK SERVICE	Read
SYSTEM	Full control
Users (<server>\Users)	Read and Execute
ASP.NET Web Site Administration Tool account	Special

Adding Browser Definition Files

Do not download or install browser definition files unless you trust their source. For example, examine a new browser definition file to see if any unfamiliar namespaces are referenced in any of the following attributes:

• The markupTextWriterType attribute of the controlAdapters element.

• The value attribute of the capability element.

• The controlType and adapterType attributes of the adapter element.

For information about valid elements and attributes, see Browser Definition File Schema (browsers Element).

Changing Browser Definition Files

If you add new browser definition files to the global directory or if you make changes to global browser definition files, those changes have no effect until you manually recompile the browser capabilities collection using the Aspnet_regbrowsers.exe tool, available in the %SystemRoot%\Microsoft.NET\Framework\version folder, or programmatically cause recompilation by using the BrowserCapabilitiesCodeGenerator class.

However, you do not need to recompile changes to application-level browser definitions. Changes to those definitions are recompiled and reapplied dynamically.

 Securing Browser Definition Files in a Shared Hosting Environment

In a shared hosting environment, malicious users can potentially modify browser definition file settings through direct modification of the browser definition files, modification via the configuration APIs, and other administration and configuration tools. To mitigate this threat, maintain strong ACLs on browser definition files. The contents of browser definition file directories are compiled, therefore they should be protected in the same way as any other code directory in the application. If a user is prevented by the host administrator from adding code to an application, the user should also be prevented from adding browser definition files.

Holding a File-Lock on a Browser Definition File

Only multiple attempts to save to a browser definition file or open a file handle can lock a browser definition file. A malicious user might attempt to lock the browser definition files in the %SystemRoot%\Microsoft.NET\Framework\version\CONFIG\Browsers directory. However, locking a browser definition file requires Full trust, which is disabled in ASP.NET by default.

Using the Configuration API to Read Arbitrary Files

The classes of the browser definition configuration API cannot read any directories that are not part of the application domain, or any files that do not have a .browser file name extension.

Caching Browser Capabilities

At run time, browser definition file information is merged into a collection of known browsers in a BrowserCapabilitiesFactory object. When a request is made, ASP.NET identifies the requesting browser by the request header and compiles an HttpCapabilitiesBase object that corresponds to the requesting browser. The object is cached and might be used again for a different request made by the same browser.

A malicious client might try to flood your Web server with requests where each new request uses a different request header, causing ASP.NET to generate and cache browser capability objects for each request, which in turn can result in a denial-of-service attack. To mitigate this threat, configure the userAgentCacheKeyLength attribute of the browserCaps Element (ASP.NET Settings Schema) element in the Machine.config file or a Web.config file. This element defines the character length to use as the key to identify cached capabilities objects in the internal cache. The default is 64. You can reduce this value to make it more likely that a matching browser will be found in the cache, reducing the load on the cache.

 Exceptions

To help prevent sensitive information from being exposed to unwanted sources, configure your application either not to display detailed error messages or to display detailed error messages only when the client is the Web server itself. For more information, see customErrors Element (ASP.NET Settings Schema).

 Event Log

If your server is running Windows Server 2003, you can improve the security of your application by securing the event log and by setting parameters regarding the size, retention, and other features of the event log to help prevent an indirect denial of service attack. For more information about configuring event logs, search for "Event Viewer" in Windows Help and Support.

 See Also

Tasks

How to: Detect Browser Types in ASP.NET Web Pages

Concepts

ASP.NET Web Server Controls and Browser Capabilities

Securing Browser Definition Files

ASP.NET Configuration Scenarios

ASP.NET Device Filtering Overview

Architectural Overview of Adaptive Control Behavior

ASP.NET Mobile Web Development Overview

Securing ASP.NET Configuration

Reference

Browser Definition File Schema (browsers Element)

Other Resources

Securing ASP.NET Web Sites