File upload security recommendations

In my security career, I have always found the file upload module to be one of the favourite playgrounds for attackers. There are many detailed documents describing guidelines for a secure upload mechanism, and going through them will give you a sense of how insecure file upload modules tend to be.

So here are the points I would take care of, or recommend, for secure uploads.

Proper file type checks: Check at least the basic parameters such as file size and MIME type, and allow only a selected set of MIME types wherever possible. Make a whitelist of file extensions allowed for upload, and keep executable files and scripts out wherever possible. Set a minimum and maximum file size for uploads; this prevents an attacker from DoSing the web server by uploading huge files and exhausting the storage space.

Random filenames and folders: Do not allow user input to specify the destination directory or file name of uploaded documents. A good practice is to rename the document to some random value and track the mapping in your database. In short, guessing the name of an uploaded file should be made difficult for the attacker.
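The two points above, plus the header-verification question raised in the comments, as an added Python example that is not part of the original post. It checks the extension against an allowlist, enforces size bounds, confirms the first bytes of the content match what the extension claims (the client-supplied MIME type is attacker-controlled, so the content itself is sniffed), and stores the file under a random name with a non-executable mode. The allowlist, size limits and the `registry` dict standing in for a database table are assumptions of this example.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Allowlist: extension -> magic bytes the content must start with.
# Illustrative policy values (assumption); extend to what the application needs.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MIN_SIZE = 1                  # bytes: reject empty uploads
MAX_SIZE = 5 * 1024 * 1024    # bytes: cap to limit storage exhaustion


def rejection_reason(original_name: str, data: bytes) -> Optional[str]:
    """Return why an upload is rejected, or None if it passes every check."""
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED_TYPES:
        return "extension not in allowlist"
    if len(data) < MIN_SIZE:
        return "file is empty"
    if len(data) > MAX_SIZE:
        return "file exceeds maximum size"
    # The header check: the bytes must match the extension, whatever the client said
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return "content does not match extension"
    return None


def random_storage_name(ext: str) -> str:
    """Unguessable on-disk name; the original name is only kept in the registry."""
    return secrets.token_hex(16) + ext


def store_upload(original_name: str, data: bytes, upload_dir: str, registry: dict) -> str:
    """Validate, then write the file under a random name and record the mapping."""
    reason = rejection_reason(original_name, data)
    if reason is not None:
        raise ValueError(reason)
    ext = Path(original_name).suffix.lower()
    storage_name = random_storage_name(ext)
    target_dir = Path(upload_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    # O_EXCL: never overwrite an existing file; 0o640: readable by the server, never executable
    fd = os.open(target_dir / storage_name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # `registry` stands in for the database table mapping storage names to originals (assumption)
    registry[storage_name] = {"original_name": original_name, "size": len(data)}
    return storage_name
```

Because the extension is taken from the original name but the storage name is generated, a name like `shell.php.png` can only be stored if its bytes really begin with a PNG header, and it never lands on disk under a user-chosen name.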

Upload directory security: Store all uploaded files outside your web root. Where possible, keep the upload directory separate from the application and system directories or drives; this helps mitigate resource exhaustion and directory traversal issues. Set proper folder permissions (for example, chroot()). Do not allow the user to choose the upload folder, and avoid giving users write permission on it. Instead, the web server process (e.g. Apache) can be given write permission while users are denied RWX access to the upload folder.

Prevent users from directly accessing files in the upload directory. Files can be stored directly on the server, or alternatively stored as blobs in the database. However, storing very large files as blobs can hurt database performance, and malicious data, if uploaded, will be saved directly into the database without validation.

Neutering the file, i.e. renaming it to some random value, XORing it or compressing it in some way so that the OS does not interpret it as an executable, will help raise the security barrier.

Anti-virus scan: Scan uploaded files for viruses or other malicious content. You can also try ModSecurity, which has a feature for inspecting files on upload and can be combined with an anti-virus engine; the advantage is that the HTTP request is blocked before the file even reaches your system. Alternatively, files can be scanned immediately after they are uploaded. Both approaches are effective in their own way and can be adopted depending on their implementation challenges. Other content-filtering techniques such as ICAP or CVP are also worth a thought.

File name validation: When users upload files, we allow them to specify the name the file should be referred to by. The application should validate these file names against XSS attacks.
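An added Python example (not from the original post) of the file name validation described above. The user-chosen name is reduced to a safe display form (path components, NUL bytes, look-alike Unicode and everything outside a character allowlist are removed), and the link that shows it back to other users applies HTML output encoding regardless, so a display name can never become markup. The length limit and the `/files/` URL prefix are assumptions.

```python
import html
import re
import unicodedata
from pathlib import PurePosixPath, PureWindowsPath

MAX_DISPLAY_LEN = 100                      # illustrative limit (assumption)
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_display_name(user_supplied: str) -> str:
    """Reduce a user-chosen file name to a safe display form."""
    name = user_supplied.replace("\x00", "")            # drop NUL bytes
    name = PurePosixPath(name).name                     # strip '/' path components
    name = PureWindowsPath(name).name                   # strip '\' and drive components
    name = unicodedata.normalize("NFKC", name)          # fold look-alike Unicode forms
    name = _DISALLOWED.sub("_", name)                   # replace anything outside the allowlist
    name = name.lstrip(".")                             # no hidden files, no '..'
    name = name[:MAX_DISPLAY_LEN]
    return name or "file"


def html_link(storage_name: str, display_name: str) -> str:
    """Render a download link; output encoding is applied even to already-sanitised names."""
    return '<a href="/files/%s">%s</a>' % (
        html.escape(storage_name, quote=True),
        html.escape(display_name, quote=True),
    )
```

The two functions are deliberately independent: sanitisation limits what is stored, output encoding protects every place the name is rendered, and either one alone would leave a gap if the other were bypassed.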

Uploading and saving sensitive documents in encrypted form: Sensitive data should be uploaded over SSL and saved on the server in encrypted form to protect against eavesdropping. The file can also be encrypted during upload instead of at the time it is saved on the server. There are products that can help with this, such as AspEncrypt.


Page tokens: Use unique tokens for upload forms. This helps mitigate the less-known cross-site file upload attack, in which the attacker uploads malicious or illegal content into the victim's account; if the victim is a web admin, the attacker can upload any malicious file into directories that are otherwise restricted to other users.
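An added Python example (not from the original post) of the per-form upload token described above. The token is minted with a CSPRNG, stored server-side, accepted once only and compared in constant time; as defence in depth the handler also checks the request's `Origin`/`Referer` against the site's own origin. The dict-based session and the `handle_upload` stand-in for a request handler are assumptions.

```python
import hmac
import secrets


def issue_upload_token(session: dict) -> str:
    """Mint a fresh per-form token and remember it in the server-side session."""
    token = secrets.token_urlsafe(32)
    session["upload_token"] = token
    return token


def verify_upload_token(session: dict, submitted) -> bool:
    """Single-use, constant-time comparison; missing or reused tokens fail."""
    expected = session.pop("upload_token", None)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def same_origin(headers: dict, expected_origin: str) -> bool:
    """Defence in depth: a cross-site form post carries a foreign Origin/Referer."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == expected_origin or origin.startswith(expected_origin + "/")


def handle_upload(session: dict, headers: dict, form: dict, expected_origin: str) -> int:
    """Constructed stand-in for a request handler; returns an HTTP status code."""
    if not same_origin(headers, expected_origin):
        return 403
    if not verify_upload_token(session, form.get("upload_token")):
        return 403
    return 200  # the file would now go through content validation and storage


def simulate_flow() -> list:
    """Constructed walkthrough: a genuine post, a replayed token, a cross-site post."""
    origin = "https://app.example"
    session = {}
    token = issue_upload_token(session)
    statuses = []
    statuses.append(handle_upload(session, {"Origin": origin}, {"upload_token": token}, origin))
    statuses.append(handle_upload(session, {"Origin": origin}, {"upload_token": token}, origin))
    token = issue_upload_token(session)
    statuses.append(handle_upload(session, {"Origin": "https://attacker.example"},
                                  {"upload_token": token}, origin))
    statuses.append(handle_upload(session, {"Origin": origin}, {"upload_token": "forged"}, origin))
    return statuses
```

`simulate_flow()` returns `[200, 403, 403, 403]`: the first post succeeds, the replay fails because the token was consumed, the cross-site post fails on origin, and a guessed token fails the comparison.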

Error pages: Do not reveal too much information in error pages, such as directory paths, which can help an attacker mount further attacks. Use customised error pages.

Proper verb: The HTTP POST verb is preferred over PUT or GET, as it is comparatively more secure.

ACL: Limit access to the upload module to the required users or groups wherever possible.

Logging user activities: Log all of the user's activities, in this case the user's IP, the size of the file, the directory to which the file was uploaded, etc. This helps you find out whether any attacks were made against your server and whether they succeeded.

  • Blaque

    Oh come on. BLOBing is dirty, and should be avoided at all costs.

  • Prashant Verma

    Here is my piece on the topic:
    1. Don't just upload the files based on their extensions.
    Always verify the file headers before uploading the file.
    Meaning, a .doc file being uploaded should have .doc headers and not a .jpeg or .mov extension.
    2. Applications should also verify the contents of the file being uploaded, and any file with malicious characters in it should be dropped. I have seen an attack where a user uploaded an HTML file containing JavaScript. This upload was available to other users for download. The users downloading/opening it unknowingly ran the JavaScript.
    3. Also, when we talk about upload directory security, the upload path should not only have strict access permissions, but the path should also not be revealed to users. A wrong pattern of revealing the path in the URL is often seen.

  • http://maestro-sec.com w0lf

    @ Blaque : Hehe.. I know it is really dirty if you have a large number of huge files to be uploaded daily. But well, it's fine for small uploads. Both file directory and BLOBing have their own pros and cons. :)

    @ Prashant : Thanks for the info, sir. I guess it has all been covered in the blog. Any other tip/info is most welcome :)

  • Pingback: Wampiryczny blog

  • SquirreliT

    What are your recommendations when uploading Office 2007 documents, which are essentially zip files? Do you check the contents of the archive before verifying the file is suitable for upload?
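One way to inspect such an archive before accepting it, as an added Python example that is not part of the original post or its comments. It opens the upload as a zip in memory, requires the `[Content_Types].xml` part that every OOXML package carries, refuses member paths that escape the archive, refuses the `vbaProject.bin` parts that hold VBA macros, and bounds member count, total uncompressed size and compression ratio to catch decompression bombs. The numeric limits and the "no macros" policy are assumptions; `build_sample_package` is a constructed helper for making test input.

```python
import io
import zipfile
from typing import Optional

# Illustrative limits (assumption); tune to the application.
MAX_MEMBERS = 500
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024
MAX_COMPRESSION_RATIO = 100
# OOXML parts that carry VBA macros (docm/xlsm/pptm); hypothetical policy is to refuse them.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def ooxml_rejection_reason(data: bytes) -> Optional[str]:
    """Inspect an uploaded Office 2007+ document (a zip) before accepting it."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not a zip archive"
    with archive:
        members = archive.infolist()
        if len(members) > MAX_MEMBERS:
            return "too many archive members"
        names = {m.filename for m in members}
        if "[Content_Types].xml" not in names:
            return "missing [Content_Types].xml, not an OOXML package"
        total_raw = total_stored = 0
        for m in members:
            path = m.filename.replace("\\", "/")
            # absolute paths, drive letters and '..' segments must never reach an extractor
            if path.startswith("/") or ":" in path or ".." in path.split("/"):
                return "unsafe member path: " + m.filename
            if path in MACRO_PARTS:
                return "macro container present: " + m.filename
            total_raw += m.file_size          # declared uncompressed size
            total_stored += m.compress_size   # bytes actually in the archive
        if total_raw > MAX_TOTAL_UNCOMPRESSED:
            return "uncompressed size exceeds limit"
        if total_stored and total_raw / total_stored > MAX_COMPRESSION_RATIO:
            return "suspicious compression ratio (possible zip bomb)"
    return None


def build_sample_package(members: dict) -> bytes:
    """Constructed helper: build an in-memory zip from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The size and ratio checks read the central directory only, so nothing is decompressed before the decision is made; a full anti-virus scan of the extracted parts is a separate step that would follow a pass here.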

  • http://maxishare.net maxishare

    Nice work, useful article, thanks.

  • Anil

    Nice article, and we are planning to do exactly the same. However, I do have trouble implementing some of the things in here.

    @Prashant- Don't just upload the files based on their extensions. Always verify the file headers before uploading the file. Meaning, a .doc file being uploaded should have .doc headers and not a .jpeg or .mov extension.

    Question: How can I do this? I only get a stream for the file content, and I have no clue how to get the header of the file. And secondly, is there any utility that scans for valid header types?

    @Prashant- Applications should also verify the contents of the file being uploaded, and any file with malicious characters in it should be dropped. I have seen an attack where a user uploaded an HTML file containing JavaScript. This upload was available to other users for download. The users downloading/opening it unknowingly ran the JavaScript.

    Question: We have implemented virus scanning through ClamAV running as a daemon service; however, I am not able to make it flag XSS, like the one mentioned above. Is there any other utility out there which I can use here?

    Any solutions or pointers in .

  • Anil

    .. are greatly, greatly appreciated.

    Thanks again for the nice article.
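An added Python example, not from the original post or any commenter, for the "HTML containing JavaScript" concern raised here and the point in the post that users must not reach uploaded files directly. Files are served only through the application, by a flat storage name that must resolve inside the upload directory, and always with headers that make the browser download rather than render the body: `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff`, a generic content type for anything not on a short known list, and a restrictive `Content-Security-Policy` with `sandbox`. The known-type table and `/tmp/uploads` path are assumptions.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import quote

# Types the browser may be told about (assumption); everything else is served as opaque bytes.
KNOWN_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".gif": "image/gif", ".pdf": "application/pdf"}


def resolve_storage_path(upload_dir: str, storage_name: str) -> Optional[Path]:
    """Only flat names directly inside the upload directory are ever opened."""
    base = Path(upload_dir).resolve()
    candidate = (base / storage_name).resolve()
    return candidate if candidate.parent == base else None


def download_headers(storage_ext: str, display_name: str) -> dict:
    """Headers that stop the browser from rendering or sniffing an uploaded file."""
    content_type = KNOWN_TYPES.get(storage_ext.lower(), "application/octet-stream")
    # ASCII fallback name for the plain filename parameter; RFC 5987 form carries the full name
    ascii_name = display_name.encode("ascii", "replace").decode("ascii")
    ascii_name = ascii_name.replace('"', "_").replace("\\", "_").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        # attachment: never rendered inline, so an HTML/JS body is downloaded, not executed
        "Content-Disposition": 'attachment; filename="%s"; filename*=UTF-8\'\'%s'
                               % (ascii_name, quote(display_name)),
        "X-Content-Type-Options": "nosniff",          # no MIME sniffing of the body
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-store",
    }


def serve_file(upload_dir: str, storage_name: str, display_name: str):
    """Constructed stand-in for a download route: (status, headers, path) or a 404."""
    path = resolve_storage_path(upload_dir, storage_name)
    if path is None or not path.is_file():
        return 404, {}, None
    return 200, download_headers(path.suffix, display_name), path
```

This does not replace rejecting HTML at upload time; it is the second layer, so that a file which slipped through validation, or a scanner that cannot recognise script content, still cannot run in a user's browser under the site's origin.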

  • http://tripleplayenterprises.com/ leoAugust

    Great post. Currently I have a task for one of my college subjects to secure DVWA, and this post really helped me secure file upload. Very appreciated.

  • Abhinav Srivastava

    cvvv