Protecting Your File Uploads

File uploads represent a easy way for an attacker to inject malicious code into your application. You need to ensure uploaded files are kept at arm’s length until they are fully secured, or else you risk creating an easy route to having your systems compromised.

Risks

Prevalence Common
Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354 Rating prevelance on a298cccc3e525887223509d0e6fe9a464d7d7f60574014de1fe402608154d354
Exploitability Moderate
Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b Rating exploitability on 6b817c6c589f0911378579408b6cbfc6d82345849ae2da559b8d11602b9a987b
Impact Harmful
Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd Rating impact on 48bdb4077813afe9762f27e229e64207ec59c3891a54a3adf931c2c91a6d99bd

Sophisticated hackers typically exploit a combination of vulnerabilities when attacking your site – uploading malicious code to a server is step one in the hacker playbook. The next step is finding a way to execute the malicious code.

Even big companies fall foul to this vulnerability, particularly if they are running complex, legacy code bases.

Protection

Any input coming from a user ought to be treated with suspicion until it has been guaranteed to be safe. This is particularly true of uploaded files, because your application will typically treat them as a big blob of data at first, allowing an attacker to smuggle any kind of malicious code they desire onto your system.

Segregate Your Uploads

File uploads are generally intended to be inert. Unless you are building a very particular type of website, you are typically expecting images, videos, or document files, rather than executable code. If this is the case, making sure uploaded files are kept separate from application code is a key security consideration.

Consider using cloud-based storage or a content management system to store uploaded files. Alternatively, if you are sure of your ability to scale your backend, you could write uploaded files to your database. Both of these approaches prevent accidental execution of an executable file.

Even storing uploaded files on a remote file server or in a separate disk partition helps, by isolating the potential damage a malicious file can do.

Ensure Upload Files Cannot Be Executed

However you end up storing your uploaded files, if they are written to disk, ensure they are written in such a way that the operating system knows not to treat them as executable code. Your web server process should have read and write permissions on the directories used to store uploaded content, but should not be able to execute any files there. If you are using a Unix-based operating system, make sure uploaded files are written without the “executable” flag in the file permissions.

Rename Files on Upload

Rewriting or obfuscating file names will make it harder for an attacker to locate a malicious file once they have uploaded it. Uploaded files are generally made available back over HTTP – what’s the point of uploading an image if it isn’t available anywhere on your site, for instance? Implement a method of indirection when serving the uploaded content back in the browser, so the content is not referenced by its name from the original upload.

Validate File Formats and Extensions

Make sure you check the file extension of uploaded files against a white-list of permitted file types. Do this on the server-side, since client-side checks can be circumvented.

Validate the Content-Type Header

Files uploaded from a browser will be accompanied by a Content-Type header. Make sure the supplied type belongs to a white-listed list of permitted file types. (Be aware that simple scripts or proxies can spoof the file type, though, so this protection, while useful, is not enough to dissuade a sophisticated attacker.)

Use a Virus Scanner

Virus scanners are very adept at spotting malicious files masquerading as a different file type, so if you are accepting file uploads, running up-to-date virus scanning is strongly recommended.

Other Considerations

Check File Sizes

A cheap and easy way to perform a denial-of-service attack is to upload a very large file, in the hope that the server runs out of space. Make sure you put a maximum size on the size of the files you accept.

Sanitize Filenames

Overlong filenames could be abused to exploit buffer overflow vulnerabilities. Similarly, files with special characters in the name can cause weird behaviour, depending on how they are treated by your software. It is good practice to ensure file names are sanitized before being written to disk.

Be Careful with Compressed Files

If your site accepts compressed content, such as zip files, be aware that it is possible to create malicious archive files designed to crash or render useless the program or system reading them. A zip bomb is crafted so that unpacking it will take up a large amount of time, disk space, or memory – typically, the zip will expand to be huge on disk when unpacked. Don’t deal with compressed content unless you absolutely have to, and make sure to run an anti-virus scanner if you do!

Further Reading

Is your file upload function safe?

Netsparker n 834848961a0bf6ec5556448ff47f421d0b1204a572877a59717064b1088e8c43 Check today. Scan your website for File Upload Vulnerabilities and other vulnerabilities with the