Secure File Upload: Blocking Malicious Uploads

 

Does your website allow users to upload files? Learn secure file upload best practices and prevent dangerous vulnerabilities and attacks.

Almost every web application accepts user input, and one of the most common types of input is in the form of file uploads. Whether it’s a consumer application where users are uploading photos, or a business application that accepts pdfs and word documents, file uploads are an essential feature. However, they also open up the site to a host of potential risks and vulnerabilities.

Exploited by a hacker, a file upload vulnerability can open up a site to malware, unauthorized server access, attacks to website visitors, the hosting of illegal files, and much more.

Table of Contents

• Types of file upload attacks
• Important questions to ask
• How to secure file uploads
  • Option 1: How to use a third party
  • Option 2: DIY secure file upload
• How to secure file uploads yourself
• Attack prevention tips

Types of file upload attacks

File upload attacks can be grouped into 4 categories. When creating a system that accepts files from users, it’s important to evaluate the risks associated with each category and add security checks to defend against them:

1. File metadata attacks – The path and file name can trick an application into copying the file to an unexpected location that could overwrite an important file and cause unexpected behavior. For example, an attacker could use control characters in the filename to trick the system into overwriting an important configuration file.
2. File size attacks – An unexpectedly large file can cause an application to overload or fail. For example, an attacker could use a botnet to trigger the simultaneous uploads of very large (or very small!) files that result in legitimate requests not being fulfilled.
3. File content attacks – The content of the file can be use to manipulate the behavior of the application. The outcome of this attack depends entirely on how the file is used and processed. For example, uploaded and executed malware could be used to reveal a key that gives an attacker access to the system.
4. File access attacks – The access rules around uploaded files can be misconfigured, resulting in unauthorized. For example, a misconfigured AWS S3 configuration could result in private user photos being accessible to the public.

To get a more detailed look into the types of attacks that are possible, this talk by Yahoo security researcher Ebrahim Hegazy goes over 15 common scenarios in exploiting file upload pages:

Important questions to ask yourself

Now you that you know what attacks you are up against, it’s time to start asking questions about your system. Go through the following checklist of questions to identify potential vulnerabilities and prevent malicious uploaders from exploiting your system. The answers will give you insight into the risks that you are currently facing and help you determine the cost of a project to secure any existing vulnerabilities.

• Which users should have the ability to upload a file?
• Which users should have the ability to read the file?
• Is the file displayed anywhere, and if so, where?
• What kind of files can be uploaded?
• How is the metadata (file name and path) processed by the application?
• Is the file or any part of the file executed, and if so, where?
• What third party libraries interact with the file?

How to secure your file uploads

After you’ve answered the above questions for your system, or if you are dealing with a project where you are developing a file upload feature from the ground up, there are technical decisions to make. Mainly, deciding whether it is better to use an off-the-shelf system to secure file uploads, or build it in-house.

Option 1: Use a third party system

Using an off-the-shelf file upload system can be a fast way to achieve highly secure file uploads with minimal effort. If there are no special storage requirements or legacy systems to migrate, this option can be a great way for organizations to support file uploads by users. Especially if development resources are constrained.

These services usually offer enterprise-grade security with features such as antivirus scanning, user access controls, and well-documented and updated libraries in many common languages. Creating a secure file upload system using a third party is as easy as integrating their JavaScript library into the application’s frontend, then using the backend libraries to access the files as necessary by the system.

There are many services on the market that are available for developers. The most popular include:

Filestack – Previously Filepicker.io, Filestack was/is one of the first popular file uploading services. Since then, they’ve added advanced enterprise-level features while still maintaining an accessible free plan.

Transloadit – Transloadit offers an open-source uploader widget that can optionally pair with their paid file hosting and processing services.

Cloudinary – Specializing in publishers where uploaded content mostly comes from within the organization, Cloudinary offers an image and video upload service that specializes in advanced transformations.

Uploadcare – A more affordable upstart that provides uploads, media processing, and adaptive delivery for web and mobile.

Third party security considerations

Because a third party is handling the upload, storage, and delivery, the security risks are significantly reduced. Files are no longer saved on your system’s infrastructure and this reduces the chances of a system-wide vulnerability. However, access control to the files and how the files are processed by the system after the upload are still potential risks that must be assessed.

When making the decision to use a third party, there are a couple important considerations:

Pros of using third party file upload

• Achieve a high level of security that is constantly being improved and updated to reflect the latest best practices
• Reduce monetary and time costs to maintain a system by using a third party that specializes in file uploads
• Increased scalability working with a specialist that powers file uploading for

Cons of using third party file upload

• Less control as you do not have direct access to the infrastructure behind file storage
• Cannot be used for information that must be on-premises
• Up front cost to switch to a third party if there is an existing legacy file upload system

Option 2: DIY secure file upload

The other option is to handle file uploads in-house and build protections against the most common vulnerabilities. Choosing an in-house solution is a good option for organizations that have special requirements for their data that prevent third-party vendors from being used (for example, highly sensitive documents). An in-house solution is also a good option if the file upload system is part of a larger legacy system that would result in a prohibitively expensive migration.

Pros of DIY File Uploads

• More control and extensibility for custom workflows
• Can be used for on-premises information

Cons of DIY File Uploads

• Security must be constantly updated to reflect new best practices
• More expensive to maintain as it requires in-house expertise
• Harder to scale out since infrastructure needs to be put together from scratch

How to secure file uploads yourself

If you do decide to implement the security yourself, these recommendations will help you avoid the 4 types of file upload attacks that were mentioned above:

• Use a whitelist of allowed file types
  • Note: Conversely, blacklisting file extensions is not recommended as there are many ways that this weak protection method can be bypassed.
• Verify file type against the whitelist before upload
• Use input validation to prevent the whitelist from being bypassed using the filename
• Use input validation to prevent the metadata from being exploited. For example, remove any unnecessary metadata such as exif data from images and remove control characters from filenames and extensions.
• Remove any unnecessary file evaluation
• Limit the size of the filename
• Limit the size of the file (unexpectedly small files and large files can both be used in denial of service attacks)
• Limit the directory to which files are uploaded
• Scan all files with antivirus software (most commonly ClamAV, an open-source AV engine, or using an API such as AttachmentScanner)
• Name the files randomly or using a hash instead of by the user’s input. This will prevent an attacker from scripting access to uploaded files using the file’s name as an attack vector.
• Simplify error messages. Remove any directory paths and server configurations from error messages that attackers could use.
• Check the uploaded directory to make sure the read/write/execute user permissions are correct.

Additional attack prevention tips

The tips above cover the basics when it comes to keeping file uploads safe. However, when developing an application that requires high-security, it can be worth building in additional protection. The following recommendations go over more advanced techniques for applications that require enterprise-grade security.

• Use a Captcha to prevent uploads from bots and scripts
• Remove threats that are embedded in documents such as PDFs and DOCX files using content disarm and reconstruction techniques
• Protect yourself from Cross Site Request Forgery attacks using these CSRF security methods
• Use POST methods instead of PUT. Read more about HTTP method exploits here.
• Log user activities, and protect the logging mechanism from code injection and log forgery
• When decompressing files, check all uncompressed files individually in the same way that all files are checked
• Audit write access to key configuration files such as “.htaccess” or “web.config” to make sure that the file uploading system cannot access them
• Defend against Flash or PDF-based cross-site content-hijacking by adding the “Content-Disposition: Attachment” and “X-Content-Type-Options: nosniffrest” headers
• Disable browser caching for clientaccesspolicy.xml and corssdomain.xml files in order to be able to quickly restrict access to certain web services without having to wait for clients’ caches to invalidate.
• Validate CORS headers to ensure that they are only enabled for publicly accessible data. All other data should return CORS headers that only have authorized URLs. Only use “Access-Control-Allow-Credentials” when necessary, and the “Access-Control-Allow-Headers” and “Access-Control-Allow-Methods” headers should be reviewed as well.

Creating a secure file upload system can be challenging even without having to think of security. However, investments made in creating a secure system prevent costly security breaches that can have a significant impact on an organization’s reputation and bottom line. As a developer, it’s important to identify cost-effective ways to handle file upload security and evaluate the tradeoffs between an in-house and third-party solution. If you are interested in exploring the benefits of using a third-party, call us today at 1-888-415-1885 or:

Contact Sales