How to Secure Anonymous File Upload From Attacks

File upload security best practices: Cake a malicious file upload

Do your Web app users upload files to your servers? Notice out the dangers of malicious file uploads and learn six steps to stop file-upload attacks.

We need to permit our customers to upload files for one of our Web applications. What are the security implications of allowing users to upload files on our website?

The ability to upload files on a website is a common characteristic, often used to enable users or customers to upload documents and images. While this is useful in many situations, the security implications of hosting a file-upload facility are pregnant. Hither are some file upload security best practices.

Malicious file uploads
An ordinary user may employ the facility to upload the type of files expected. However, an assailant could take advantage of the facility with malicious file uploads.

There are two primal ways a website can be attacked by a file upload. The first fashion involves the type of file uploaded. A file could overwrite another file that already exists with the exact same name on the server. If this were a critical file, the new file could cause the website to function incorrectly, or not at all. The new file could be used to deface the website by replacing an existing page, or information technology could be used to edit the list of allowed file types in order to brand farther attacks simpler.

The 2nd way a website could be attacked by a malicious file upload involves the content of the uploaded file. The uploaded file could incorporate malicious code in the form of an exploit, virus, Trojan or malware, which could be used to gain control of the Web server. For example, it is possible to hide PHP code inside an image file and withal have it appear to be an prototype. When the image is opened, it as well executes the code hidden in the file. The file could contain scripts or tags that exploit other well-known Web awarding vulnerabilities, such every bit cross-site scripting (XSS).

Alternatively, the file space of the Web server could be exhausted past the aggressor uploading a huge file.

If the uploaded file can be accessed by entering a specific URL path, it could be especially dangerous because the file could be executed immediately after uploading.

Defending against file upload attacks
There are half dozen steps to protecting a website from file-upload attacks.

1. The application should use a whitelist of allowed file types. This listing determines the types of files that can be uploaded, and rejects all files that practise not friction match approved types.
2. The application should use client- or server-side input validation to ensure evasion techniques accept non been used to bypass the whitelist filter. These evasion techniques could include appending a 2d file type to the file name (e.g. prototype.jpg.php) or using trailing space or dots in the file name.
3. The application should set a maximum length for the file name, and a maximum size for the file itself.
4. The directory to which files are uploaded should be outside of the website root.
5. All uploaded files should exist scanned by antivirus software before they are opened.
6. The application should not use the file name supplied by the user. Instead, the uploaded file should be renamed according to a predetermined convention.

While these techniques cannot guarantee a website will never exist attacked from a malicious file upload, they volition get a long way toward protecting the website while still providing users with the benefits of uploading files when needed.

Related Q&A from Rob Shapland

Techniques for preventing a fauna forcefulness login attack

A beast force login attack can enable an assailant to log in to an application and steal information. Rob Shapland explains how to foreclose brute force ...  Continue Reading

File upload security all-time practices: Block a malicious file upload

Exercise your Spider web app users upload files to your servers? Find out the dangers of malicious file uploads and acquire six steps to finish file-upload attacks.  Continue Reading

Session fixation protection: How to stop session fixation attacks

Session fixation attacks rely on poorly managed Spider web awarding cookies. Rob Shapland answers a reader'due south question on session fixation protection.  Go on Reading

Read more than on Hackers and cybercrime prevention

• 

  Node.js file upload example with Ajax and JavaScript

  

  By: Cameron McKenzie

• 

  An instance Ajax file upload with pure JavaScript

  

  By: Cameron McKenzie

• 

  A simple Struts 2 file upload case

  

  By: Cameron McKenzie

• 

  How to create an HTML5 and PHP file upload form for Apache

  

  Past: Cameron McKenzie

munozcaved1955.blogspot.com

Source: https://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload

Share this post