Vulnerable File Upload Attack

What is the ‘File Upload’ vulnerability?

Many websites allow users to upload a profile photo, and sometimes also a resume and educational documents (educational institutes or universities) or address proofs, identity proofs, financial documents, etc. (banking websites). Such file upload fields should only accept .png, .jpg, .docx or .pdf files, depending on the type of file that is expected.

However, due to a lack of security measures, an attacker is sometimes able to upload malicious files such as .js, .php or .exe, or files with double extensions such as filename.exe.pdf or filename.php.docx, where the attacker fools the system by appending the expected extension to a malicious script and succeeds in uploading the file. If a user is able to upload any file type other than the required extensions, it is reported as a ‘Vulnerable File Upload’ vulnerability.

What is the impact of this attack?

The damage is done once the attacker succeeds in uploading a malicious file to the web server or database and that uploaded file is later executed on the web server or database. The attacker can gain administrative rights on the web server, or, if a .js or .php reverse-shell script was uploaded, obtain unauthorized access to local files and the underlying system, take control of the server, delete records, etc.

If the file that is uploaded has the same filename and extension as an existing file on the server, the newly uploaded file may overwrite the previous file. If the attacker succeeds in overwriting a system file, the new file can be used to launch a potentially harmful server-side attack. This may allow the attacker to manipulate the security and privacy settings of the server or stop the functioning of the server entirely.

File upload forms sometimes restrict the user to a certain file size. If the attacker is able to bypass the file-size restriction using a hacking tool, they might cause a buffer overflow or a DoS (Denial of Service) by uploading an extremely large file to crash the web server.

How to secure your system against such attacks?

  • White-listing: White-list the allowed file extensions so as to filter out malicious scripts and other executable files, on both the client and the server side.

  • Client- and server-side verification of the uploaded file: Verifying that the filename and extension accepted for the allowed format on the client side are the same as the ones being saved on the server side ensures that an attacker cannot intercept the request and change the filename or extension.

  • Restricting the name-length and file-size: Imposing restrictions on the name-length and file size will help to prevent a DoS attack.

  • Storage location of the uploaded files: The files uploaded by the user should be stored in a separate directory outside the webroot or the public directory of the website. This will ensure that even if the attacker succeeds in uploading a malicious file, he will not be able to execute it using a web URL.

  • Error Handling for Wrong File Upload: While displaying errors for wrong file uploads, directory paths should be excluded so that the attacker does not gain access to the server using directory traversal attacks.

  • Scanning the files for malware and other malicious content: All uploaded files should be scanned for malware and other malicious scripts before saving them to the desired location.
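The following server-side handler is an added example (not code from the original article) that applies the white-listing, double-extension, name-length, file-size and storage-location points above in one place. The allowed-extension table with its magic bytes, the size limits and the upload directory are assumed values chosen for the example.

```python
import re
import secrets
from pathlib import Path

# Constructed policy: each allowed extension is paired with the bytes a genuine
# file of that type starts with, so the content is checked and not only the name.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_NAME_LEN = 64
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB, an assumed limit
UPLOAD_DIR = Path("/srv/app/uploads")  # assumed path outside the web root

def validate_upload(filename: str, content: bytes) -> str:
    """Return the accepted extension, or raise ValueError with a path-free message."""
    # Keep only the last path component so client-supplied directories are ignored.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("invalid file name")
    if len(content) > MAX_SIZE:
        raise ValueError("file too large")
    # Split on the FIRST dot: 'shell.php.pdf' yields 'php.pdf', which is not allowed,
    # and the base name must be plain characters so no second extension can hide in it.
    base, sep, ext = name.partition(".")
    ext = ext.lower()
    if not sep or not re.fullmatch(r"[A-Za-z0-9_-]+", base) or ext not in ALLOWED:
        raise ValueError("file type not allowed")
    # The white-list is enforced on the bytes too: a PHP script named photo.png fails here.
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("file content does not match its extension")
    return ext

def is_acceptable(filename: str, content: bytes) -> bool:
    """True when validate_upload accepts the file; the reason is never a server path."""
    try:
        validate_upload(filename, content)
        return True
    except ValueError:
        return False

def save_upload(filename: str, content: bytes, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Store under a random server-generated name, outside the web root."""
    ext = validate_upload(filename, content)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}.{ext}"
    with open(dest, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(content)
    return dest
```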