2. The need for File Upload
Indispensable way of file sharing
Dropbox, 4shared.com etc
Added functionality
Increases business efficiency, enhances interaction between end users and corporate employees
Social Networking
Facebook, Twitter, MySpace, Instagram et al
4. Cases of File Upload Security
Case 1: Simple File upload form with no validation
Exploit: Simply upload a shell (without any modification) in the server language format (asp, jsp, php, py)
Case 2: Mime Type Validation
Idea: This checks the content type: $_FILES['uploaded']['type']
Exploit: Use of web proxies such as Burpsuite to intercept and alter the content type.
Case 3: Black listing extension types
Not good for a hosted environment (running several scripting languages)
Exploit: Impossible to predict all possible random extensions (shell.php.345)
5. Cases of File Upload Security
Case 4: Check the image header
Idea: Using getimagesize() to determine if it is an actual image
Exploit: Bypassed with Image editing tools
Case 5: Protection with .htaccess
Idea: To restrict the execution of script files in this folder
Exploit: Use of web proxies such as Burpsuite to intercept and alter the content type.
Case 6: Client Side validation
Idea: Better performance and client side checks
Exploit: Can be easily bypassed with web application proxies
6. Tools
BurpSuite
Apache Server running PHP in Linux OS.
Any Web browser
Fairly secure server side PHP upload script.
7. Mitigation
• .htaccess file should not be in the same directory as uploaded files. Can be in the parent.
• Upload files in a directory outside the server root
• Avoid absolute reliance on client-side validation
• Create a copy of the file with a random name and add the corresponding extension
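A PHP upload handler that applies these mitigations together, added here as an example (it is not the deck's own "fairly secure" script). The upload directory, size limit, allowed types and the form field name "uploaded" are assumptions.

```php
<?php
// Added example: hardened upload handler. Assumption: UPLOAD_DIR lies outside the
// document root, so nothing in it can be requested (or executed) by the web server.
const UPLOAD_DIR = '/var/www/private_uploads/';   // assumed path, not on the page
const MAX_BYTES  = 2 * 1024 * 1024;               // assumed 2 MiB limit
// Allow-list keyed by the type detected from file CONTENT, each mapped to a fixed extension.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function handle_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Case 2: never trust $file['type']; it is client-supplied and changed in a proxy.
    // Detect the type from the bytes actually written to disk.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$detected])) {
        throw new RuntimeException('Disallowed file type');
    }
    // Case 4: the header must also parse as an image. A valid header alone proves
    // little, which is why the file is still stored outside the web root and
    // renamed with a fixed extension instead of being trusted.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Case 3 and the last mitigation bullet: ignore the original file name entirely
    // (no shell.php.345 tricks), use a random name plus the extension that matches
    // the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // not executable; served only through a download script
    return $name;
}

if (isset($_FILES['uploaded'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(handle_upload($_FILES['uploaded']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Because the stored file is never reachable by URL, the .htaccess rule in the parent directory becomes a second layer rather than the only control, and client-side checks remain purely a usability feature.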