Securing File Upload

File upload is the first step in many attacks to get some code to the system to be attacked according to OWASP Foundation. File upload represents an easy way for the malicious files entering into your application or servers. This can happen accidentally by a customer/end user unknowingly uploading the infected files or deliberately by an attacker to inject a malicious code. It is imperative for any organization with File upload functionality in their application to fully secure this else there is a risk of creating an easy route to having their systems compromised.

What can possibly go wrong?

Custom Applications(Home grown or CMS based) are fast growing with digital transactions becoming mainstream for many businesses in COVID/Post COVID era, customers/end users uploading files to the application/servers for business processing is a standard feature.

If the file uploader feature in the application does not have any validation for the files content, there is a high possibility that users may accidentally upload an infected file with the safe name and extension on the server. If the server is not properly configured or if anyone in your organization opens the infected file, the file can get executed on the server which can lead to Lateral movement, Data Exfiltration and can cause significant damage to the business data.

It is also an opportunity for an attacker to deliberately upload a malicious file to exploit vulnerabilities and execute the malicious code. Uploading a malformed file might trigger a vulnerability in certain pieces of server software. Attackers can potentially cause damages like deface the website, perform denial of service attack, remote code execution.

What can be done to prevent this?

Any input coming from a user ought to be treated with suspicion(Zero trust environment) until it has been guaranteed to be safe. Simply don’t trust any file getting uploaded to your application. At minimum, add the following security checks to defend against them.

Whitelist File types based on True file type, Don’t rely on extensions Restrict executable files Limit the size of the filename Limit the size of the file Scan the file content using Anti-malware software.

Secplugs has a collection of plugins and tool kits for a variety of platforms to provide this compelling Security value add to the file upload functionality.. Secplugs custom plugin/tool kits are very easy to integrate to your application - takes a few mins to test and rollout for Secplugs to start scanning all the incoming files through File upload functionality in your application.

References:

OWASP: Unrestricted file upload