File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration, an attacker can quickly compromise an affected system.
This presentation will discuss types, how to discover, exploit, and how to mitigate file upload vulnerabilities.
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
1. THE CASE OF CWE-434
ISACA - Accra Chapter
May 2019
Adam Nurudini
Netwatch.com.gh
UNRESTRICTED FILE UPLOAD
2. Project Consultant, ISA. Ltd
Lead Security consultant @Netwatch Tech.
Web Application Security Researcher.
President GIMPA SOT Student Association.
Twitter: @Bra__Qwesi
Email: adam at netwatch dot com dot gh
3. Introduction to file upload security
Types of file upload vulnerability
Finding file upload vulnerabilities
The Impact of file upload vulnerabilities
How to prevent file upload vulnerabilities
Bonus zero days in demo!
4. Uploading files to a web application can be a key feature of many web applications. Without it, cloud backup services, photograph sharing and other functions would not be possible.
5. File upload vulnerabilities are a devastating category of web application vulnerabilities. Without secure coding and configuration, an attacker can quickly compromise an affected system.
This presentation will discuss types, how to discover, exploit, and how to mitigate file upload vulnerabilities.
6. File upload functionality introduces a substantial risk to the web application and requires additional validation and system configuration, often more than developers expect, to protect the web application.
In the WPScan WordPress Vulnerability Database alone, there are approximately 240 file upload related vulnerabilities (The WPScan Team, 2015).
7. Several distinct types of web application file upload vulnerabilities exist. The Common Weakness Enumeration (CWE) offers an industry-standard list of unique types of software weaknesses.
1. Unrestricted File Upload (CWE-434)
2. Arbitrary file upload (CWE-862)
3. Denial of Service (CWE-400)
8. Allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
9. An attacker can access the upload function of the application without authenticating to the application.
Although it is not specifically described by its own CWE, it is covered indirectly through CWE-862 “Missing Authorization”. Arbitrary file upload can create a denial of service condition by allowing a remote, unauthenticated user to fill the available storage of the application with files.
10. CWE-400 describes an attacker utilizing more resources than intended.
If a web application contains a file upload feature and does not verify file size, an attacker may be able to upload exceedingly large files or upload numerous smaller files.
If an attacker can generate an excessive number of requests without restriction, it is possible to crash the application or the underlying operating system.
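The two resource-exhaustion paths this slide names (oversized bodies and an unrestricted number of requests) are both addressed before any content validation happens. The following is an added example written for this page, not code from the talk: a per-client sliding-window upload limit, a streaming size cap that stops reading the body as soon as it exceeds the limit (so the server never buffers a huge file), and a global storage quota. All limit values are constructed and illustrative.

```python
import io
import time
from collections import deque


class UploadQuota:
    """Throttle uploads per client and cap what the service will store.

    The limits are constructed for illustration, not taken from the talk.
    """

    def __init__(self, max_uploads_per_window, window_seconds,
                 max_file_bytes, max_total_bytes):
        self.max_uploads = max_uploads_per_window
        self.window = window_seconds
        self.max_file_bytes = max_file_bytes
        self.max_total_bytes = max_total_bytes
        self.history = {}      # client_id -> deque of upload timestamps
        self.used_bytes = 0    # storage consumed so far

    def allow_request(self, client_id, now=None):
        """Sliding-window check: at most max_uploads per window per client."""
        now = time.monotonic() if now is None else now
        q = self.history.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_uploads:
            return False
        q.append(now)            # a rejected (e.g. oversized) upload still counts
        return True

    def read_capped(self, stream, chunk_size=64 * 1024):
        """Read the body in chunks and abort as soon as it passes the cap.

        Never holds more than max_file_bytes + one chunk in memory.
        """
        buf = bytearray()
        while True:
            chunk = stream.read(chunk_size)
            if not chunk:
                return bytes(buf)
            if len(buf) + len(chunk) > self.max_file_bytes:
                raise ValueError("file exceeds size limit")
            buf.extend(chunk)

    def reserve_storage(self, nbytes):
        """Refuse the upload if it would exceed the global storage quota."""
        if self.used_bytes + nbytes > self.max_total_bytes:
            return False
        self.used_bytes += nbytes
        return True


def handle_upload(quota, client_id, stream, now=None):
    """Constructed stand-in for a request handler; returns a status string."""
    if not quota.allow_request(client_id, now):
        return "rate_limited"
    try:
        data = quota.read_capped(stream)
    except ValueError:
        return "too_large"
    if not quota.reserve_storage(len(data)):
        return "storage_full"
    return "stored"


def handle_upload_bytes(quota, client_id, data, now=None):
    """Convenience wrapper so callers can pass an in-memory body."""
    return handle_upload(quota, client_id, io.BytesIO(data), now)


if __name__ == "__main__":
    q = UploadQuota(max_uploads_per_window=2, window_seconds=60,
                    max_file_bytes=1000, max_total_bytes=1500)
    print(handle_upload_bytes(q, "client-a", b"x" * 500, now=0.0))    # stored
    print(handle_upload_bytes(q, "client-a", b"x" * 2000, now=1.0))   # too_large
    print(handle_upload_bytes(q, "client-a", b"x" * 10, now=2.0))     # rate_limited
```

The order matters: the request counter runs first so that a flood of rejected uploads is still throttled, and the size cap is enforced while streaming rather than after the whole body has been read.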
11. File upload vulnerabilities can be identified in two (2) ways:
Static Analysis – (Source code review)
Manual and automated review of application source code to highlight possible vulnerabilities.
Dynamic Analysis – (Fuzzing)
Dynamic analysis describes finding vulnerabilities in a running application.
16. Unrestricted Malicious File upload. (Low)
File Content-Type validation bypass. (Medium)
File Type and Content-Type validation bypass.
TOOLS
Burp suite – proxy tool
Weevely – php web shell (backdoor) generator
Any Browser
17. Direct File system access and Remote Code Execution (RCE)
Placing backdoors or making it more vulnerable
Uploading phishing pages
Hosting dangerous or malicious files
Hosting illegal contents
Denial of Service by consuming the resources
Denial of Service by manipulating the files
Damaging website (company) reputation
18. Internal:
Content-Type (mime-type)
File Name and Extension
File Header (FileType Detector)
Content Format
Compression (Image)
Name Randomization
Storing files out of accessible web directory
Storing files in the database
External:
Firewall: Request Header Detection
Firewall: Request Body Detection
Web Server Configurations
Permissions on File system
Antivirus Application
Storing data in another domain
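The demo scenarios on slide 16 (Content-Type validation bypass, then file type plus Content-Type validation bypass) and the "Internal" protections on slide 18 are two sides of the same check. The following added example, written for this page and not taken from the talk, puts a weak validator that trusts only the client's Content-Type header next to a validator that combines an extension allowlist, the declared Content-Type, the file header (magic bytes), and a randomized storage name under a directory outside the web root. The allowlist, the sample bodies and the path /srv/app/uploads_private are all constructed assumptions.

```python
import os
import secrets

# Allowlist keyed by extension: (expected Content-Type, expected file header).
# Constructed for this example; a real deployment tailors it to its use case.
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),          # covers GIF87a and GIF89a
    "pdf": ("application/pdf", b"%PDF-"),
}

# Assumed location outside the directory the web server exposes.
UPLOAD_ROOT = "/srv/app/uploads_private"


def weak_validate(filename, declared_type, data):
    """The pattern behind the 'Content-Type validation bypass' demo:
    it only checks the header the client chose to send."""
    accepted_types = {mime for mime, _ in ALLOWED.values()}
    return declared_type.split(";")[0].strip().lower() in accepted_types


def validate_upload(filename, declared_type, data):
    """Return (True, extension) or (False, reason).

    Checks, in order: last extension is allowlisted, declared Content-Type
    matches that extension, and the file header matches it as well.
    """
    base = os.path.basename(filename)         # drop any directory components
    if "." not in base:
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()      # only the LAST extension counts
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, "extension .%s not allowed" % ext
    expected_type, magic = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, "Content-Type does not match extension"
    if not data.startswith(magic):
        return False, "file header does not match extension"
    return True, ext


def build_storage_path(root, ext):
    """Name randomization: the stored name never derives from user input."""
    return os.path.join(root, secrets.token_hex(16) + "." + ext)


def store_upload(filename, declared_type, data, root=UPLOAD_ROOT):
    """Validate, then write under a random name outside the web root."""
    ok, info = validate_upload(filename, declared_type, data)
    if not ok:
        raise ValueError(info)
    path = build_storage_path(root, info)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample bodies.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    not_an_image = b"<?php /* constructed non-image body */ ?>"
    print(weak_validate("shell.php", "image/png", not_an_image))          # True
    print(validate_upload("shell.php", "image/png", not_an_image))        # (False, ...)
    print(validate_upload("shell.php.png", "image/png", not_an_image))    # (False, ...)
    print(validate_upload("cat.png", "image/png", png))                   # (True, 'png')
```

Each layer on slide 18 closes a gap the previous one leaves: the header check alone is defeated by renaming, the extension check by a mismatched body, and the magic-byte check by a file that is a valid image but also carries executable content, which is why the stored name is randomized and the directory is kept out of the served tree.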
20. A BIG thank you to everyone
And, to the people who helped me to prepare this
talk.
Here are my contact details:
Twitter: @Bra__Qwesi
Email: adam.nurudini at gmail dot com
Editor's Notes
About myself
about self
takeaways
File upload is the functionality in an application or service that allows us to upload and share resources. Without it, it would be very difficult or impossible to have services like cloud storage backup services, photo sharing, etc.
File upload is one of the critical vulnerabilities that malicious users or attackers can leverage to compromise an affected system.
They introduce substantial risk to our apps, hence it is advisable to incorporate security into our SDLC.
Client Side Protections: These protections can be simply bypassed. Client-side validation is only there to help users; it does not provide any security.
Web Server: .htaccess, web.xml, ApplicationHost.config, Web.config
Whitelist / Blacklist / Others: Encoding/Compression/Permission
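The note above lists the web server configuration files (.htaccess, web.xml, ApplicationHost.config, Web.config) as the second line of defence. As an added example for this page, not a configuration from the talk, here is an Apache .htaccess for an upload directory that has to live under the web root, with the weak state beside the corrected one. It assumes Apache httpd 2.4 with AllowOverride permitting FileInfo and Options directives in that directory; the directory name is a placeholder.

```apache
# --- Weak: /var/www/html/uploads/.htaccess absent or empty -------------
# The directory inherits the site's handlers, so a stored file whose name
# ends in .php (or .phtml, .phar, ...) is executed when requested.

# --- Corrected: /var/www/html/uploads/.htaccess -------------------------
# Serve every file in this directory as static content, whatever its name.
<FilesMatch ".*">
    SetHandler default-handler
</FilesMatch>

# Remove any script handlers and types that a parent config may have mapped.
RemoveHandler .php .phtml .php3 .php5 .phar .cgi .pl
RemoveType    .php .phtml .php3 .php5 .phar

# No CGI execution and no directory listing of what was uploaded.
Options -ExecCGI -Indexes

# Defence in depth: tell browsers not to sniff a different type, and
# deliver files as downloads rather than rendering them in the page.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Disposition "attachment"
</IfModule>
```

This configuration is a backstop for the "Storing files out of accessible web directory" item on slide 18, not a replacement for it: if the upload directory is outside the served tree and files are streamed back by the application, none of these handlers are ever in play.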