File Upload Vulnerability of Web Applications
In this article, we are going to learn about one more attack vector in detail which are very important to learn in this world of lots of Web and Mobile Apps.
File Upload Vulnerability:
In almost every web application there is functionality for uploading files. This file may be in the form of text, video, image, etc. However many web application does not have proper security check during uploading files and this results in a vulnerability called File Upload Vulnerability. This one simple vulnerability leads to server-side scripting, arbitrary code execution, cross-site scripting, and CSRF attacks.
Even though some applications have proper checks on uploading files but still these security checks have bypass methods to exploit this vulnerability. These bypasses are as follows.
1. Case-sensitive extension bypass: Web/Mobile application developers may add a blacklist of certain extensions which are harmful according to the developer. But sometimes developers forgot whether their extension security check is case sensitive or not and anyone can bypass security checks by making extensions of files as a combination of lowercase and uppercase character to bypass security checks. As a developer, it is good practice to check extension verification and always consider the case sensitivity of file extension. Example: .PDF, .XML, .Sh, php.
2. Image content Verification bypass: As a security concern developers always check the content of the image to match with one of the valid file types. In PHP there are many functions to validate files. One of the function is getimagesize() which basically read the file and return the size. In case of an invalid file, it returns the error message. There are techniques that can bypass this protection. Consider the following code which uploads a file.
An attacker can bypass such checks by embedding PHP code inside the comment section of the JPG file and after that uploading file with a .php extension, this can easily bypass the checks mentioned in the above code. There are more techniques available for File verification bypasses. A developer always takes care of all these bypasses during implementing the feature of file upload.
Pixel Flood Using Malicious Image File:
This is sub attack under the File Upload Vulnerability, this attack mainly exploits the method of image parsing. During performing this attack malicious user takes a valid JPG or JPEG file with the original dimension then the attacker changes the dimension of the image to a very large scale like 1000000 ×1000000 by using some automated tool by uploading such a large file image parser to allocate very large memory to it and results into server crash or out of memory situation.
Malicious zTXT field of PNG files:
The PNG file format contains a section, called zTXT, that allows Zlib compressed data to be added to a PNG file. The technique here is that a large amount of repeated data, such as a series of zeros, are created, weighing over 70MB, and then are DEFLATE compressed through zlib, resulting in compressed data of a few KBs. This is then added to the zTXT section of any regular PNG file. Sending repeated requests of this kind causes similar memory exhaustion as we’ve seen in the previous two examples. This issue affected the Paperclip gem as well.
Malicious GIF file – frame flood:
This technique is similar to the previous technique, a malicious GIF is used to allocate a large amount of memory, and eventually, uses a large amount of server memory. A GIF file contains a set of animations in the form of various image frames. Instead of flipping the pixels, we add a very large amount of GIF frames, say 45,000-90,000. When parsing each frame, memory is allocated and eventually chokes up the server.
How To Avoid File Upload Vulnerability:
- Always check the extension of files with their case sensitivity.
- Filter the content of the file before uploading it to the server.
- Don’t give the executable permission to upload the file.
- Always store the uploaded file in the non-public directory.
Please Login to comment...