According to the OWASP Foundation, uploading a file is the first step in many attacks that aim to get code into a system.
Many business models, both consumer and business-to-business, rely on document or file transfer from the client. This often occurs at the start of the relationship, i.e. as part of the sign-up process, or as an ongoing flow of information and transactions.
File upload is an easy way for malicious files to enter your application or servers. This can happen accidentally, when a customer or end user unknowingly uploads an infected file, or deliberately, when an attacker injects malicious code. It is imperative for any organization with file upload functionality in its application to fully secure it; otherwise there is a risk of creating an easy route to having its systems compromised.
Custom applications (home-grown or CMS-based) are growing fast as digital transactions become mainstream for many businesses in the COVID and post-COVID era, and customers or end users uploading files to the application or servers for business processing is a standard feature. The diversity of these applications is ever increasing, with companies implementing custom solutions and workflows in a cloud-hosted world.
It is also an opportunity for an attacker to deliberately upload a malicious file to exploit vulnerabilities and execute malicious code. Uploading a malformed file might trigger a vulnerability in certain pieces of server software. Attackers can potentially cause damage such as defacing the website, denial of service, or remote code execution.
If the file upload feature in the application does not validate file content, users may accidentally upload an infected file to your application. If the server is not properly configured, or if anyone in your organization opens the infected file, the file can be executed on the server, which can lead to lateral movement and data exfiltration and cause significant damage to business data.
You have a duty of care to your customers to protect their data, whether the threat comes from files they upload or from files another customer has uploaded.
Any input coming from a user ought to be treated with suspicion until it has been guaranteed to be safe: zero trust. Simply don’t trust any file uploaded to your application. At a minimum, add the following security checks to defend against malicious files.
- Basic content checks
  - Whitelist file types based on true file type; don’t rely on extensions
  - Restrict executable files
  - Limit the size of the filename
  - Limit the size of the file
- Scan the file content using anti-malware software
These types of checks are best practice these days, and you’ll see detailed checklists like this from regulatory compliance bodies.
The ‘Basic Content Checks’ are relatively easy to implement; there is plenty of advice and sample code available, for example the advice page from Hungred Dot Com in our reference page below.
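As an added illustration (not code from this page or from Secplugs), the basic content checks in the list above can be combined into one validation function. The size limits, the three allowlisted types, and the names `check_upload` and `true_type` are assumptions chosen for the example.

```python
import os

MAX_NAME_LEN = 100                 # assumed limit on filename length
MAX_FILE_SIZE = 5 * 1024 * 1024    # assumed limit on file size (5 MiB)

# Allowlist keyed by true type: leading signature and permitted extensions.
ALLOWED = {
    "pdf": (b"%PDF-", {".pdf"}),
    "png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
}
# Signatures of executable content: PE (MZ), ELF, and script shebang.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def true_type(data):
    """Return the allowlisted type whose signature starts the data, else None."""
    for kind, (magic, _exts) in ALLOWED.items():
        if data.startswith(magic):
            return kind
    return None


def check_upload(filename, data):
    """Apply the basic content checks; return (accepted, detail)."""
    if not filename or len(filename) > MAX_NAME_LEN:
        return False, "filename length"
    if len(data) == 0 or len(data) > MAX_FILE_SIZE:
        return False, "file size"
    if data.startswith(EXECUTABLE_MAGIC):
        return False, "executable content"
    kind = true_type(data)
    if kind is None:
        return False, "type not on allowlist"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED[kind][1]:
        return False, "extension does not match content"
    return True, kind


if __name__ == "__main__":
    # Constructed sample uploads (name, leading bytes); not real files.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%constructed"),
        ("invoice.pdf", b"MZ\x90\x00constructed"),
        ("photo.png", b"%PDF-1.4\nconstructed"),
        ("notes.txt", b"plain text, constructed"),
    ]
    for name, data in samples:
        print(name, check_upload(name, data))
```

A matching signature only shows how a file begins, so a file that passes these checks still goes on to the anti-malware scan in the list.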
The second, anti-malware scanning, is harder. Do you really have to install and manage a virus scanner on your infrastructure? Which one? Will it be effective? Do you know it’s working? Can you keep it up to date? Can you change it if the threat landscape changes?
Secplugs has a collection of tool kits for a variety of platforms that provide this compelling security value-add for file upload functionality. Secplugs custom plugins and tool kits are very easy to integrate into your application: it takes a few minutes to test and roll out, after which Secplugs starts scanning all incoming files that pass through the file upload functionality in your application.