Although it is not in the OWASP Top 10 list of web security vulnerabilities according to the OWASP 2020 announcement, File Upload is still an extremely dangerous vulnerability that you should be careful of. File Upload is a favorite target for hackers, because it requires your website to accept large amounts of data from the user and write it to disk.
This creates an opportunity for attackers to place malicious scripts on your server. If a hacker can figure out how to execute those scripts, they can compromise your entire system.
So, in this article, I will show you how the File Upload vulnerability works through a realistic example.
How File Upload Vulnerability Works
Ellyx13 is a hacker who signed up for a website that runs on a popular content management system (like WordPress, for example).
Ellyx13 has noticed a few interesting things about the site’s avatar upload function.
First, uploaded files are not renamed as part of the upload process: the original filename appears in the avatar URL. Second, the site checks the file format on the client side, with JavaScript.
Ellyx13 writes a simple script called hack.php. When the website executes this PHP script, it runs whatever command is passed in the “cmd” parameter.
Ellyx13 disables JavaScript in her browser and uploads hack.php as her profile avatar. Since JavaScript is disabled, the file format is never checked.
Unsurprisingly, Ellyx13’s avatar cannot be displayed, because the uploaded file is not a valid image. However, the hack.php script is now live on the server.
Now she only needs to change the avatar URL in the browser address bar slightly to make the hack.php script execute.
In fact, any command passed in the “cmd” parameter is executed on the server. Ellyx13’s file upload has created a command execution vulnerability.
Ellyx13 can now execute commands on the web server. At this point she can run commands to hunt for sensitive data, for example locating the my.cnf file to find the database configuration, by requesting: http://cdn.example.com/1a2fe/hack.php?cmd=locate+my.cnf
With the path of the database configuration file known, what comes next? Using the command cat /etc/mysql/my.cnf, of course, to read the file’s contents and find the database username and password; nothing more is needed.
Very dangerous, right? Now that we have seen how a File Upload attack can compromise your website, let’s look at how to secure the File Upload feature.
How to secure File Upload
File Upload is a fairly easy way for an attacker to get malicious code onto your website. You need to make sure uploaded files are treated as untrusted until they have been fully checked; otherwise you create an easy path for your system to be attacked.
Risk
Clever hackers often exploit a combination of vulnerabilities when attacking your website. Uploading malicious code to the server is only the first step in the attack; the next step is finding a way to execute that code.
Even large companies suffer from this vulnerability, especially when they run complex, legacy codebases.
Guard
Any input coming from the user must be handled with care until it is guaranteed to be safe. This is especially true for uploaded files, because your application initially treats them as a block of innocuous data, which allows attackers to put any kind of malicious code they want into your system.
Keep uploads separate
Uploaded files usually need little processing, unless you are building a website that handles images, videos or documents. If that is the case, making sure uploaded files are kept separate from the system’s code is of the utmost importance.
You can use a cloud storage service or a content management system to store uploaded files. Alternatively, you can write uploaded files to your database. Both approaches prevent arbitrary script execution.
Even storing uploaded files on a separate file server or in a separate disk partition helps, as it isolates the potential damage that a malicious file can cause.
Make sure uploaded files cannot be executed
If uploaded files are written to disk, make sure the operating system does not treat them as executables. Your web server needs read and write permissions on the directories used to store uploaded content, but it must not be able to execute any file there. If you are using a Unix-based operating system, make sure uploaded files do not carry the “executable” permission bit.
Rename the uploaded file
Rewriting or obfuscating filenames makes it harder for an attacker to find their malicious file once it has been uploaded: the hacker cannot determine the name under which the file was stored, and so cannot request it to make it execute.
Validate file formats and extensions
Make sure the file extension of the uploaded file is on the list of allowed file types. Do this on the server side, since client-side checks can be disabled, as the example above showed.
Validate the Content-Type
Files uploaded from the browser are accompanied by a Content-Type header. Make sure it is on the whitelist of allowed file types. (Be aware, however, that simple scripts or proxies can spoof this header, so this protection, while useful, is not sufficient on its own to stop an attacker.)
Use a virus scanner
Virus scanners are very helpful in detecting malicious files masquerading as a different file type, so if you offer a File Upload feature, you should run uploaded files through a virus scan.
There are other File Upload security measures too, such as limiting file size and guarding against zip bombs.
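To make the server-side checks from the sections above concrete (extension allow-list, Content-Type check, random rename on storage, no execute bit, size limit), here is an added Python example; it is not code from the original article or from any content management system. The allow-lists and the 2 MiB limit are constructed values, and the file-signature (“magic bytes”) check goes one step beyond the checks the article lists.

```python
import os
import secrets
import tempfile

# Constructed allow-lists for an avatar upload handler (example values).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "image/gif"}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB
# Leading bytes a genuine file of each type starts with (file signatures).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""

def validate_upload(filename, content_type, data):
    """Run every check on the server; return the normalised extension."""
    if len(data) > MAX_SIZE:
        raise UploadRejected("file too large")
    # Only the final extension counts, lower-cased: 'hack.PHP' and
    # 'avatar.png.php' both end in 'php'; a name without a dot gets "".
    name = os.path.basename(filename)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: " + repr(ext))
    # Content-Type is client-supplied, so it is checked but never trusted.
    if content_type.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        raise UploadRejected("content type not allowed")
    # The bytes must look like the claimed image; a script renamed to .png fails.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return ext

def store_upload(filename, content_type, data, upload_dir=None):
    """Validate, then write under a random name; returns (name, mode bits)."""
    ext = validate_upload(filename, content_type, data)
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    new_name = secrets.token_hex(16) + "." + ext  # original name is discarded
    # O_EXCL refuses to overwrite an existing file; 0o640 has no execute bits.
    fd = os.open(os.path.join(upload_dir, new_name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        mode = os.fstat(fh.fileno()).st_mode & 0o777
    return new_name, mode
```

The stored name is what the avatar URL should point at, so the attacker's original filename never appears in the URL.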
If you want me to cover any other vulnerability next, please comment below. Don’t forget to join Anonyviet’s Discord server here.