In some cases, for example because of poor form validation, an attacker can upload a .bat file instead of a picture through a form and then execute the malicious .bat file by requesting its URL.
Remedy
ASP.NET lets developers list in the web.config file the file or service extensions that the application does not use.
Below is an example of the web.config section where the banned extensions are specified:
<httpHandlers>
  <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
  <add verb="*" path="*.csv" type="System.Web.HttpForbiddenHandler" />
  <add verb="*" path="*.exe" type="System.Web.HttpForbiddenHandler" />
  <add verb="*" path="*.asmx" type="System.Web.HttpForbiddenHandler" />
</httpHandlers>
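The handler entries above cover requests for files already on the server; the poor form validation mentioned at the start is closed on the upload side. The following C# is an added example, not code from the original page: it accepts an upload only if its extension is on an image allowlist and its leading bytes match that format, then assigns a server-generated name. UploadValidator, TryAccept and the sample inputs are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example: allowlist check for an image upload form.
// UploadValidator and TryAccept are hypothetical names, not from the page.
public static class UploadValidator
{
    // Accepted extensions mapped to the leading bytes each format starts with.
    static readonly Dictionary<string, byte[]> Signatures =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
            { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } }
        };

    // Returns true and a server-generated file name when the upload passes both checks.
    public static bool TryAccept(string clientFileName, Stream content, out string storedName)
    {
        storedName = null;
        if (string.IsNullOrEmpty(clientFileName)) return false;
        // Only the final extension counts, so "photo.jpg.bat" is treated as ".bat".
        int dot = clientFileName.LastIndexOf('.');
        string ext = dot < 0 ? "" : clientFileName.Substring(dot);
        byte[] expected;
        if (!Signatures.TryGetValue(ext, out expected)) return false;
        // Read just enough of the body to compare against the format signature.
        byte[] head = new byte[expected.Length];
        int read = 0, n;
        while (read < head.Length && (n = content.Read(head, read, head.Length - read)) > 0)
            read += n;
        if (read != expected.Length || !head.SequenceEqual(expected)) return false;
        // Never reuse the client-supplied name on disk.
        storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: a PNG header and the bytes of "@echo".
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 };
        byte[] bat = { 0x40, 0x65, 0x63, 0x68, 0x6F };
        string name;
        Console.WriteLine(TryAccept("photo.png", new MemoryStream(png), out name));
        Console.WriteLine(TryAccept("photo.bat", new MemoryStream(bat), out name));
        Console.WriteLine(TryAccept("photo.png", new MemoryStream(bat), out name));
    }
}
```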