When it comes to site security, file upload functionality can be very dangerous if not used and maintained correctly. This essay will examine several kinds of file upload vulnerabilities, examine actual attack scenarios, and go over practical mitigation techniques.
What vulnerabilities exist in file uploads?
Vulnerabilities related to file uploads occur when a web server permits users to upload files to its filesystem without properly verifying attributes such as filename, type, contents, or size.
If these limitations are not appropriately enforced, even a simple picture upload feature may be used to upload random and maybe harmful files. Even script files on the server side that provide remote code execution may fall under this category. There are very typical types of Categories in File Upload Vulnerabilities.
Let’s examine a few prevalent kinds of file upload vulnerabilities:
- Malicious File Execution: This vulnerability arises when servers run files that users upload, which can result in the execution of arbitrary commands or remote code execution. To take advantage of this vulnerability, attackers upload executables or scripts like PHP or JavaScript.
<?php
$output = shell_exec(‘ls -la’);
echo “<pre>$output</pre>”;
?>
- Denial of Service (DoS): When an attacker uploads an extremely big file or loads the server with a significant number of uploads, the server becomes unavailable or crashes, interrupting legitimate users’ access to services.
- Path Traversal Attacks: In this case, malicious actors take advantage of security holes to navigate directory structures and obtain private files that are not in the upload directory that was intended, granting them access to data without authorization.
<?php echo file_get_contents(‘/path/to/target/file’); ?>
- File Content Vulnerabilities: These could include files that have been uploaded that contain viruses or that unintentionally reveal sensitive information.
- Bypassing File Type Content: Manipulating file extensions or content types allows attackers to get around security checks and upload harmful files in spite of constraints.
- Flawed Validations of file contents: Certain vulnerabilities arise due to insufficient validation of file contents, which permits malicious files to evade security protocols.
Exploits on file upload vulnerabilities
Exploring different types of attack scenarios on File upload vulnerabilities:
- Exif Metadata Not Removed: Upload the picture file with the metadata in it. After the upload is successful, retrieve the image file and use the Exif tool or a website to check if the metadata has been deleted.
$image = imagecreatefromjpeg($_FILES[‘uploaded_file’][‘tmp_name’]);
imagejpeg($image, ‘/path/to/uploaded_image.jpg’);
imagedestroy($image);
- XSS via image: To create the payload needed to carry out this attack, use Exif tool. Use the following command to insert the XSS payload into the picture metadata after installing the tool.
exiftool -Comment='”><img src=x onmouseover=alert(1)>’ /path/to/image.jpg
- Unrestricted File Upload: Each upload feature has a purpose, and only specified file formats have to be permitted in accordance with that goal. For example, only image files as opposed to other file types like PHP or HTML should be allowed on a website that has a user profile feature that allows for image uploads. Attempting to alter the file’s MIME type to one that the server allows is one way to get around such tests. By changing a PHP file’s extension to variations like .PHP,.pHp,.PhP,.php5, or other combinations, we may also determine whether the file extension is blocked.
- Size Restrictions: The purpose of a file should be taken into consideration when determining its size, and no file larger than the specified limit should be permitted. For example, a profile image file shouldn’t be larger than 5 MB. By uploading a larger file that could result in a DOS assault on the storage level, we can verify this.
- RCE by PHP File Upload: One of the most well-known PHP file-related exploits is remote code execution. Using this method, we upload a PHP WEB Shell file that contains the payload, which causes the server to run code.
<?php
if (isset($_POST[“cmd”])) {
$cmd = $_POST[“cmd”];
$output = shell_exec($cmd);
echo “<pre>$output</pre>”;
}
?>
- Double File extension: By appending several file extensions to malformed files, one can evade file type checks. Attack Scenario: To circumvent server-side validation procedures, malicious persons alter infected files by attaching additional file extensions (like “jpg.php”).
- SVG: An XSS can be initiated by a file with the following content if the application permits the upload of files with the SVG file extension, which is also an image type.
<svg xmlns=”http://www.w3.org/2000/svg” onload=”alert(document.domain)”/>
- Null Byte: Adding special characters like ;%$& right after the file name, as shell;.php, can help order webservers get around file extension whitelists php%00.gif
Securing from file upload vulnerabilities
Developers may strengthen the security posture of their online apps and guard against frequent file upload vulnerabilities and exploitation attempts by putting these mitigation measures into practice.
- Whitelist-Based File Uploads: Use a whitelist strategy to limit the kinds of files that can be uploaded according to their intended usage. Give clear guidelines for permitted file extensions and MIME types. Reject any uploads that don’t meet the specified requirements.
- Input Validation and Sanitization: Apply strong input validation and sanitization procedures to make sure uploaded files satisfy predetermined standards for content, size, and type. To supplement client-side checks and stop security measures from being circumvented, use server-side validation.
- Secure File Storage Practices: To avoid user direct access, store uploaded data in a secure location outside the site root directory. Limit file access to just authorised users and processes by implementing the appropriate access controls and permissions. To prevent unwanted access, think about encrypting critical files while they are in use and while they are being transferred.
- Content Inspection and Malware Scanning: Examine uploaded files carefully for dangerous information, such as malware, executable scripts, and other security risks, and take appropriate action to remove it. Incorporate anti-malware scanning programmes into the upload procedure to automatically check files for malware signatures and known vulnerabilities.
- Implementing File Size Limits: Establish and implement upper bounds on file sizes in order to stop misuse and lessen the possibility of DoS attacks brought on by uploading excessively big files. Use server-side validation to verify file sizes prior to processing and refuse uploads larger than the specified limitations.