file-upload-vulnerability-of-web-applications

When an web applicatino allows upload of files to file system without checking extension,type , contents ,size , then an attacker can upload dangerous files. The files could be server side code(.php/.jsp) , a backdoor, webshell or client side executable.

How to ensure file uploads are safe?

Extension validation: Allow only whitelisted file extensions.
- Note that whitelisting is better than blacklisting. (it is hard to blacklist all dangerous extnesions ). black list can be bypassed , for eg
  - in case of blacklisting for example example.php. may get uploaded as the extension is ".php." which is NOT blacklisted. later on the trailing dot might get ignored during file save time and the file which gets saved is example.php
  - Try using the URL encoding (or double URL encoding) for dots, forward slashes, and backward slashes. If the value isn't decoded when validating the file extension, but is later decoded server-side, this can also allow you to upload malicious files that would otherwise be blocked: example%2Ephp . Note that .php extnesion is blakclisted but ".php" will not found and in url encoded value.
- Even if an attacker renames a server side executable file(say .php) as .jpeg , it would be harmless as the runtime environment would not consider the file as an executable file.(webservers wont execute files unless they have been configured to do so) The extension validation logic should account for known bypasses like
  - Multiple extension types. For example if a file is allowed to have multiple extension types(in apache this i s possible,read here https://httpd.apache.org/docs/trunk/mod/mod_mime.html) . Each extension can have a handler. Hence a backdoor.php file can be named as backdoor.php.gif. This file would get uploaded as file extension is gif is whitelisted by the app . Also since the file has multiple extension and .php there is a hanlder associated , php code will get executed. Appserver should not allow multiple extension types and extension validation logic should also block it.
  - In IIS6 (or prior versions), a script file can be executed by using one of these two methods:
    - by adding a semi-colon character after the forbidden extension and before the permitted one (e.g. “file.asp;.jpg”)
    - by renaming a script file’s extension (e.g. “.asp”) to an allowed extension (e.g. “.txt”) in a folder that its name ends with the script’s extension (e.g. “folder.asp\file.txt”). In Windows, it is possible to create a directory by using a file uploader and ADS (Alternate Data Stream). In this method, a filename that ends with “::$Index_Allocation” or “:$I30:$Index_Allocation” makes the file uploader to create a directory rather than a file (e.g. “folder.asp::$Index_Allocation” creates “folder.asp” as a directory).
  - Null bytes, e.g. .php%00.jpg, where .jpg gets truncated and .php becomes the new extension for the php processor.
    - Note that the app restrection of only allowing.jpg will be bypassed as filname ends with jpg.
    - The phpprocessor will read from left and on encountering null byte it will stop there hence it will consider this php file. see the following video https://www.youtube.com/watch?v=jBtzFGwHvxE&list=PLIbCFt2m6LvK6RZWxBiiFyl9e3VbtH51v&index=2
    - using burp proxy request can be intercepted and filename modified. The ability to manipulate filename can also lead to directory traversal vulnerability.
  - case sensitive. in case of blacklisting if case senstivity can become an issue . eg .php is blocked , but .PhP may not be blocked and may get uploaded. Hence in general whitelisting is better than black listing.
  - Using Windows 8.3 feature, it is possible to replace the existing files by using their shortname (e.g. “web.config” can be replaced by “web~1.con” or “.htaccess” can be replaced by “HTACCE~1”). This has to be factored in as it has to ensured that configuration files such as “.htaccess” or “web.config” cannot be replaced using file uploaders.
Content type validation : make sure content type is validated. Note that content type validation alone is not sufficent as using tool like burp proxy you can easily change the content type. (Burp Proxy lets you intercept, view, and modify all requests and responses passing between your browser and destination web servers).
File name validation
- Modify filename to a random filename: Even if the attacker is successful in uploading a malicious file , if he cannot access it , the attack would fail.
- if filename cannot be changed for say legal reasons then ensure
  - there is max length check.
  - restrcit charecters to alphanumeric characters, hyphen, spaces, and periods.
- filename can is a meta data provided by HTTP mult part encoding. It can be modified by burp proxy which can intercept the request.
- filename should not have any travesal sequence eg (../)
Set file size limit (both max and min). Note that very large will lead to DOS attack. (Denial of service attack as the server memory may get exhausted).
- Note that the pixel size of image can be spoofed leading to pixel flooding attack which can lead to DOS attack. pixel size can be manipulated/spoofed using tools /sites eg https://www.resizepixel.com/. To handle this To fix the image processing library should set a maximum amount of pixels or width/height. In general oploaded files can use vulnerabilities in broken libraries/applications on the server side
- The PNG file format contain a section, called zTXT, that allows zlib compressed data to be added to a PNG file.The zTXt chunk contains textual data, just as tEXt does; however, zTXt takes advantage of compression. Read more https://www.w3.org/TR/PNG-Chunks.html. To create DOS attack large amount of repeated zeros being over 100MB and then are DEFLATE compressed through zlib, resulting in compressed data of a few KBs. This is then added to the zTXT section of any regular PNG file . This file when read on server side can lead to DOS through memory exahaution (as compressed data will be uncompressed)
- There would be other examples of issues in file processing moudle (in case of image , image processing module which may be exploited by hackers ). eg would be zip bomb. A zip bomb allows a program to function normally, but, instead of hijacking the program's operation, creates an archive that requires an excessive amount of time, disk space, or memory to unpack.[Most modern antivirus programs can detect whether a file is a zip bomb in order to avoid unpacking it.
- . If the system is going to extract the files , there are various security concerns like file size after decompression. read more https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream
Allow only logged in users to upload files.
The file can be stoed in a temprary location and scanned by antivirus to ensure it does not contain malicious data/virus/malware.
File content validation
- Antivirus : antivirus can check against zip bombs/virus/malware.
- Apache POI can check mircosoft documents.
- Image content verification . Some api can be called to determine some attribute of the image , eg in php getimagesize() api can be called to determine if the file is image.
  - In case of multiple extension type getimagesize() api can be bypassed.
    - (in an actual gif file actual.gif), the php code can be inserted in the comment section of gif file. (some gif manipulation tool can be used)
    - rename the file actual.php.gif (the file now has multiple extension type).
    - getimagesize() will suceed/bypassed as the file is actually as gif file
    - this file can be executed as php file in case of multiple extension type. check out this video https://www.youtube.com/watch?v=0fB6CpR4sdw&list=PLIbCFt2m6LvK6RZWxBiiFyl9e3VbtH51v&index=3
Keep user uploaded files on a different server or at the minimal outside webroot. Note that file upload vulnerability in conjuction with directory traversal vulnerability can allow the attacker to overwrite critical app server configuration files/ executable files. (tools like burp proxy can intercept request and help in changing filename , say file being uploaded has name abc.jpg , it could be modified to ../../config/webserver-config.xml. The application appends the this filename to a base directory and uses a filesystem API to write. This can lead to file being overwritten.
Protecting against CSRF attack : fileuploads need to protected from CSRF attack. an html form on any website may have its action to any otherwebsite url. if the user is allready authenticated CSRF attack can happen. attack can be prevented with the help of same site cookies and CSRF tokens.
Cross origin ajax requests should be allowed only if required (control the cors headers).
Typically post method should be used for fileupload. not put . put is made to a existing resource and put is supposed to idempotent unlike post. Note that some webservers may be configured to support put, in which case even if upload feature is not avalaible via web interface still malicous files may be uploaded.

	Nishant Anand I am technical architect with around 18 years of experience in telecom , banking and health care domain. I was part of the founding team of Drishti and currently CTO at affordplan
	Consult Send Query