Input Validation / Upload of Malicious Files
Description
The application allows the attacker to upload or transfer malicious files that can be automatically processed within the product's environment. The application should be able to fend off bogus and malicious files in a way to keep the application and the users safe.
Risk
An attacker could be able to upload executable code which could allow them to execute operating system commands, read and modify information in the filesystem, access the back end database and fully compromise the server. Malicious files could also be downloaded by unsuspecting users and trigger further client-side attacks.
Solution
Malicious files should be detected and stopped at various points of the application architecture.
The following principles should be followed to reach a secure file upload implementation:
- List allowed extensions. Only allow safe and critical extensions for business functionality
- Ensure that input validation is applied before validating the extensions.
- Validate the file type, don't trust the Content-Type header as it can be spoofed
- Change the filename to something generated by the application
- Set a filename length limit. Restrict the allowed characters if possible
- Set a file size limit
- Only allow authorised users to upload files
- Store the files on a different server. If that's not possible, store them outside of the webroot
- In the case of public access to the files, use a handler that gets mapped to filenames inside the application (someid -> file.ext)
- Run the file through an antivirus or a sandbox if available to validate that it doesn't contain malicious data
- Ensure that any libraries used are securely configured and kept up to date
- Protect the file upload from CSRF attacks
Description
The application allows the attacker to upload or transfer malicious files that can be automatically processed within the product's environment. The application should be able to fend off bogus and malicious files in a way to keep the application and the users safe.
Risk
An attacker could be able to upload executable code which could allow them to execute operating system commands, read and modify information in the filesystem, access the back end database and fully compromise the server. Malicious files could also be downloaded by unsuspecting users and trigger further client-side attacks.
Solution
Malicious files should be detected and stopped at various points of the application architecture.
The following principles should be followed to reach a secure file upload implementation:
- List allowed extensions. Only allow safe and critical extensions for business functionality
- Ensure that input validation is applied before validating the extensions.
- Validate the file type, don't trust the Content-Type header as it can be spoofed
- Change the filename to something generated by the application
- Set a filename length limit. Restrict the allowed characters if possible
- Set a file size limit
- Only allow authorised users to upload files
- Store the files on a different server. If that's not possible, store them outside of the webroot
- In the case of public access to the files, use a handler that gets mapped to filenames inside the application (someid -> file.ext)
- Run the file through an antivirus or a sandbox if available to validate that it doesn't contain malicious data
- Ensure that any libraries used are securely configured and kept up to date
- Protect the file upload from CSRF attacks