Introduction
Imagine a bustling marketplace, where merchants display their goods, and guards stand at the gate, screening each visitor. Suddenly, a finely crafted gift is left at the entrance—a beautiful, polished box with ribbons and seals. The guards, trusting the box based on its appearance, bring it inside without inspecting its contents. But this box is no ordinary gift; it hides a Trojan horse waiting to unleash chaos from within.
In the digital world, your business faces a similar challenge with file uploads.
Many businesses use websites and other systems that allow file uploads to carry out their day-to-day business. That "innocent" file an employee or customer uploads may contain hidden dangers, masked by familiar file extensions or disguised through malicious means. Just like the guards at the gate, your systems need a way to determine if a file is safe or a threat or you are taking a huge risk.
What Are Upload Vulnerabilities?
Upload vulnerability occurs when a system inadequately verifies uploading files which could potentially be malicious, allowing it to sneak past defences and cause havoc. For businesses, exploitation of existing vulnerabilities can allow malicious files to be uploaded, once malicious uploads are in the system this can cause data breaches, further malware infections, and unauthorized access – with consequences that could harm brand reputation, cause loss of revenue, fines, and loss of customer trust, not to mention legal consequences and system downtime. The stuff of nightmares?
Understanding File Extensions and Magic Numbers
File extensions: These are the characters after the dot in a file name, like .jpg or .pdf, and are intended to indicate a file’s type, but they're not foolproof. Bad actors can easily change a file's extension to disguise its true nature. To counteract this, "magic numbers" are very useful.
Think of magic numbers in this context, as a unique fingerprint embedded within a file that indicates its format regardless of the extension. It is a hexadecimal number which identifies the file type. Systems can use magic number "fingerprints" to verify if a .jpg file really is an image or something else entirely.
For example, the magic number to identify a jpg is FF D8 FF. An attacker may try to upload a windows executable file (.exe, magic number starting with 4D 5A) but changes the file extension to .jpg. A simple check of magic number would pick up on this discrepancy and prevent the upload.
Client-Side vs. Server-Side Checks: Ensuring Upload Security
When handling file uploads, security measures can be implemented both on the client side (in the user’s browser) and on the server side (where files are processed and stored). While both play a role, it’s crucial to understand their strengths and limitations.
Client-Side Checks: Convenience, But Not Security
Client-side checks, like JavaScript functions that validate file types and sizes, provide a quick way to enforce basic rules before files even reach the server. For instance, a simple JavaScript function might check a file's extension before allowing it to be uploaded:
Example Psuedo code:
function validateFileType(file) {
const allowedExtensions = ['jpg', 'jpeg', 'png', 'pdf'];
const fileExtension = file.name.split('.').pop().toLowerCase();
if (!allowedExtensions.includes(fileExtension)) {
alert('Invalid file type');
return false;
}
return true;
}
However, client-side checks are easily bypassed. Since these checks run in the user’s browser, an attacker can use a range of options to deceive:
Disable JavaScript: Simply use software to turn it off!
Use a software tool (e.g. Burpsuite, postman) to:
Modify/remove JavaScript checks, so any file type they choose can be downloaded, or to forge server requests (!) or bypass the browser entirely, so file goes directly to the server without JavaScript intervention.
Server-Side Checks: The Critical Line of Defence
While client-side checks improve user experience by quickly identifying issues, they are no substitute for secure server-side validation. An attacker can manipulate client-side checks in multiple ways, but they cannot directly alter server-side logic. Without strong server-side checks, a system becomes highly vulnerable to malicious files, as attackers can bypass client-side validation with ease.
Server-side checks are where true security enforcement happens. Unlike client-side checks, server-side controls can’t be bypassed by manipulating the browser, making them much more difficult to bypass and essential for effective file validation. Typical server-side checks:
File Extension and Magic Number Validation: Rather than trusting the file extension provided by the user, the server should inspect the file's contents. Magic numbers are far harder to fake than extensions, providing a more reliable check.
Server-Side Antivirus Scanning: Scanning files upon upload for known malware signatures can detect many malicious files before they’re stored or processed.
Setting File Size Limits: Enforcing a maximum file size on the server can prevent denial-of-service (DoS) attacks, where extremely large files are uploaded to overwhelm the server.
Authentication and Permissions Checks: Limiting file upload permissions to authenticated and authorized users helps prevent unauthorized file submissions.
Server-Side Checks: Stronger, But Not Un-hackable
While server-side checks form the backbone of upload security, it's essential to recognize that no system is completely un-hackable. Skilled attackers may find ways to bypass even the best server-side defences. For example:
Exploiting Software Vulnerabilities: Attackers may exploit vulnerabilities in the server software or libraries used for file handling, gaining unauthorized access or injecting malicious code.
Complex Payloads: Sophisticated attackers can embed malware within legitimate files or use less common file types to sneak harmful code through.
Therefore, although server-side checks raise the bar significantly, maintaining vigilance is still key - monitoring, patching, and regular audits are essential to identify and address any potential weak points in file upload handling.
Real-World Impact of Upload Vulnerabilities on Businesses
If a business does somehow allow unfiltered or improperly screened files into their system, they risk:
· Malware Attacks: Attackers might upload files with harmful scripts, like a hidden executable masquerading as an image.
· Data Theft: Some files can contain malicious code that, when opened, can steal data or capture login credentials.
· Privilege Escalation: A malicious file might exploit a system vulnerability to gain unauthorized access, leading to full system compromise.
Imagine that a cybercriminal has managed to upload a malicious PDF file into an SME which then exploits an unpatched vulnerability! The file could then enable the attacker to penetrate the SMEs systems, compromising customer data and damaging internal resources. Not good!
Securing File Uploads: Summary of Best Practices
1. Magic Number Validation: Always check the file's magic number to verify its true type. If the magic number doesn’t match the expected file extension, block the upload.
2. Whitelist File Types: Limit uploads to specific, safe file types (e.g., .pdf, .jpg). Avoid allowing potentially dangerous types like .exe or .js unless absolutely necessary.
3. Sanitize File Names: Strip out or validate special characters and long names to prevent injection attacks via file names.
4. Limit File Size: Large files can be used in denial-of-service (DoS) attacks. Set reasonable file size limits based on the business use case.
5. Implement Antivirus Scanning: Use antivirus software to scan files upon upload for known malware signatures.
6. Use Sandboxing: Open files in an isolated environment to detect any harmful behaviour before allowing further processing.
7. Do Regular Security Audits: Consistently review/update protocols for handling uploads, as threats evolve and new vulnerabilities arise.
Conclusion
The file upload feature in your business’s digital ecosystem is much like an entry gate, that encourages tempting “harmless” gifts. Robust security practices applied rigorously to those “gifts” are essential e.g. checking each gift file that arrives with magic numbers, using file-type whitelisting, server-side checks, and more.
With the right tools and processes, and user education, an SME can relatively cheaply protect its business from unexpected Trojan horses. In today’s cybersecurity landscape, diligent file screening isn’t just a safeguard; it’s an essential strategy to keep your organization and clients safe.
Useful links
Article on file Upload vulnerabilities:
Magic Number file extensions:
OWASP article on Unrestricted file uploads:
OWASP Cheat sheet on File upload best practices:
Comments