If a web application with client-side file upload capability isn’t designed with stringent enough content verification policies, it can become an easy target for arbitrary file upload (also referred to as unrestricted file upload) attacks.
In this article, we’ll take a closer look at how these attacks work, what outcomes they can have, and how they can be prevented.
Understanding File Upload Vulnerabilities
When we say a web application is vulnerable to arbitrary file upload threats, we mean it doesn’t adequately validate and restrict the files it allows client-side users to submit to the web server.
Generally speaking, the capabilities of web servers responsible for processing client-side file uploads are limited by rational cost-efficiency considerations (such as memory usage, energy consumption, etc.). As a result, most web server processes will “assume” incoming files have been investigated to ensure they conform to a certain set of standards regarding important properties like file name, file type, file size, and file content. Processing files with unexpected properties can lead to unpredictable outcomes that may give untrusted clients some level of control over privileged server-side processes.
Let’s use a basic image processing web application as an example, and let's say this application is designed to handle client-side file uploads in JPG format. When a legitimate and properly sized JPG file is uploaded to the image processing web application server, the server will carry out a normal series of actions to satisfy the client request. It might parse and render the image for display in some location on a web page, and/or it might submit that file to a certain storage location.
If that server is asked to process a greatly oversized JPG file instead, however, it might over-consume its allocated resources and fail while attempting to carry out its normal series of parsing, rendering, or storing actions, leading to an application crash or out-of-bounds memory overwrite.
Further, if the server receives a disguised script or executable file instead of a valid JPG file (e.g., “sample_image.php.jpg”), it might take a few different actions depending on how the server is specifically configured to handle scripts or executables. It might return an error message to the client that divulges sensitive information about the server, it might execute the file’s contents outright, or it might indiscriminately pass the file on to the usual sensitive storage location.
Understanding Outcomes from Arbitrary File Upload Attacks
The outcomes of unrestricted file upload attacks vary depending on the way servers handle unexpected content.
Carrying on the earlier example, a server crashing from processing an oversized JPG file might result in a Denial-of-Service (DOS) attack. The threat actor responsible for this attack might be aiming to damage the reputation of the web application’s proprietor or otherwise disrupt operations in a meaningful way.
Processing scripts or executables might have far more severe consequences.
If a threat actor receives a detailed error message from submitting an executable file to the web server, they might learn crucial information about the server’s configuration which can help them plan and execute a subsequent targeted attack.
If the target server is configured to execute a certain type of script outright, they might be able to execute arbitrary commands and take control of the server with very little effort. If the attacker's executable file is stored in a sensitive location, they might be able to remotely trigger the file’s executable content through a later HTTP request and take some degree of control over the web server. This may give the attacker the ability to steal or delete sensitive data and possibly launch subsequent attacks using the compromised server as part of a larger network (i.e., Botnet attacks).
Preventing Arbitrary File Upload Attacks
Mitigating unrestricted file upload attacks is easier said than done. When web application developers set out to build applications with client-side upload capabilities, they typically implement what they believe to be a rigorous set of controls to protect the web server from file upload attacks. Sometimes these controls are adequate, and sometimes they leave applications with gaps that threat actors can exploit if they look hard enough.
It’s critical that developers keep technologies up to date and incorporate redundancy into their security controls to prevent unrestricted file upload attacks from occurring.
Defending Against Arbitrary File Upload Attacks with Cloudmersive
The Cloudmersive Advanced Virus Scan API offers 360-degree content verification to identify arbitrary file upload threats before files reach target applications and/or after files reach sensitive cloud storage locations. Available as a no-code or low-code solution, this API detects and provides the option set custom rules against threats including scripts, executables, invalid files, HTML, insecure deserialization, unsafe archives, and more.
For more information on the Cloudmersive Advanced Virus Scan API, please feel free to reach out to a member of our team.