Introduction to unrestricted file upload vulnerabilities

Shellmates Club
6 min read · Apr 18, 2021
Why do we need file uploads in a website?

File upload is the operation of transferring a file from one computer system to another; in other words, sending a file to a device that is set up to receive it. It is an essential feature of many applications because it lets users upload a photo, video, audio file, CV, document, and so on.

However, file uploads carry a notable risk that few people outside the attacker community are aware of: a flawed upload handler is often all it takes to compromise a site and take control of the server behind it.

Understanding arbitrary file upload vulnerability

Intro

If you can upload files to the server with no restriction, you can upload a script that, when executed, runs commands on the server or connects back to your machine and gives you an interactive shell. The script has to be written in a language the server will execute; PHP is the usual choice, since a large share of websites run on PHP-enabled servers. A complete absence of restrictions is rare, but flawed filters are common.

Client-side filter

A client-side filter is the easiest to bypass. It exists for convenience and a better user experience, not for security, because the attacker controls the browser and everything that runs in it.

By inspecting the HTML form you can find the upload endpoint and the name of the file parameter; we'll need both later.

You can then use a request-building tool such as Postman or Insomnia to send the upload yourself, with any file you like and none of the browser's restrictions.

Some websites use mechanisms that are harder to bypass, such as a token injected into the HTML form so that only requests coming from the original form are valid (a CSRF token), or accepting requests only from the site's own origin. Here we have to be a bit trickier: rename the script to an extension the site accepts, from malicious-code.php to malicious-code.png, submit it through the real form so the token and origin are correct, and use Burp Suite to intercept the request and change the filename back to .php before it reaches the server.

First you need a browser extension that makes working with Burp's proxy easier; FoxyProxy is a good choice. This lets you route your browser's traffic through Burp, where you can analyse and modify it.

After starting Burp Suite, open Firefox, click the FoxyProxy extension and select "Burp". Your traffic is now proxied through Burp, and with interception on, each request is held before it is forwarded.

Now let's try to upload our malicious-code.png through the form.

We can see the request in Burp and, more importantly, modify it before sending it on to the server: in the multipart body, change the filename field back to malicious-code.php (the Content-Type line next to it can stay as image/png, since it is usually ignored by the server).

When implementing an upload system, it is good practice to store the files in a directory that cannot be reached through a URL. Unfortunately this is often not the case, and the file lands in a web-accessible subfolder (often something like /images or /uploads). In that case our script can be found at https://example.com/uploads/malicious-code.php, and simply visiting the link makes the server execute it.

Server-side filter

One way to filter uploaded files is to check the extension against a list of allowed extensions (a whitelist): if the uploaded file's extension is not on the list, the file is rejected. Many such filters split the filename at the dot (.) and compare whatever follows the first dot against the list. That makes them easy to bypass with a double-barrelled extension such as .jpg.php: the filter sees .jpg, which is on the list, accepts malicious-code.jpg.php, and the server saves the file under that name, where its real (last) extension is .php and it executes as PHP.

Some servers use a blacklist instead of a whitelist. The difference is that the server allows everything except the extensions on the list, so here we can try other file types that a PHP-enabled server may still execute, such as .php3, .php4, .php5 and .phtml. Which of these actually run depends on the server's handler configuration, so it is worth trying each one; a blacklist that only names .php will usually let at least one through.
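The two flawed checks described above, side by side with a check that takes the real extension, as an added example (this is not code from the original article; the filenames are constructed for the demo, and the executable-extension set is an assumption about a typical PHP server):

```python
# Added example, not code from the original article. Three versions of an
# extension check and the constructed filenames that slip past the weak ones.

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# A short, incomplete deny list of the kind the article describes.
DENIED_EXTENSIONS = {"php"}
# Alternate extensions that PHP-enabled servers often still execute (assumed set).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def naive_whitelist(filename: str) -> bool:
    """Flawed: splits on '.', then trusts the element right after the FIRST dot."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED_EXTENSIONS


def naive_blacklist(filename: str) -> bool:
    """Flawed: rejects only what is on the deny list, so .phtml and friends pass."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in DENIED_EXTENSIONS


def strict_whitelist(filename: str) -> bool:
    """Hardened: the real extension is the part after the LAST dot; it must be
    on the allow list, and no earlier segment may be an executable extension
    (Apache with a loose AddHandler may still treat shell.php.jpg as PHP)."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    ext = parts[-1]
    inner = parts[1:-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return not any(seg in EXECUTABLE_EXTENSIONS for seg in inner)


def evaluate(filename: str) -> dict:
    """Run one filename through all three checks and report each verdict."""
    return {
        "naive_whitelist": naive_whitelist(filename),
        "naive_blacklist": naive_blacklist(filename),
        "strict_whitelist": strict_whitelist(filename),
    }


if __name__ == "__main__":
    # Constructed names: a legitimate image, the article's two bypasses,
    # the reverse double extension, and a bare script.
    for name in ["photo.JPG", "shell.jpg.php", "shell.phtml", "shell.php.jpg", "shell.php"]:
        print(f"{name:16} {evaluate(name)}")
```

Even the strict check only decides whether the name is acceptable; it does not make the stored file safe, because the server's handler configuration decides what executes. That is why the mitigation section also stores files under a generated name in a directory with no script handlers.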

Another way to filter file types is to check the file's header rather than its name. The Linux file command does exactly that; running file malicious-code.php on a plain PHP script gives:

If we check a file of some other format that the server is likely to accept, we get a different answer.

Our task now is to make our code look like another file format. We can look up the header bytes of the desired format (known as magic numbers) and prepend them to our file, since file identifies a format by its first bytes. For GIF files they are 47 49 46 38 37 61, the ASCII string GIF87a; I use a hex editor to insert them at the very start of the file. PHP copies any bytes outside the <?php ... ?> tags to the output untouched, so the extra header does not stop the code from running.

If we check the file type again, it is now reported as a GIF, while the file still has its .php extension and still contains our PHP code.
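The polyglot described above, built and checked in code, as an added example that is not part of the original article. The sniffer only knows a handful of signatures and mimics how file classifies those formats; the PHP body is a constructed placeholder that merely proves execution, not the connect-back script the article refers to:

```python
# Added example, not code from the original article. Builds the GIF/PHP
# polyglot the article describes and checks it with a minimal magic-number
# sniffer that classifies these formats the way `file` does.
import tempfile
from pathlib import Path
from typing import Optional

MAGIC_NUMBERS = {
    b"GIF87a": "GIF image data, version 87a",
    b"GIF89a": "GIF image data, version 89a",
    b"\x89PNG\r\n\x1a\n": "PNG image data",
    b"\xff\xd8\xff": "JPEG image data",
    b"%PDF-": "PDF document",
}

# Constructed placeholder body; it only shows whether the interpreter ran it.
PHP_BODY = b"<?php echo 'executed as php'; ?>\n"


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, as `file` does for these formats."""
    for magic, description in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return description
    # A bare script has no image magic; `file` reports it as PHP script text.
    if data.lstrip().startswith(b"<?php"):
        return "PHP script text"
    return "data"


def make_gif_polyglot(php_body: bytes = PHP_BODY) -> bytes:
    """Prepend (not append) the GIF87a signature 47 49 46 38 37 61 to PHP code.
    PHP emits bytes outside <?php ... ?> verbatim, so the header is harmless to it."""
    return b"GIF87a" + php_body


def header_hex(data: bytes) -> str:
    """The first six bytes as the hex you would type into a hex editor."""
    return data[:6].hex(" ")


def contains_php_tag(data: bytes) -> bool:
    """What a content check must look for in addition to magic numbers."""
    return b"<?php" in data or b"<?=" in data


def write_sample(directory: Optional[str] = None) -> Path:
    """Write the polyglot to disk so you can run `file` on it yourself."""
    directory = directory or tempfile.mkdtemp()
    path = Path(directory) / "malicious-code.php"
    path.write_bytes(make_gif_polyglot())
    return path


if __name__ == "__main__":
    polyglot = make_gif_polyglot()
    print(sniff(PHP_BODY))             # PHP script text
    print(sniff(polyglot))             # GIF image data, version 87a
    print(header_hex(polyglot))        # 47 49 46 38 37 61
    print(contains_php_tag(polyglot))  # True
    print("written to", write_sample())
```

The lesson for defenders is in the last two functions: a file passes the magic-number check and still carries a PHP open tag, so header sniffing alone is not a sufficient server-side control.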

Mitigation techniques of file upload vulnerability

To prevent this type of vulnerability and harden the server, here are some recommendations for developers and webmasters:

1. File type verification

File types are usually identified by their extension, which lets the OS and users recognise the kind of file. However, an attacker can give a malicious executable or script a legitimate-looking extension such as .pdf or .png and slip past checks that trust the name alone. To prevent this, verify the file type from its content (its magic numbers) as well as from its extension before accepting the upload, and reject the file when the two disagree.

2. Limit file extensions

Use an allow list that names only the file types the application actually needs and excludes executables and scripts. Take the extension after the last dot, compare it case-insensitively, and reject anything not on the list; a deny list of known-bad extensions will always miss variants such as .phtml.

3. Malware and virus avoidance

To prevent malware attacks, scan every uploaded file with one or more anti-malware tools; different engines use different algorithms and specialise in different families. For the scan, first store the file under a random name with no extension, then run the scanner on it; only once it is clean may the file be associated with its intended name and extension.

4. Store files in an external directory

Store uploads in a directory outside the web root, or at least one that has no "execute" permission and from which all script handlers have been removed (on Apache, disable the PHP engine and handlers for that directory; with nginx, make sure the location is never passed to FastCGI). Serve the files through an application endpoint that sets the Content-Type rather than by a direct URL. This prevents attackers from executing an uploaded file simply by requesting it through the website.

5. Simple error messages

Detailed error messages that reveal server configuration settings or directory paths tell an attacker where uploaded files live and how to reach them. Keep error messages as simple and generic as possible, and log the details server-side instead.

6. File size restriction

Enforce a minimum and maximum file size for uploads to prevent denial-of-service attacks that fill the disk or exhaust memory during processing.

7. Compressed file check

When extracting archives, treat each entry of the compressed file as a separate upload and validate it individually (type, extension, size, and the path it would be written to), since an archive can contain scripts, nested archives, or entries whose names escape the target directory.

For additional protection levels, you should also :

  • Strip all control and special characters from filenames and their extensions, without exception, and discard non-ASCII (Unicode) characters as well; never use the client-supplied name as the storage path.
  • Accept uploads only through an ordinary POST form (multipart/form-data) and disable the HTTP PUT method on the web server, since PUT can be used to write arbitrary resources.
  • Limit the length of the file name and of the extension.
  • Track users' upload activity with web analytics tools or server logs so that abuse can be spotted.
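One upload pipeline that applies recommendations 1, 2, 4 and 6 above together with the filename rules, as an added example (not code from the original article). It assumes the storage directory is outside the web root and served without script handlers, that the application later serves files by their record id with the stored Content-Type, and that the size limit and allow list are values chosen for the demo; the sample inputs are constructed:

```python
# Added example, not code from the original article: one upload pipeline that
# applies the article's recommendations 1, 2, 4 and 6 and its filename rules.
# Assumes the storage directory is outside the web root and has no script
# handlers; the web server side of that is not shown here.
import secrets
import tempfile
from pathlib import Path
from typing import Optional

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # recommendation 6: size limit (assumed value)
MAX_NAME_LENGTH = 64                 # filename and extension length limit (assumed)

# Allow list (recommendation 2) paired with the magic numbers each type must
# start with (recommendation 1) and the Content-Type to serve it with later.
ALLOWED_TYPES = {
    "jpg":  ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "png":  ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "gif":  ((b"GIF87a", b"GIF89a"), "image/gif"),
    "pdf":  ((b"%PDF-",), "application/pdf"),
}
SAFE_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


class UploadRejected(ValueError):
    """Raised with a short, generic reason (recommendation 5: no paths or config)."""


def clean_filename(original: str) -> str:
    """Keep the last path component, drop everything but [A-Za-z0-9._-],
    strip leading dots (no '..' or '.htaccess'), and cap the length."""
    base = original.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = "".join(ch for ch in base if ch in SAFE_NAME_CHARS).lstrip(".")
    return cleaned[:MAX_NAME_LENGTH]


def validate_upload(original_name: str, data: bytes) -> tuple:
    """Return (display_name, extension, content_type) or raise UploadRejected."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file size not accepted")
    name = clean_filename(original_name)
    if "." not in name:
        raise UploadRejected("file type not accepted")
    stem, ext = name.rsplit(".", 1)          # the LAST extension is the real one
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not accepted")
    magics, content_type = ALLOWED_TYPES[ext]
    if not data.startswith(magics):          # bytes.startswith accepts a tuple
        raise UploadRejected("file content does not match its type")
    return f"{stem}.{ext}", ext, content_type


def store_upload(original_name: str, data: bytes, storage_dir: Path) -> dict:
    """Validate, then write under a random name with no extension (recommendation 4)."""
    display_name, ext, content_type = validate_upload(original_name, data)
    stored_id = secrets.token_hex(16)        # unguessable, and nothing for a handler to match
    storage_dir.mkdir(parents=True, exist_ok=True)
    (storage_dir / stored_id).write_bytes(data)
    # The application keeps this record and serves the bytes with content_type
    # and a Content-Disposition built from display_name, never by a direct URL.
    return {"id": stored_id, "display_name": display_name, "content_type": content_type}


def run_demo(storage_dir: Optional[Path] = None) -> dict:
    """Constructed inputs: each maps to 'stored:<id>' or 'rejected:<reason>'."""
    storage_dir = storage_dir or Path(tempfile.mkdtemp())
    samples = {
        "shell.jpg.php":       b"<?php echo 1; ?>",
        "shell.phtml":         b"<?php echo 1; ?>",
        "../../.htaccess.png": b"\x89PNG\r\n\x1a\nrest",        # traversal and dot-file stripped
        "shell.png":           b"GIF87a<?php echo 1; ?>",       # content/extension mismatch
        "shell.gif":           b"GIF87a<?php echo 1; ?>",       # passes: magic bytes cannot catch polyglots
        "photo.JPG":           b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    }
    results = {}
    for name, data in samples.items():
        try:
            results[name] = "stored:" + store_upload(name, data, storage_dir)["id"]
        except UploadRejected as exc:
            results[name] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22} {outcome}")
```

Note the shell.gif case: a GIF-headed PHP polyglot passes both the extension and the magic-number checks, and no amount of name or header validation changes that. It is harmless here only because the stored file has no extension and lives where nothing will execute it, which is why recommendation 4 is the control that actually matters.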

Shellmates Club

A dedicated group of Algerian students with a profound passion for computer security and computer science. 🇩🇿🔒💻