Describe How to Protect a Server From Malicious Content When a User Uploads a File.

File upload security best practices: Block a malicious file upload

Do your Web app users upload files to your servers? Find out the dangers of malicious file uploads and learn six steps to stop file-upload attacks.

We need to allow our customers to upload files for one of our Web applications. What are the security implications of allowing users to upload files on our website?

The ability to upload files on a website is a common feature, often used to enable users or customers to upload documents and images. While this is useful in many situations, the security implications of hosting a file-upload facility are significant. Here are some file upload security best practices.

Malicious file uploads
An ordinary user may use the facility to upload the type of files expected. However, an attacker could take advantage of the facility with malicious file uploads.

There are two fundamental ways a website can be attacked by a file upload. The first way involves the type of file uploaded. A file could overwrite another file that already exists with the exact same name on the server. If this were a critical file, the new file could cause the website to function incorrectly, or not at all. The new file could be used to deface the website by replacing an existing page, or it could be used to edit the list of allowed file types in order to make further attacks simpler.

The second way a website could be attacked by a malicious file upload involves the content of the uploaded file. The uploaded file could contain malicious code in the form of an exploit, virus, Trojan or malware, which could be used to gain control of the Web server. For instance, it is possible to hide PHP code inside an image file and still have it appear to be an image. When the image is opened, it also executes the code hidden in the file. The file could contain scripts or tags that exploit other well-known Web application vulnerabilities, such as cross-site scripting (XSS).

Alternatively, the file space of the Web server could be exhausted by the attacker uploading a huge file.

If the uploaded file can be accessed by entering a specific URL path, it could be especially dangerous because the file could be executed immediately afterward uploading.

Defending against file upload attacks
There are six steps to protecting a website from file-upload attacks.

  1. The application should apply a whitelist of allowed file types. This list determines the types of files that can be uploaded, and rejects all files that do not match approved types.
  2. The application should use client- or server-side input validation to ensure evasion techniques have not been used to bypass the whitelist filter. These evasion techniques could include appending a second file type to the file name (e.g. image.jpg.php) or using trailing spaces or dots in the file name.
  3. The application should set a maximum length for the file name, and a maximum size for the file itself.
  4. The directory to which files are uploaded should be outside of the website root.
  5. All uploaded files should be scanned by antivirus software before they are opened.
  6. The application should not use the file name supplied by the user. Instead, the uploaded file should be renamed according to a predetermined convention.

While these techniques cannot guarantee a website will never be attacked from a malicious file upload, they will go a long way toward protecting the website while still providing users with the benefits of uploading files when needed.
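The following Python upload handler is an added example that implements the six steps above in one place; it is not code from the original article. It assumes an extension allowlist paired with the magic bytes each type must start with, a 5 MiB size cap, a 64-character name limit, UUID-based renaming, and a temporary directory standing in for the real upload directory outside the web root; the `scanner` argument is a hypothetical antivirus hook. Note that only the server-side checks count for step 2, because anything done in the browser can be bypassed by a client that does not run it.

```python
import os
import tempfile
import uuid

# Step 1: allowlist of permitted extensions, each paired with the magic bytes
# its content must start with (values constructed for this example).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
MAX_NAME_LEN = 64                 # step 3: longest accepted file name (assumed)
MAX_FILE_SIZE = 5 * 1024 * 1024   # step 3: 5 MiB cap (assumed)


def check_name(name):
    """Return the allowlisted extension, or raise ValueError describing why
    the supplied name is rejected (steps 1-3)."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("name empty or longer than %d" % MAX_NAME_LEN)
    if any(ord(c) < 32 for c in name):
        raise ValueError("control character in name")       # NUL-byte tricks
    if "/" in name or "\\" in name:
        raise ValueError("path separator in name")          # traversal attempts
    if name != name.rstrip(" ."):
        raise ValueError("trailing space or dot")           # step 2 evasion
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension required")  # rejects image.jpg.php
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension %r not allowlisted" % ext)
    return ext


def check_content(data, ext):
    """Raise ValueError if the bytes do not look like the declared type
    or exceed the size cap (steps 1 and 3)."""
    if len(data) > MAX_FILE_SIZE:
        raise ValueError("file exceeds %d bytes" % MAX_FILE_SIZE)
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    if b"<?php" in data or b"<script" in data.lower():
        # Cheap marker check for the "PHP inside an image" case; the real
        # protection is that nothing in the upload directory is executable.
        raise ValueError("script marker inside file")


def store_upload(name, data, upload_dir, scanner=None):
    """Validate and store one upload; returns the new path or raises ValueError.
    upload_dir must sit outside the web root (step 4); scanner is a hypothetical
    antivirus hook returning True when the bytes are clean (step 5)."""
    ext = check_name(name)
    check_content(data, ext)
    if scanner is not None and not scanner(data):
        raise ValueError("antivirus scan rejected the file")
    dest = os.path.join(upload_dir, "%s.%s" % (uuid.uuid4().hex, ext))  # step 6
    # O_EXCL guarantees an existing file is never overwritten.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def run_demo():
    """Feed constructed uploads through store_upload; returns {name: outcome}."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16                # constructed JPEG header
    samples = {
        "holiday.JPG": jpeg,                                  # legitimate upload
        "image.jpg.php": jpeg,                                # double extension
        "image.jpg ": jpeg,                                   # trailing space
        "shell.php": b"<?php echo 'x'; ?>",                   # type not allowed
        "poly.jpg": jpeg + b"<?php echo 'x'; ?>",             # PHP hidden in an image
        "../etc/passwd.png": b"\x89PNG\r\n\x1a\n",            # path traversal
        "big.pdf": b"%PDF-" + b"A" * (MAX_FILE_SIZE + 1),     # oversized
    }
    upload_dir = tempfile.mkdtemp()   # stands in for a directory outside the web root
    results = {}
    for name, data in samples.items():
        try:
            path = store_upload(name, data, upload_dir)
            results[name] = "stored as " + os.path.basename(path)
        except ValueError as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print("%-20s %s" % (name, outcome))
```

The name check runs before any bytes are inspected, so a rejected name costs nothing beyond string handling, and the size check runs before the magic-byte comparison so an oversized file is thrown away without being parsed. Because the stored name is a fresh UUID and the file is opened with `O_EXCL`, neither the overwrite attack nor a collision between two users' uploads is possible.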


Source: https://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload
