https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Soroush+DaliliOWASP - User contributions [en]2026-05-28T10:11:16ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=222893Unrestricted File Upload2016-11-01T15:52:31Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.<br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. <br />
<br />
There are really two classes of problems here. The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.<br />
<br />
The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyse everything your application does with files and think carefully about what processing and interpreters are involved.<br />
<br />
== Risk Factors ==<br />
<br />
* The impact of this vulnerability is high, supposed code can be executed in the server context or on the client side. The likelihood of detection for the attacker is high. The prevalence is common. As a result the severity of this type of vulnerability is high.<br />
* It is important to check a file upload module's access controls to examine the risks properly.<br />
* Server-side attacks: The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, or exploit the local vulnerabilities, and so forth.<br />
* Client-side attacks: Uploading malicious files can make the website vulnerable to client-side attacks such as [[Cross-site Scripting (XSS)|XSS]] or Cross-site Content Hijacking.<br />
* Uploaded files can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (can again lead to client-side or server-side attacks)<br />
* Uploaded files might trigger vulnerabilities in broken libraries/applications on the client side (e.g. iPhone MobileSafari LibTIFF Buffer Overflow).<br />
* Uploaded files might trigger vulnerabilities in broken libraries/applications on the server side (e.g. ImageMagick flaw that called ImageTragick!).<br />
* Uploaded files might trigger vulnerabilities in broken real-time monitoring tools (e.g. Symantec antivirus exploit by unpacking a RAR file)<br />
* A malicious file such as a Unix shell script, a windows virus, an Excel file with a dangerous formula, or a reverse shell can be uploaded on the server in order to execute code by an administrator or webmaster later -- on the victim's machine.<br />
* An attacker might be able to put a phishing page into the website or deface the website.<br />
* The file storage server might be abused to host troublesome files including malwares, illegal software, or adult contents. Uploaded files might also contain malwares' command and control data, violence and harassment messages, or steganographic data that can be used by criminal organisations.<br />
* Uploaded sensitive files might be accessible by unauthorised people.<br />
* File uploaders may disclose internal information such as server internal paths in their error messages.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
* Upload .jsp file into web tree - jsp code executed as the web user <br />
* Upload .gif file to be resized - image library flaw exploited <br />
* Upload huge files - file space denial of service <br />
* Upload file using malicious path or name - overwrite a critical file <br />
* Upload file containing personal data - other users access it <br />
* Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
* Upload .rar file to be scanned by antivirus - command executed on a server running the vulnerable antivirus software<br />
<br />
=== Attacks on other systems ===<br />
<br />
* Upload .exe file into web tree - victims download trojaned executable <br />
* Upload virus infected file - victims' machines infected <br />
* Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
* Upload .jpg file containing a Flash object - victim experiences Cross-site Content Hijacking.<br />
* Upload .rar file to be scanned by antivirus - command executed on a client running the vulnerable antivirus software<br />
<br />
<br />
== Weak Protections and Bypassing Methods ==<br />
<br />
=== Blacklisting File Extensions ===<br />
<br />
This protection might be bypassed by:<br />
<br />
* Finding missed extensions that can be executed on the server side or can be dangerous on the client side (e.g. ".php5", ".pht", ".phtml", ".shtml", ".asa", ".cer", ".asax", ".swf", or ".xap").<br />
* Finding flaws in a web server configuration when it parses files with double extensions or it executes them by providing a sensitive extension after a delimiter such as "/" or ";" character (e.g. "/file.jpg/index.php" when the "file.jpg" file contains PHP code and has been uploaded)<br />
** In Apache, a php file might be executed using the double extension technique such as "file.php.jpg" when ".jpg" is allowed. <br />
** In IIS6 (or prior versions), a script file can be executed by using one of these two methods:<br />
*** by adding a semi-colon character after the forbidden extension and before the permitted one (e.g. "file.asp;.jpg")<br />
*** by renaming a script file's extension (e.g. ".asp") to an allowed extension (e.g. ".txt") in a folder that its name ends with the script's extension (e.g. "folder.asp\file.txt"). In Windows, it is possible to create a directory by using a file uploader and ADS (Alternate Data Stream). In this method, a filename that ends with "::$Index_Allocation" or ":$I30:$Index_Allocation" makes the file uploader to create a directory rather than a file (e.g. "folder.asp::$Index_Allocation" creates "folder.asp" as a directory).<br />
* Changing a number of letters to their capital forms to bypass case sensitive rules (e.g. "file.aSp" or "file.PHp3").<br />
* Using Windows 8.3 feature, it is possible to replace the existing files by using their shortname (e.g. "web.config" can be replaced by "web~1.con" or ".htaccess" can be replaced by "HTACCE~1")<br />
* Finding characters that are converted to other useful characters during the file upload process. For instance, when running PHP on IIS, the ">", "<", and double quote " characters respectively convert to "?", "*", and "." characters that can be used to replace existing files (e.g. "web<<" can replace the "web.config" file). In order to include the double quote character in the filename in a normal file upload request, the filename in the "Content-Disposition" header should use single quotes (e.g. filename='web"config' to replace the "web.config" file).<br />
* Finding neutral characters after a filename such as trailing spaces and dots in Windows filesystem or dot and slash characters in a Linux filesystem. These characters at the end of a filename will be removed automatically (e.g. "file.asp ... ... . . .. ..", "file.asp ", or "file.asp."). Although slash or backslash characters are also normally problematic characters, they can be ignored in a normal file upload request as anything before these characters may count as the directory name on the server-side; that said, they should be tried for a thorough test (e.g. "test.php/" or "test.php.\").<br />
* Finding flaws in extension detection techniques. A web server may use the first extension after the first dot (".") in the provided filename or use a flawed algorithm to detect the extension when there is none or multiple dot characters (e.g. "file.txt.jpg.php"). <br />
* Using control characters such as null character (0x00) after a forbidden extension and before a permitted one may lead to a bypass. In this method, all the strings after the Null character will be discarded when saving the files. Both URL-encoded and decoded version of the null character should be tried in a file upload request for a thorough test. <br />
* Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")<br />
* Flaws in the protection mechanism when it replaces dangerous extensions. For instance, "file.p.phphp" might be changed to "file.php" after going through this functionality.<br />
* Flaws in the uploaded file usage for instance when a PHP application uses the "include" function to show the uploaded images.<br />
* Combination of the above techniques.<br />
<br />
=== Whitelisting File Extensions ===<br />
<br />
Applications that check the file extensions using a whitelist method also need to validate the full filename to prevent any bypass. <br />
<br />
* The list of permitted extensions should be reviewed as it can contain malicious extensions as well. For instance, in case of having ".shtml" in the list, the application can be vulnerable to SSI attacks.<br />
* Some of the bypass techniques for the blacklist methods such as using double extensions are also applicable here and should be checked. <br />
<br />
=== "Content-Type" Header Validation ===<br />
<br />
"Content-Type" entity in the header of the request indicates the Internet media type of the message content. Sometimes web applications use this parameter in order to recognise a file as a valid one. For instance, they only accept the files with the "Content-Type" of "text/plain". <br />
<br />
* It is possible to bypass this protection by changing this parameter in the request header using a web proxy.<br />
<br />
=== Using a File Type Detector ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the file types in order to process them further. For instance, when an application resize an image file, it may just show an error message when non-image files are uploaded without saving them on the server. <br />
<br />
* If it reads the few first characters (or headers), it can be bypassed by inserting malicious code after some valid header or within the file's metadata. <br />
* Inserting code in the comments section or those section that have no effect on the main file can also lead to a bypass.<br />
* The inserted data can be obfuscated or encoded if the application detects a malicious code using specific patterns or signatures.<br />
* Uploaded file can be crafted to create a malicious code in case of being compressed by the application.<br />
<br />
=== Other Interesting Test Cases ===<br />
<br />
* Uploading a file when another file with the same name already exists. This may show interesting error messages that can lead to information disclosure. Logical flaws might be found if the application renames the new file to keep it on the server.<br />
* Uploading a file when another folder with the same name already exists. This may show interesting error messages that can lead to information disclosure. <br />
* Uploading a file with a long name. This may show interesting error messages that can lead to information disclosure.<br />
* Uploading a file multiple times at the same time. This may show interesting error messages that can lead to information disclosure. <br />
* Uploading valid and invalid files in different formats such as compressed or XML files to detect any possible processing on the server side. <br />
* Uploading a file with ".", "..", or "..." as its name. For instance, in Apache in Windows, if the application saves the uploaded files in "/www/uploads/" directory, the "." filename will create a file called "uploads" in the "/www/" directory.<br />
* Uploading files that may not be deleted easily such as "...:.jpg" in NTFS that makes the "..." file (this file can be deleted using command line). This may show interesting error messages that can lead to information disclosure.<br />
* Uploading a file in Windows with invalid characters such as |<>*?" in its name. This may show interesting error messages that can lead to information disclosure. <br />
* Uploading a file in Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. This may show interesting error messages that can lead to information disclosure. Uploading a file with a reserved name may lead to denial of service if the application keeps the name and tries to save it with another extension (detecting it wrongly as an existing file).<br />
* Cross-site content hijacking issues can be exploited by uploading a file with allowed name and extension but with Flash, PDF, or Silverlight contents. <br />
* Uploading a "crossdomain.xml" or "clientaccesspolicy.xml" file can make a website vulnerable to cross-site content hijacking. These files should be uploaded to the root of the website to work. However, the "crossdomain.xml" file can be in a subdirectory as long as it is allowed in the root "crossdomain.xml" file.<br />
<br />
=== Important Notes in Testing File Uploaders ===<br />
<br />
* Do not try to replace the existing files during testing unless it is safe to proceed. For instance, replacing configuration files such as "web.config" or ".htaccess" file can lead to a denial of service attack for the whole website.<br />
<br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
* IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
* Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
* IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
* Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
* Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
* IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
* The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality.<br />
* Never accept a filename and its extension directly without having a whitelist filter.<br />
* The application should perform filtering and content checking on any files which are uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users. If in doubt, the file should be discarded.<br />
* It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a "select case" syntax (in case of having VBScript) to choose the file extension in regards to the real file extension.<br />
* All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as ";", ":", ">", "<", "/" ,"\", additional ".", "*", "%", "$", and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
* Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
* It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
* Uploaded directory should not have any "execute" permission and all the script handlers should be removed from these directories.<br />
* Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
* Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
* Use Cross Site Request Forgery protection methods.<br />
* Prevent from overwriting a file in case of having the same hash for both.<br />
* Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
* Try to use POST method instead of PUT (or GET!)<br />
* Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
* In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
* If it is possible, consider saving the files in a database rather than on the filesystem.<br />
* If files should be saved in a filesystem, consider using an isolated server with a different domain to serve the uploaded files. <br />
* File uploaders should be only accessible to authenticated and authorised users if possible.<br />
* Write permission should be removed from files and folders other than the upload folders. The upload folders should not serve any <br />
* Ensure that configuration files such as ".htaccess" or "web.config" cannot be replaced using file uploaders. Ensure that appropriate settings are available to ignore the ".htaccess" or "web.config" files if uploaded in the upload directories.<br />
* Ensure that files with double extensions (e.g. "file.php.txt") cannot be executed especially in Apache.<br />
* Ensure that uploaded files cannot be accessed by unauthorised users.<br />
* Adding the "Content-Disposition: Attachment" and "X-Content-Type-Options: nosniff" headers to the response of static files will secure the website against Flash or PDF-based cross-site content-hijacking attacks. It is recommended that this practice be performed for all of the files that users need to download in all the modules that deal with a file download. Although this method does not fully secure the website against attacks using Silverlight or similar objects, it can mitigate the risk of using Adobe Flash and PDF objects, especially when uploading PDF files is permitted.<br />
* Flash/PDF (crossdomain.xml) or Silverlight (clientaccesspolicy.xml) cross-domain policy files should be removed if they are not in use and there is no business requirement for Flash or Silverlight applications to communicate with the website.<br />
* Browser caching should be disabled for the corssdomain.xml and clientaccesspolicy.xml files. This enables the website to easily update the file or restrict access to the Web services if necessary. Once the client access policy file is checked, it remains in effect for the browser session so the impact of non-caching to the end-user is minimal. This can be raised as a low or informational risk issue based on the content of the target website and security and complexity of the policy file(s).<br />
* CORS headers should be reviewed to only be enabled for static or publicly accessible data. Otherwise, the "Access-Control-Allow-Origin" header should only contain authorised addresses. Other CORS headers such as "Access-Control-Allow-Credentials" should only be used when they are required. Items within the CORS headers such as "Access-Control-Allow-Methods" or "Access-Control-Allow-Headers" should be reviewed and removed if they are not required.<br />
<br />
<br />
== Related [[Attacks]] ==<br />
<br />
* [[Path Traversal]]<br />
* [[Path Manipulation]]<br />
* [[Relative Path Traversal]]<br />
* [[Windows_::DATA_alternate_data_stream]]<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[:Category:Input Validation Vulnerability]]<br />
<br />
== Related [[Controls]] ==<br />
<br />
* [[:Category:Input Validation]]<br />
<br />
== Related [[Threat Agent]] ==<br />
<br />
* [[:Category:External Threat Agent]]<br />
* [[:Category:Internal Threat Agent]]<br />
* [[:Category:Internet attacker]]<br />
* [[:Category:Intranet attacker]]<br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
* [[System Access]]<br />
* [[Security Bypass]]<br />
* [[Exposure of system information]]<br />
* [[Exposure of sensitive information]]<br />
* [[Client Side Threat]]<br />
<br />
== References ==<br />
<br />
* Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 [http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ ]<br />
* 8 basic rules to implement secure file uploads - SANS - [http://software-security.sans.org/blog/2009/12/28/8-basic-rules-to-implement-secure-file-uploads]<br />
* IIS6/ASP & file upload for fun and profit [http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/]<br />
* Secure file upload in PHP web applications [http://www.net-security.org/dl/articles/php-file-upload.pdf]<br />
* Potentially Dangerous File Types [http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf]<br />
* Image Upload XSS [http://ha.ckers.org/blog/20070603/image-upload-xss/]<br />
* Code Execution Through Filenames in Uploads [http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/]<br />
* Secure File Upload Check List With PHP [http://hungred.com/useful-information/secure-file-upload-check-list-php/]<br />
* NTFS in WikiPedia [http://en.wikipedia.org/wiki/NTFS]<br />
* NTFS Streams [http://msdn.microsoft.com/en-us/library/ff469210(v=PROT.10).aspx]<br />
* NTFS - Glossary [http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html]<br />
* IIS 6.0 Security Best Practices [http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
* Securing Sites with Web Site Permissions [http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
* IIS 6.0 Operations Guide [http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
* Improving Web Application Security: Threats and Countermeasures [http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
* Understanding the Built-In User and Group Accounts in IIS 7.0 [http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
* IIS Security Checklist [http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
* Microsoft IIS ASP Multiple Extensions Security Bypass [http://secunia.com/advisories/37831/]<br />
* CVE-2009-4444 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444]<br />
* CVE-2009-4445 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445]<br />
* CVE-2009-1535 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535]<br />
* MSDN - Naming Files, Paths, and Namespaces [https://msdn.microsoft.com/en-gb/library/windows/desktop/aa365247(v=vs.85).aspx]<br />
* Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack) [https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/]<br />
* Cross-Site Content (Data) Hijacking (XSCH) PoC Project [https://github.com/nccgroup/CrossSiteContentHijacking]<br />
* iPhone MobileSafari LibTIFF Buffer Overflow [https://www.exploit-db.com/exploits/16862/]<br />
* ImageMagick Is On Fire-CVE-2016–3714 [https://imagetragick.com/]<br />
* Symantec Antivirus multiple remote memory corruption unpacking RAR CVE-2016-2207 [https://bugs.chromium.org/p/project-zero/issues/detail?id=810]<br />
* File in the hole - HackPra Nov. 2012 [https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf]<br />
* Self contained web shells and other attacks via .htaccess files [https://github.com/wireghoul/htshells]<br />
* Upload a web.config File for Fun & Profit [https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/]<br />
* PHP filesystem attack vectors - Take Two [http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/]<br />
* File Upload and PHP on IIS: >=? and <=* and "=. [https://soroush.secproject.com/blog/2014/07/file-upload-and-php-on-iis-wildcards/]<br />
<br />
<br />
== Authors ==<br />
* [[User:Soroush Dalili|Soroush Dalili]]<br />
* [[User:Dirk Wetter|Dirk Wetter]]<br />
* [[User:Landon Mayo|Landon Mayo]]<br />
* [[User:OWASP|OWASP]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:File System]]<br />
[[Category:Windows]]<br />
[[Category:Unix]]<br />
[[Category:Use of Dangerous API]]<br />
[[Category:Vulnerability]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=222892Unrestricted File Upload2016-11-01T15:48:34Z<p>Soroush Dalili: Updating the materials to include more test cases / recommendations / references</p>
<hr />
<div>{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.<br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. <br />
<br />
There are really two classes of problems here. The first is with the file metadata, like the path and file name. These are generally provided by the transport, such as HTTP multi-part encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.<br />
<br />
The other class of problem is with the file size or content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyse everything your application does with files and think carefully about what processing and interpreters are involved.<br />
<br />
== Risk Factors ==<br />
<br />
* The impact of this vulnerability is high, supposed code can be executed in the server context or on the client side. The likelihood of detection for the attacker is high. The prevalence is common. As a result the severity of this type of vulnerability is high.<br />
* It is important to check a file upload module's access controls to examine the risks properly.<br />
* Server-side attacks: The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, or exploit the local vulnerabilities, and so forth.<br />
* Client-side attacks: Uploading malicious files can make the website vulnerable to client-side attacks such as [[Cross-site Scripting (XSS)|XSS]] or Cross-site Content Hijacking.<br />
* Uploaded files can be abused to exploit other vulnerable sections of an application when a file on the same or a trusted server is needed (can again lead to client-side or server-side attacks)<br />
* Uploaded files might trigger vulnerabilities in broken libraries/applications on the client side (e.g. iPhone MobileSafari LibTIFF Buffer Overflow).<br />
* Uploaded files might trigger vulnerabilities in broken libraries/applications on the server side (e.g. ImageMagick flaw that called ImageTragick!).<br />
* Uploaded files might trigger vulnerabilities in broken real-time monitoring tools (e.g. Symantec antivirus exploit by unpacking a RAR file)<br />
* A malicious file such as a Unix shell script, a windows virus, an Excel file with a dangerous formula, or a reverse shell can be uploaded on the server in order to execute code by an administrator or webmaster later -- on the victim's machine.<br />
* An attacker might be able to put a phishing page into the website or deface the website.<br />
* The file storage server might be abused to host troublesome files including malwares, illegal software, or adult contents. Uploaded files might also contain malwares' command and control data, violence and harassment messages, or steganographic data that can be used by criminal organisations.<br />
* Uploaded sensitive files might be accessible by unauthorised people.<br />
* File uploaders may disclose internal information such as server internal paths in their error messages.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
* Upload .jsp file into web tree - jsp code executed as the web user <br />
* Upload .gif file to be resized - image library flaw exploited <br />
* Upload huge files - file space denial of service <br />
* Upload file using malicious path or name - overwrite a critical file <br />
* Upload file containing personal data - other users access it <br />
* Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
* Upload .rar file to be scanned by antivirus - command executed on a server running the vulnerable antivirus software<br />
<br />
=== Attacks on other systems ===<br />
<br />
* Upload .exe file into web tree - victims download trojaned executable <br />
* Upload virus infected file - victims' machines infected <br />
* Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
* Upload .jpg file containing a Flash object - victim experiences Cross-site Content Hijacking.<br />
* Upload .rar file to be scanned by antivirus - command executed on a client running the vulnerable antivirus software<br />
<br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Blacklisting File Extensions ===<br />
<br />
This protection might be bypassed by:<br />
<br />
* Finding missed extensions that can be executed on the server side or can be dangerous on the client side (e.g. ".php5", ".pht", ".phtml", ".shtml", ".asa", ".cer", ".asax", ".swf", or ".xap").<br />
* Finding flaws in a web server configuration when it parses files with double extensions or it executes them by providing a sensitive extension after a delimiter such as "/" or ";" character (e.g. "/file.jpg/index.php" when the "file.jpg" file contains PHP code and has been uploaded)<br />
** In Apache, a php file might be executed using the double extension technique such as "file.php.jpg" when ".jpg" is allowed. <br />
** In IIS6 (or prior versions), a script file can be executed by using one of these two methods:<br />
*** by adding a semi-colon character after the forbidden extension and before the permitted one (e.g. "file.asp;.jpg")<br />
*** by renaming a script file's extension (e.g. ".asp") to an allowed extension (e.g. ".txt") in a folder that its name ends with the script's extension (e.g. "folder.asp\file.txt"). In Windows, it is possible to create a directory by using a file uploader and ADS (Alternate Data Stream). In this method, a filename that ends with "::$Index_Allocation" or ":$I30:$Index_Allocation" makes the file uploader to create a directory rather than a file (e.g. "folder.asp::$Index_Allocation" creates "folder.asp" as a directory).<br />
* Changing a number of letters to their capital forms to bypass case sensitive rules (e.g. "file.aSp" or "file.PHp3").<br />
* Using Windows 8.3 feature, it is possible to replace the existing files by using their shortname (e.g. "web.config" can be replaced by "web~1.con" or ".htaccess" can be replaced by "HTACCE~1")<br />
* Finding characters that are converted to other useful characters during the file upload process. For instance, when running PHP on IIS, the ">", "<", and double quote " characters respectively convert to "?", "*", and "." characters that can be used to replace existing files (e.g. "web<<" can replace the "web.config" file). In order to include the double quote character in the filename in a normal file upload request, the filename in the "Content-Disposition" header should use single quotes (e.g. filename='web"config' to replace the "web.config" file).<br />
* Finding neutral characters after a filename such as trailing spaces and dots in Windows filesystem or dot and slash characters in a Linux filesystem. These characters at the end of a filename will be removed automatically (e.g. "file.asp ... ... . . .. ..", "file.asp ", or "file.asp."). Although slash or backslash characters are also normally problematic characters, they can be ignored in a normal file upload request as anything before these characters may count as the directory name on the server-side; that said, they should be tried for a thorough test (e.g. "test.php/" or "test.php.\").<br />
* Finding flaws in extension detection techniques. A web server may use the first extension after the first dot (".") in the provided filename or use a flawed algorithm to detect the extension when there is none or multiple dot characters (e.g. "file.txt.jpg.php"). <br />
* Using control characters such as null character (0x00) after a forbidden extension and before a permitted one may lead to a bypass. In this method, all the strings after the Null character will be discarded when saving the files. Both URL-encoded and decoded version of the null character should be tried in a file upload request for a thorough test. <br />
* Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")<br />
* Flaws in the protection mechanism when it replaces dangerous extensions. For instance, "file.p.phphp" might be changed to "file.php" after going through this functionality.<br />
* Flaws in the uploaded file usage for instance when a PHP application uses the "include" function to show the uploaded images.<br />
* Combination of the above techniques.<br />
<br />
=== Whitelisting File Extensions ===<br />
<br />
Applications that check the file extensions using a whitelist method also need to validate the full filename to prevent any bypass. <br />
<br />
* The list of permitted extensions should be reviewed as it can contain malicious extensions as well. For instance, in case of having ".shtml" in the list, the application can be vulnerable to SSI attacks.<br />
* Some of the bypass techniques for the blacklist methods such as using double extensions are also applicable here and should be checked. <br />
<br />
=== "Content-Type" Header Validation ===<br />
<br />
"Content-Type" entity in the header of the request indicates the Internet media type of the message content. Sometimes web applications use this parameter in order to recognise a file as a valid one. For instance, they only accept the files with the "Content-Type" of "text/plain". <br />
<br />
* It is possible to bypass this protection by changing this parameter in the request header using a web proxy.<br />
<br />
=== Using a File Type Detector ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the file types in order to process them further. For instance, when an application resize an image file, it may just show an error message when non-image files are uploaded without saving them on the server. <br />
<br />
* If it reads the few first characters (or headers), it can be bypassed by inserting malicious code after some valid header or within the file's metadata. <br />
* Inserting code in the comments section or those section that have no effect on the main file can also lead to a bypass.<br />
* The inserted data can be obfuscated or encoded if the application detects a malicious code using specific patterns or signatures.<br />
* Uploaded file can be crafted to create a malicious code in case of being compressed by the application.<br />
<br />
=== Other Interesting Test Cases ===<br />
<br />
* Uploading a file when another file with the same name already exists. This may show interesting error messages that can lead to information disclosure. Logical flaws might be found if the application renames the new file to keep it on the server.<br />
* Uploading a file when another folder with the same name already exists. This may show interesting error messages that can lead to information disclosure. <br />
* Uploading a file with a long name. This may show interesting error messages that can lead to information disclosure.<br />
* Uploading a file multiple times at the same time. This may show interesting error messages that can lead to information disclosure. <br />
* Uploading valid and invalid files in different formats such as compressed or XML files to detect any possible processing on the server side. <br />
* Uploading a file with ".", "..", or "..." as its name. For instance, in Apache in Windows, if the application saves the uploaded files in "/www/uploads/" directory, the "." filename will create a file called "uploads" in the "/www/" directory.<br />
* Uploading files that may not be deleted easily such as "...:.jpg" in NTFS that makes the "..." file (this file can be deleted using command line). This may show interesting error messages that can lead to information disclosure.<br />
* Uploading a file in Windows with invalid characters such as |<>*?" in its name. This may show interesting error messages that can lead to information disclosure. <br />
* Uploading a file in Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. This may show interesting error messages that can lead to information disclosure. Uploading a file with a reserved name may lead to denial of service if the application keeps the name and tries to save it with another extension (detecting it wrongly as an existing file).<br />
* Cross-site content hijacking issues can be exploited by uploading a file with allowed name and extension but with Flash, PDF, or Silverlight contents. <br />
* Uploading a "crossdomain.xml" or "clientaccesspolicy.xml" file can make a website vulnerable to cross-site content hijacking. These files should be uploaded to the root of the website to work. However, the "crossdomain.xml" file can be in a subdirectory as long as it is allowed in the root "crossdomain.xml" file.<br />
<br />
=== Important Notes in Testing File Uploaders ===<br />
<br />
* Do not try to replace the existing files during testing unless it is safe to proceed. For instance, replacing configuration files such as "web.config" or ".htaccess" file can lead to a denial of service attack for the whole website.<br />
<br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
* IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
* Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
* IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
* Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
* Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
* IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
* The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality.<br />
* Never accept a filename and its extension directly without having a whitelist filter.<br />
* The application should perform filtering and content checking on any files which are uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users. If in doubt, the file should be discarded.<br />
* It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a "select case" syntax (in case of having VBScript) to choose the file extension in regards to the real file extension.<br />
* All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as ";", ":", ">", "<", "/" ,"\", additional ".", "*", "%", "$", and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
* Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
* It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
* Uploaded directory should not have any "execute" permission and all the script handlers should be removed from these directories.<br />
* Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
* Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
* Use Cross Site Request Forgery protection methods.<br />
* Prevent from overwriting a file in case of having the same hash for both.<br />
* Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
* Try to use POST method instead of PUT (or GET!)<br />
* Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
* In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
* If it is possible, consider saving the files in a database rather than on the filesystem.<br />
* If files should be saved in a filesystem, consider using an isolated server with a different domain to serve the uploaded files. <br />
* File uploaders should be only accessible to authenticated and authorised users if possible.<br />
* Write permission should be removed from files and folders other than the upload folders. The upload folders should not serve any <br />
* Ensure that configuration files such as ".htaccess" or "web.config" cannot be replaced using file uploaders. Ensure that appropriate settings are available to ignore the ".htaccess" or "web.config" files if uploaded in the upload directories.<br />
* Ensure that files with double extensions (e.g. "file.php.txt") cannot be executed especially in Apache.<br />
* Ensure that uploaded files cannot be accessed by unauthorised users.<br />
* Adding the "Content-Disposition: Attachment" and "X-Content-Type-Options: nosniff" headers to the response of static files will secure the website against Flash or PDF-based cross-site content-hijacking attacks. It is recommended that this practice be performed for all of the files that users need to download in all the modules that deal with a file download. Although this method does not fully secure the website against attacks using Silverlight or similar objects, it can mitigate the risk of using Adobe Flash and PDF objects, especially when uploading PDF files is permitted.<br />
* Flash/PDF (crossdomain.xml) or Silverlight (clientaccesspolicy.xml) cross-domain policy files should be removed if they are not in use and there is no business requirement for Flash or Silverlight applications to communicate with the website.<br />
* Browser caching should be disabled for the corssdomain.xml and clientaccesspolicy.xml files. This enables the website to easily update the file or restrict access to the Web services if necessary. Once the client access policy file is checked, it remains in effect for the browser session so the impact of non-caching to the end-user is minimal. This can be raised as a low or informational risk issue based on the content of the target website and security and complexity of the policy file(s).<br />
* CORS headers should be reviewed to only be enabled for static or publicly accessible data. Otherwise, the "Access-Control-Allow-Origin" header should only contain authorised addresses. Other CORS headers such as "Access-Control-Allow-Credentials" should only be used when they are required. Items within the CORS headers such as "Access-Control-Allow-Methods" or "Access-Control-Allow-Headers" should be reviewed and removed if they are not required.<br />
<br />
<br />
== Related [[Attacks]] ==<br />
<br />
* [[Path Traversal]]<br />
* [[Path Manipulation]]<br />
* [[Relative Path Traversal]]<br />
* [[Windows_::DATA_alternate_data_stream]]<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[:Category:Input Validation Vulnerability]]<br />
<br />
== Related [[Controls]] ==<br />
<br />
* [[:Category:Input Validation]]<br />
<br />
== Related [[Threat Agent]] ==<br />
<br />
* [[:Category:External Threat Agent]]<br />
* [[:Category:Internal Threat Agent]]<br />
* [[:Category:Internet attacker]]<br />
* [[:Category:Intranet attacker]]<br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
* [[System Access]]<br />
* [[Security Bypass]]<br />
* [[Exposure of system information]]<br />
* [[Exposure of sensitive information]]<br />
* [[Client Side Threat]]<br />
<br />
== References ==<br />
<br />
* Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 [http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ ]<br />
* 8 basic rules to implement secure file uploads - SANS - [http://software-security.sans.org/blog/2009/12/28/8-basic-rules-to-implement-secure-file-uploads]<br />
* IIS6/ASP & file upload for fun and profit [http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/]<br />
* Secure file upload in PHP web applications [http://www.net-security.org/dl/articles/php-file-upload.pdf]<br />
* Potentially Dangerous File Types [http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf]<br />
* Image Upload XSS [http://ha.ckers.org/blog/20070603/image-upload-xss/]<br />
* Code Execution Through Filenames in Uploads [http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/]<br />
* Secure File Upload Check List With PHP [http://hungred.com/useful-information/secure-file-upload-check-list-php/]<br />
* NTFS in WikiPedia [http://en.wikipedia.org/wiki/NTFS]<br />
* NTFS Streams [http://msdn.microsoft.com/en-us/library/ff469210(v=PROT.10).aspx]<br />
* NTFS - Glossary [http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html]<br />
* IIS 6.0 Security Best Practices [http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
* Securing Sites with Web Site Permissions [http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
* IIS 6.0 Operations Guide [http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
* Improving Web Application Security: Threats and Countermeasures [http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
* Understanding the Built-In User and Group Accounts in IIS 7.0 [http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
* IIS Security Checklist [http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
* Microsoft IIS ASP Multiple Extensions Security Bypass [http://secunia.com/advisories/37831/]<br />
* CVE-2009-4444 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444]<br />
* CVE-2009-4445 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445]<br />
* CVE-2009-1535 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535]<br />
* MSDN - Naming Files, Paths, and Namespaces [https://msdn.microsoft.com/en-gb/library/windows/desktop/aa365247(v=vs.85).aspx]<br />
* Even uploading a JPG file can lead to Cross-Site Content Hijacking (client-side attack) [https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/]<br />
* Cross-Site Content (Data) Hijacking (XSCH) PoC Project [https://github.com/nccgroup/CrossSiteContentHijacking]<br />
* iPhone MobileSafari LibTIFF Buffer Overflow [https://www.exploit-db.com/exploits/16862/]<br />
* ImageMagick Is On Fire-CVE-2016–3714 [https://imagetragick.com/]<br />
* Symantec Antivirus multiple remote memory corruption unpacking RAR CVE-2016-2207 [https://bugs.chromium.org/p/project-zero/issues/detail?id=810]<br />
* File in the hole - HackPra Nov. 2012 [https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf]<br />
* Self contained web shells and other attacks via .htaccess files [https://github.com/wireghoul/htshells]<br />
* Upload a web.config File for Fun & Profit [https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/]<br />
* PHP filesystem attack vectors - Take Two [http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/]<br />
* File Upload and PHP on IIS: >=? and <=* and "=. [https://soroush.secproject.com/blog/2014/07/file-upload-and-php-on-iis-wildcards/]<br />
<br />
<br />
== Authors ==<br />
* [[User:Soroush Dalili|Soroush Dalili]]<br />
* [[User:Dirk Wetter|Dirk Wetter]]<br />
* [[User:Landon Mayo|Landon Mayo]]<br />
* [[User:OWASP|OWASP]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:File System]]<br />
[[Category:Windows]]<br />
[[Category:Unix]]<br />
[[Category:Use of Dangerous API]]<br />
[[Category:Vulnerability]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=159809User:Soroush Dalili2013-10-06T13:16:03Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili”. My field of expertise is web application security. Please visit my weblog to find more information.<br />
<br />
== OWASP Activities ==<br />
* [[Unrestricted File Upload]]<br />
<br />
== Main Links ==<br />
<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Me & Google!: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=159808User:Soroush Dalili2013-10-06T13:15:49Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili”. My field of expertise is web application security. Please visit my weblog to find more information.<br />
<br />
== OWASP Activities ==<br />
* [[Unrestricted File Upload]]<br />
<br />
== Main Links ==<br />
<br />
* Website: [http://soroush.secproject.com/ Soroush.SecProject.com]<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Me & Google!: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=159807User:Soroush Dalili2013-10-06T13:11:25Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili”. My field of expertise is web application security. Please visit my weblog to find more information.<br />
<br />
== OWASP Activities ==<br />
* [[Unrestricted File Upload]]<br />
<br />
== Main Links ==<br />
<br />
* Website: [http://soroush.secproject.com/ Soroush.SecProject.com]<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Wiki User Page: [http://en.wikipedia.org/wiki/User:Irsdl Wiki User Page]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Google me: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]<br />
<br />
== Other Backup Links ==<br />
<br />
* [http://www.soroush.me/ www.soroush.me]<br />
* [http://www.sdl.me/ www.sdl.me]<br />
* [http://dalili.soroush.me/ dalili.soroush.me]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=159806User:Soroush Dalili2013-10-06T13:09:42Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili” and my usual instant name in web is SDL or IRSDL. I’m working on the computer security stuffs, and my field of expertise is penetration testing and especially web application security.<br />
<br />
== OWASP Activities ==<br />
* [[Unrestricted File Upload]]<br />
<br />
== Main Links ==<br />
<br />
* Website: [http://soroush.secproject.com/ Soroush.SecProject.com]<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Wiki User Page: [http://en.wikipedia.org/wiki/User:Irsdl Wiki User Page]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Google me: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]<br />
<br />
== Other Backup Links ==<br />
<br />
* [http://www.soroush.me/ www.soroush.me]<br />
* [http://www.sdl.me/ www.sdl.me]<br />
* [http://dalili.soroush.me/ dalili.soroush.me]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=OWASP_Risk_Rating_Methodology&diff=133450OWASP Risk Rating Methodology2012-07-24T23:06:17Z<p>Soroush Dalili: Skill level section fixed. Still not sure how can we have "5" in the example for the Skill level.</p>
<hr />
<div>{{Template:OWASP Testing Guide v3}}<br />
<br />
<br />
==The OWASP Risk Rating Methodology== <br />
<br />
Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Early in the lifecycle, you may identify security concerns in the architecture or design by using [[threat modeling]]. Later, you may find security issues using [[code review]] or [[penetration testing]]. Or you may not discover a problem until the application is in production and is actually compromised.<br />
<br />
By following the approach here, you'll be able to estimate the severity of all of these risks to your business, and make an informed decision about what to do about them. Having a system in place for rating risks will save time and eliminate arguing about priorities. This system will help to ensure that you don't get distracted by minor risks while ignoring more serious risks that are less well understood.<br />
<br />
Ideally, there would be a universal risk rating system that would accurately estimate all risks for all organizations. But a vulnerability that is critical to one organization may not be very important to another. So a basic framework is presented here that you ''should customize'' for your organization.<br />
<br />
The authors have tried hard to make this model simple enough to use, while keeping enough detail for accurate risk estimates to be made. Please reference the section below on customization for more information about tailoring the model for use in your organization.<br />
<br />
==Approach==<br />
<br />
There are many different approaches to risk analysis. See the reference section below for some of the most common ones. The OWASP approach presented here is based on these standard methodologies and is customized for application security.<br />
<br />
Let's start with the standard risk model:<br />
<br />
'''Risk = Likelihood * Impact'''<br />
<br />
In the sections below, we break down the factors that make up "likelihood" and "impact" for application security and show how to combine them to determine the overall severity for the risk.<br />
<br />
* [[#Step 1: Identifying a Risk]]<br />
* [[#Step 2: Factors for Estimating Likelihood]]<br />
* [[#Step 3: Factors for Estimating Impact]]<br />
* [[#Step 4: Determining Severity of the Risk]]<br />
* [[#Step 5: Deciding What to Fix]]<br />
* [[#Step 6: Customizing Your Risk Rating Model]]<br />
<br />
==Step 1: Identifying a Risk==<br />
<br />
The first step is to identify a security risk that needs to be rated. You'll need to gather information about the [[threat agent]] involved, the [[attack]] they're using, the [[vulnerability]] involved, and the [[impact]] of a successful exploit on your business. There may be multiple possible groups of attackers, or even multiple possible business impacts. In general, it's best to err on the side of caution by using the worst-case option, as that will result in the highest overall risk.<br />
<br />
==Step 2: Factors for Estimating Likelihood==<br />
<br />
Once you've identified a potential risk, and want to figure out how serious it is, the first step is to estimate the "likelihood". At the highest level, this is a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker. We do not need to be over-precise in this estimate. Generally, identifying whether the likelihood is low, medium, or high is sufficient.<br />
<br />
There are a number of factors that can help us figure this out. The first set of factors are related to the [[threat agent]] involved. The goal is to estimate the likelihood of a successful attack from a group of possible attackers. Note that there may be multiple threat agents that can exploit a particular vulnerability, so it's usually best to use the worst-case scenario. For example, an insider may be a much more likely attacker than an anonymous outsider - but it depends on a number of factors.<br />
<br />
Note that each factor has a set of options, and each option has a likelihood rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall likelihood.<br />
<br />
===[[Threat Agent]] Factors===<br />
<br />
The first set of factors are related to the [[threat agent]] involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.<br />
<br />
; Skill level<br />
: How technically skilled is this group of threat agents? Security penetration skills (1), network and programming skills (3), advanced computer user (4), some technical skills (6), no technical skills (9)<br />
<br />
; Motive<br />
: How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)<br />
<br />
; Opportunity<br />
: What resources and opportunity are required for this group of threat agents to find and exploit this vulnerability? full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)<br />
<br />
; Size<br />
: How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)<br />
<br />
===[[Vulnerability]] Factors===<br />
<br />
The next set of factors are related to the [[vulnerability]] involved. The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.<br />
<br />
; Ease of discovery<br />
: How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)<br />
<br />
; Ease of exploit<br />
: How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)<br />
<br />
; Awareness<br />
: How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)<br />
<br />
; Intrusion detection<br />
: How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)<br />
<br />
==Step 3: Factors for Estimating Impact==<br />
<br />
When considering the impact of a successful attack, it's important to realize that there are two kinds of impacts. The first is the "technical impact" on the application, the data it uses, and the functions it provides. The other is the "business impact" on the business and company operating the application.<br />
<br />
Ultimately, the business impact is more important. However, you may not have access to all the information required to figure out the business consequences of a successful exploit. In this case, providing as much detail about the technical risk will enable the appropriate business representative to make a decision about the business risk.<br />
<br />
Again, each factor has a set of options, and each option has an impact rating from 0 to 9 associated with it. We'll use these numbers later to estimate the overall impact.<br />
<br />
<br />
===Technical Impact Factors===<br />
<br />
Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.<br />
<br />
<br />
; Loss of confidentiality<br />
: How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)<br />
<br />
; Loss of integrity<br />
: How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)<br />
<br />
; Loss of availability<br />
: How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)<br />
<br />
; Loss of accountability<br />
: Are the threat agents' actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)<br />
<br />
===Business Impact Factors===<br />
<br />
The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, you should be aiming to support your risks with business impact, particularly if your audience is executive level. The business risk is what justifies investment in fixing security problems.<br />
<br />
Many companies have an asset classification guide and/or a business impact reference to help formalize what is important to their business. These standards can help you focus on what's truly important for security. If these aren't available, then talk with people who understand the business to get their take on what's important.<br />
<br />
The factors below are common areas for many businesses, but this area is even more unique to a company than the factors related to threat agent, vulnerability, and technical impact.<br />
<br />
; Financial damage<br />
: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)<br />
<br />
; Reputation damage<br />
: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), Loss of major accounts (4), loss of goodwill (5), brand damage (9)<br />
<br />
; Non-compliance<br />
: How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)<br />
<br />
; Privacy violation<br />
: How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)<br />
<br />
==Step 4: Determining the Severity of the Risk== <br />
<br />
In this step we're going to put together the likelihood estimate and the impact estimate to calculate an overall severity for this risk. All you need to do here is figure out whether the likelihood is LOW, MEDIUM, or HIGH and then do the same for impact. We'll just split our 0 to 9 scale into three parts.<br />
<br />
<table border="1" width="40%" align="center"><br />
<tr><br />
<td align="center" colspan="2"><b>Likelihood and Impact Levels</b></td><br />
</tr><br />
<tr><br />
<td align="center" width="50%">0 to &lt;3</td><br />
<td align="center" width="50%" bgcolor="lightgreen">LOW</td><br />
</tr><br />
<tr><br />
<td align="center">3 to &lt;6</td><br />
<td align="center" bgcolor="yellow">MEDIUM</td><br />
</tr><br />
<tr><br />
<td align="center">6 to 9</td><br />
<td align="center" bgcolor="red">HIGH</td><br />
</tr><br />
</table><br />
<br />
<br />
===Informal Method===<br />
<br />
In many environments, there is nothing wrong with "eyeballing" the factors and simply capturing the answers. You should think through the factors and identify the key "driving" factors that are controlling the result. You may discover that your initial impression was wrong by considering aspects of the risk that weren't obvious.<br />
<br />
===Repeatable Method===<br />
<br />
If you need to defend your ratings or make them repeatable, then you may want to go through a more formal process of rating the factors and calculating the result. Remember that there is quite a lot of uncertainty in these estimates, and that these factors are intended to help you arrive at a sensible result. This process can be supported by automated tools to make the calculation easier. <br />
<br />
The first step is to select one of the options associated with each factor and enter the associated number in the table. Then you simply take the average of the scores to calculate the overall likelihood. For example:<br />
<br />
<table border="1" align="center"><br />
<tr><br />
<td colspan="4" align="center"><b>Threat agent factors</b></td><br />
<td></td><br />
<td colspan="4" align="center"><b>Vulnerability factors</b></td><br />
</tr><br />
<tr><br />
<td align="center" width="10%">Skill level</td><br />
<td align="center" width="10%">Motive</td><br />
<td align="center" width="10%">Opportunity</td><br />
<td align="center" width="10%">Size</td><br />
<td align="center" width="2%"></td><br />
<td align="center" width="10%">Ease of discovery</td><br />
<td align="center" width="10%">Ease of exploit</td><br />
<td align="center" width="10%">Awareness</td><br />
<td align="center" width="10%">Intrusion detection</td><br />
</tr><br />
<tr><br />
<td align="center">5</td><br />
<td align="center">2</td><br />
<td align="center">7</td><br />
<td align="center">1</td><br />
<td align="center"></td><br />
<td align="center">3</td><br />
<td align="center">6</td><br />
<td align="center">9</td><br />
<td align="center">2</td><br />
</tr><br />
<tr><br />
<td colspan="9" align="center" bgcolor="lightblue">Overall likelihood=4.375 (MEDIUM)</td><br />
</tr><br />
</table><br />
<br />
<br />
Next, we need to figure out the overall impact. The process is similar here. In many cases the answer will be obvious, but you can make an estimate based on the factors, or you can average the scores for each of the factors. Again, less than 3 is LOW, 3 to less than 6 is MEDIUM, and 6 to 9 is HIGH. For example:<br />
<br />
<br />
<table border="1" align="center"><br />
<tr><br />
<td colspan="4" align="center"><b>Technical Impact</b></td><br />
<td></td><br />
<td colspan="4" align="center"><b>Business Impact</b></td><br />
</tr><br />
<tr><br />
<td align="center" width="10%">Loss of confidentiality</td><br />
<td align="center" width="10%">Loss of integrity</td><br />
<td align="center" width="10%">Loss of availability</td><br />
<td align="center" width="10%">Loss of accountability</td><br />
<td align="center" width="2%"></td><br />
<td align="center" width="10%">Financial damage</td><br />
<td align="center" width="10%">Reputation damage</td><br />
<td align="center" width="10%">Non-compliance</td><br />
<td align="center" width="10%">Privacy violation</td><br />
</tr><br />
<tr><br />
<td align="center">9</td><br />
<td align="center">7</td><br />
<td align="center">5</td><br />
<td align="center">8</td><br />
<td align="center"></td><br />
<td align="center">1</td><br />
<td align="center">2</td><br />
<td align="center">1</td><br />
<td align="center">5</td><br />
</tr><br />
<tr><br />
<td colspan="4" align="center" bgcolor="lightblue">Overall technical impact=7.25 (HIGH)</td><br />
<td></td><br />
<td colspan="4" align="center" bgcolor="lightblue">Overall business impact=2.25 (LOW)</td><br />
</tr><br />
</table><br />
<br />
===Determining Severity===<br />
<br />
However we arrived at the likelihood and impact estimates, we can now combine them to get a final severity rating for this risk. Note that if you have good business impact information, you should use that instead of the technical impact information. But if you have no information about the business, then technical impact is the next best thing.<br />
<br />
<br />
<table border="1" align="center"><br />
<tr><br />
<td align="center" colspan="5"><b>Overall Risk Severity</b></td><br />
</tr><br />
<tr><br />
<td align="center" width="15%" rowspan="4"><b>Impact</b></td><br />
<td align="center" width="15%">HIGH</td><br />
<td align="center" width="15%" bgcolor="orange">Medium</td><br />
<td align="center" width="15%" bgcolor="red">High</td><br />
<td align="center" width="15%" bgcolor="pink">Critical</td><br />
</tr><br />
<tr><br />
<td align="center">MEDIUM</td><br />
<td align="center" bgcolor="yellow">Low</td><br />
<td align="center" bgcolor="orange">Medium</td><br />
<td align="center" bgcolor="red">High</td><br />
</tr><br />
<tr><br />
<td align="center">LOW</td><br />
<td align="center" bgcolor="lightgreen">Note</td><br />
<td align="center" bgcolor="yellow">Low</td><br />
<td align="center" bgcolor="orange">Medium</td><br />
</tr><br />
<tr><br />
<td align="center">&nbsp;</td><br />
<td align="center">LOW</td><br />
<td align="center">MEDIUM</td><br />
<td align="center">HIGH</td><br />
</tr><br />
<tr><br />
<td align="center">&nbsp;</td><br />
<td align="center" colspan="4"><b>Likelihood</b></td><br />
</tr><br />
</table><br />
<br />
<br />
<br />
In the example above, the likelihood is MEDIUM, and the technical impact is HIGH, so from a purely technical perspective, it appears that the overall severity is HIGH. However, note that the business impact is actually LOW, so the overall severity is best described as LOW as well. This is why understanding the business context of the vulnerabilities you are evaluating is so critical to making good risk decisions. Failure to understand this context can lead to the lack of trust between the business and security teams that is present in many organizations.<br />
<br />
==Step 5: Deciding What to Fix==<br />
<br />
After you've classified the risks to your application, you'll have a prioritized list of what to fix. As a general rule, you should fix the most severe risks first. It simply doesn't help your overall risk profile to fix less important risks, even if they're easy or cheap to fix.<br />
<br />
Remember, not all risks are worth fixing, and some loss is not only expected, but justifiable based upon the cost of fixing the issue. For example, if it would cost $100,000 to implement controls to stem $2,000 of fraud per year, it would take 50 years return on investment to stamp out the loss. But remember there may be reputation damage from the fraud that could cost the organization much more.<br />
<br />
<br />
<br />
==Step 6: Customizing Your Risk Rating Model==<br />
<br />
Having a risk ranking framework that's customizable for a business is critical for adoption. A tailored model is much more likely to produce results that match people's perceptions about what is a serious risk. You can waste lots of time arguing about the risk ratings if they're not supported by a model like this. There are several ways to tailor this model for your organization.<br />
<br />
===Adding factors===<br />
<br />
You can choose different factors that better represent what's important for your organization. For example, a military application might add impact factors related to loss of human life or classified information. You might also add likelihood factors, such as the window of opportunity for an attacker or encryption algorithm strength.<br />
<br />
===Customizing options===<br />
<br />
There are some sample options associated with each factor, but the model will be much more effective if you customize these options to your business. For example, use the names of the different teams and your names for different classifications of information. You can also change the scores associated with the options. The best way to identify the right scores is to compare the ratings produced by the model with ratings produced by a team of experts. You can tune the model by carefully adjusting the scores to match.<br />
<br />
===Weighting factors===<br />
<br />
The model above assumes that all the factors are equally important. You can weight the factors to emphasize the factors that are more significant for your business. This makes the model a bit more complex, as you'll need to use a weighted average. But otherwise everything works the same. Again, you can tune the model by matching it against risk ratings you agree are accurate.<br />
<br />
==References==<br />
<br />
* NIST 800-30 Risk Management Guide for Information Technology Systems [http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf]<br />
<br />
* AS/NZS 4360 Risk Management [http://www.saiglobal.com/shop/script/Details.asp?docn=AS564557616854]<br />
<br />
* Industry standard vulnerability severity and risk rankings (CVSS) [http://www.first.org/cvss/]<br />
<br />
* Security-enhancing process models (CLASP) [http://www.owasp.org/index.php/Category:OWASP_CLASP_Project]<br />
<br />
* Microsoft Web Application Security Frame [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/TMWA.asp]<br />
<br />
* Security In The Software Lifecycle from DHS [https://buildsecurityin.us-cert.gov/daisy/bsi/87/version/12/part/4/data/Draft+Security+in+the+Software+Lifcycle+v1.2.pdf?branch=main&language=default]<br />
<br />
* [[Threat_Risk_Modeling|Threat Risk Modeling]]<br />
<br />
* Pratical Threat Analysis [http://www.ptatechnologies.com/]<br />
<br />
* A Platform for Risk Analysis of Security Critical Systems [http://www2.nr.no/coras/]<br />
<br />
* Model-driven Development and Analysis of Secure Information Systems [http://heim.ifi.uio.no/~ketils/securis/the-securis-technical-description.htm]<br />
<br />
* Value Driven Security Threat Modeling Based on Attack Path Analysis[http://sunset.usc.edu/events/2006/CSSE_Convocation/publications/ChenValueBasedSecurityThreatModel.pdf]<br />
<br />
== Project Sponsors ==<br />
<br />
This project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=126279User:Soroush Dalili2012-03-14T20:46:50Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili” and my usual instant name in web is SDL or IRSDL. I’m working on the computer security stuffs, and my field of expertise is penetration testing and especially web application security.<br />
<br />
== OWASP Activities ==<br />
* [[Unrestricted File Upload]]<br />
<br />
== Main Links ==<br />
<br />
* Website: [http://soroush.secproject.com/ Soroush.SecProject.com]<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Mirror Blog: [http://irsdl1.wordpress.com/ irsdl1.wordpress.com] (as my main web hosting (GoDaddy) has filtered some countries such as Iran)<br />
* Wiki User Page: [http://en.wikipedia.org/wiki/User:Irsdl Wiki User Page]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Google me: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]<br />
<br />
== Other Backup Links ==<br />
<br />
* [http://www.soroush.me/ www.soroush.me]<br />
* [http://www.sdl.me/ www.sdl.me]<br />
* [http://dalili.soroush.me/ dalili.soroush.me]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Talk:Windows_::DATA_alternate_data_stream&diff=100985Talk:Windows ::DATA alternate data stream2011-01-19T13:06:20Z<p>Soroush Dalili: Created page with 'Please check if it's an attack. It didn't have any special category.'</p>
<hr />
<div>Please check if it's an attack. It didn't have any special category.</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Windows_::DATA_alternate_data_stream&diff=100984Windows ::DATA alternate data stream2011-01-19T13:03:07Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Attack}}<br />
<br />
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
<br />
[[Category:OWASP ASDR Project]]<br />
<br />
==Description==<br />
The NTFS file system includes support for alternate data streams. This is not a well known feature and was included, primarily, to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called :$DATA.<br />
<br />
Windows Explorer doesn't provide a way of seing what alternate data streams are in a file (or a way to remove them without deleting the file) but they can be created and accessed easily. Because they are difficult to find they are often used by hackers to hide files on machines that they've compromised (perhaps files for a rootkit). Executables in alternate data streams can be executed from the command line but they will not show up in Windows Explorer (or the Console). Reference Example 1 for information on creating and accessing alternate data streams.<br />
<br />
Since the :$DATA alternate stream exists for every file it can be an alternate way to access any file. Reference Example 2 for information on accessing the :$DATA alternate data stream in a text file. Any application that creates files or looks at or depends on the end of the file name (or the extension) should be aware of the possibility of these alternate data streams. If unsanitized user input is used to create or reference a file name an attacker could use the :$DATA stream to change the behavior of the software. A well-known vulnerability of this nature existed in older versions of IIS. When IIS saw a request for a file with an ASP extension it sent the ASP file to the application associated with the extension. This application would run the server-side code in the ASP file and generate the HTML response for the request. Due to a flaw in the extension parsing of these versions of IIS, filename.asp::$DATA did not match the extension and since there was no application registered for the asp::$DATA extension, the asp source code was returned to the attacker.<br />
<br />
Proper user input sanitation is the best defense against this type of attack.<br />
<br />
==Examples ==<br />
===Example 1 - Creating Alternate Data Streams===<br />
<pre><br />
C:\> type C:\windows\system32\notepad.exe > c:\windows\system32\calc.exe:notepad.exe<br />
C:\> start c:\windows\system32\calc.exe:notepad.exe<br />
</pre><br />
<br />
===Example 2 - Accessing the :$DATA Alternate Data Stream===<br />
<pre><br />
C:\> start c:\textfile.txt::$DATA<br />
</pre><br />
<br />
===Example 3 - Exploiting the ASP Alternate Data Stream Show Code Vulnerability===<br />
<pre><br />
Normal access:<br />
http://www.alternate-data-streams.com/default.asp<br />
<br />
Show code bypass accessing the :$DATA alternate data stream:<br />
http://www.alternate-data-streams.com/default.asp::$DATA<br />
</pre><br />
In the vulnerable versions, IIS parsed the extension of this file as asp::$DATA, not ASP. As such the application associated with the ASP extension was not invoked and the ASP source code was viewable by the attacker.<br />
<br />
==Related Threats==<br />
<br />
==Related Attacks==<br />
<br />
==Related Vulnerabilities==<br />
* [[Unrestricted File Upload]]<br />
<br />
==Related Countermeasures==<br />
<br />
* [[:Category:Input Validation]]<br />
<br />
==Categories==<br />
<br />
[[Category:Attack]]<br />
[[Category:Windows]]<br />
[[Category:Input Validation]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=100983User:Soroush Dalili2011-01-19T12:50:20Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili” and my usual instant name in web is SDL or IRSDL. I’m working on the computer security stuffs, and my field of expertise is penetration testing and especially web application security.<br />
<br />
== OWASP Activities ==<br />
* [[Unrestricted File Upload]]<br />
<br />
== Main Links ==<br />
<br />
* Website: [http://soroush.secproject.com/ Soroush.SecProject.com]<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Mirror Blog: [http://irsdl1.wordpress.com/ irsdl1.wordpress.com] (as my main web hosting (GoDaddy) has filtered some countries such as Iran)<br />
* Wiki User Page: [http://en.wikipedia.org/wiki/User:Irsdl Wiki User Page]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Google me: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]<br />
<br />
== Other Backup Links ==<br />
<br />
* [http://www.soroush.me/ www.soroush.me]<br />
* [http://www.sdl.me/ www.sdl.me]<br />
* [http://dalili.soroush.me/ dalili.soroush.me]<br />
* [http://www.plaincipher.com/ www.plaincipher.com]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=User:Soroush_Dalili&diff=100982User:Soroush Dalili2011-01-19T12:48:32Z<p>Soroush Dalili: </p>
<hr />
<div>== General Info ==<br />
<br />
My full name is “Soroush Dalili” and my usual instant name in web is SDL or IRSDL. I’m working on the computer security stuffs, and my field of expertise is penetration testing and especially web application security.<br />
<br />
== Main Links ==<br />
<br />
* Website: [http://soroush.secproject.com/ Soroush.SecProject.com]<br />
* Blog - Direct Link: [http://soroush.secproject.com/blog/ Soroush.SecProject.com/blog/]<br />
* Advisories - Direct Link: [http://soroush.secproject.com/blog/my-advisories/ Soroush.SecProject.com/blog/my-advisories/]<br />
* Mirror Blog: [http://irsdl1.wordpress.com/ irsdl1.wordpress.com] (as my main web hosting (GoDaddy) has filtered some countries such as Iran)<br />
* Wiki User Page: [http://en.wikipedia.org/wiki/User:Irsdl Wiki User Page]<br />
* Twitter: [http://www.twitter.com/irsdl www.twitter.com/irsdl]<br />
* Linkedin: [http://uk.linkedin.com/in/irsdl uk.linkedin.com/in/irsdl]<br />
* Google me: [http://www.google.com/search?q=soroush%20dalili www.google.com/search?q=soroush dalili]<br />
<br />
== Other Backup Links ==<br />
<br />
* [http://www.soroush.me/ www.soroush.me]<br />
* [http://www.sdl.me/ www.sdl.me]<br />
* [http://dalili.soroush.me/ dalili.soroush.me]<br />
* [http://www.plaincipher.com/ www.plaincipher.com]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=100980Unrestricted File Upload2011-01-19T12:30:53Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Author(s): <br />
*[[User:Soroush Dalili|Soroush Dalili]]<br />
*[[User:OWASP|OWASP]]<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..”, “file.asp ”, or “file.asp.”).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an executive file such as ASP with another extension in a folder which ends with an executive extension such as “.asp” (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should end with “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “newfolder.asp::$Index_Allocation” creates “newfolder.asp” as a new directory).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”.<br />
*In Windows Servers, it is possible to replace the files by using their short-name (8.3). (example: “web.config” can be replaced by uploading “web~1.con”)<br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br />
== Related [[Attacks]] ==<br />
<br />
* [[Path Traversal]]<br />
* [[Path Manipulation]]<br />
* [[Relative Path Traversal]]<br />
* [[Windows_::DATA_alternate_data_stream]]<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[:Category:Input Validation Vulnerability]]<br />
<br />
== Related [[Controls]] ==<br />
<br />
* [[:Category:Input Validation]]<br />
<br />
== Related [[Threat Agent]] ==<br />
<br />
* [[:Category:External Threat Agent]]<br />
* [[:Category:Internal Threat Agent]]<br />
* [[:Category:Internet attacker]]<br />
* [[:Category:Intranet attacker]]<br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
* [[System Access]]<br />
* [[Security Bypass]]<br />
* [[Exposure of system information]]<br />
* [[Exposure of sensitive information]]<br />
* [[Client Side Threat]]<br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*NTFS in WikiPedia http://en.wikipedia.org/wiki/NTFS<br />
*NTFS Streams http://msdn.microsoft.com/en-us/library/ff469210(v=PROT.10).aspx<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissions http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
__NOTOC__<br />
<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:File System]]<br />
[[Category:Windows]]<br />
[[Category:Unix]]<br />
[[Category:Use of Dangerous API]]<br />
[[Category:Vulnerability]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96288Unrestricted File Upload2010-12-14T13:17:12Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an executive file such as ASP with another extension in a folder which ends with an executive extension such as “.asp” (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should end with “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “newfolder.asp::$Index_Allocation” creates “newfolder.asp” as a new directory).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*NTFS in WikiPedia http://en.wikipedia.org/wiki/NTFS<br />
*NTFS Streams http://msdn.microsoft.com/en-us/library/ff469210(v=PROT.10).aspx<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissions http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:38, 14 December 2010 (UTC)<br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96287Unrestricted File Upload2010-12-14T13:13:49Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an executive file such as ASP with another extension in a folder which ends with an executive extension such as “.asp” (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should end with “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “newfolder.asp::$Index_Allocation” creates “newfolder.asp” as a new directory).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*NTFS in WikiPedia http://en.wikipedia.org/wiki/NTFS<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissions http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:38, 14 December 2010 (UTC)<br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96286Unrestricted File Upload2010-12-14T12:55:11Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an executive file such as ASP with another extension in a folder which ends with an executive extension such as “.asp” (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should end with “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “newfolder.asp::$Index_Allocation” creates “newfolder.asp” as a new directory).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*Alternate Data Streams http://es.wikipedia.org/wiki/Alternate_Data_Streams<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissions http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:38, 14 December 2010 (UTC)<br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96285Unrestricted File Upload2010-12-14T12:54:00Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an executive file such as ASP with another extension in a folder which ends with an executive extension such as “.asp” (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should end with “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “ newfolder.asp::$Index_Allocation” creates “newfolder.asp” directory).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*Alternate Data Streams http://es.wikipedia.org/wiki/Alternate_Data_Streams<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissions http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:38, 14 December 2010 (UTC)<br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96284Unrestricted File Upload2010-12-14T12:39:32Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an ASP file with another extension in a folder which has “.asp” in its name (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should include “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “ newfolder.asp::$Index_Allocation”).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*Alternate Data Streams http://es.wikipedia.org/wiki/Alternate_Data_Streams<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissions http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:38, 14 December 2010 (UTC)<br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96283Unrestricted File Upload2010-12-14T12:38:35Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an ASP file with another extension in a folder which has “.asp” in its name (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should include “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “ newfolder.asp::$Index_Allocation”).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*Alternate Data Streams http://es.wikipedia.org/wiki/Alternate_Data_Streams<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 6.0 Security Best Practices http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx<br />
*Securing Sites with Web Site Permissionshttp://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx<br />
*IIS 6.0 Operations Guide http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx<br />
*Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0 http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/<br />
*IIS Security Checklist http://windows.stanford.edu/docs/IISsecchecklist.htm<br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*CVE-2009-4444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4444<br />
*CVE-2009-4445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4445<br />
*CVE-2009-1535 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535<br />
<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:38, 14 December 2010 (UTC)<br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96282Unrestricted File Upload2010-12-14T12:27:23Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an ASP file with another extension in a folder which has “.asp” in its name (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should include “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “ newfolder.asp::$Index_Allocation”).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
*Secure file upload in PHP web applications http://www.net-security.org/dl/articles/php-file-upload.pdf<br />
*Image Upload XSS http://ha.ckers.org/blog/20070603/image-upload-xss/<br />
*Code Execution Through Filenames in Uploads http://ha.ckers.org/blog/20070620/code-execution-through-filenames-in-uploads/<br />
*Secure File Upload Check List With PHP http://hungred.com/useful-information/secure-file-upload-check-list-php/<br />
*Potentially Dangerous File Types http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf<br />
*NTFS - Glossary http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/help/glossary.html<br />
*IIS 5.1 Directory Authentication Bypass http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf<br />
--[[User:Soroush Dalili|Soroush Dalili]] 12:27, 14 December 2010 (UTC)<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96281Unrestricted File Upload2010-12-14T12:06:57Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“).<br />
*A web-server may use the first extension after the first dot (“.”) in the file name or use a specific priority algorithm to detect the file extension. Therefore, protection can be bypassed by uploading a file with two extensions after the dot character. The first one is forbidden, and the second one is permitted (example: “file.php.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an ASP file with another extension in a folder which has “.asp” in its name (example: “folder.asp\file.txt”). Besides, it is possible to create a directory just by using a file uploader and ADS (Alternate Data Stream). In this method, filename should include “::$Index_Allocation” or “:$I30:$Index_Allocation” to create a directory instead of a file (example: “ newfolder.asp::$Index_Allocation”).<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
--[[User:Soroush Dalili|Soroush Dalili]] 10:46, 14 December 2010 (UTC)<br />
TBD <br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=96278Unrestricted File Upload2010-12-14T10:46:56Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Stub}} {{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“). <br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”).<br />
*In case of using IIS6 (or prior versions), it might be possible to bypass this protection by putting an ASP file with another extension in a folder which has ".asp" in its name (example: “folder.asp\file.txt”)<br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
*IIS6/ASP & file upload for fun and profit http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/<br />
--[[User:Soroush Dalili|Soroush Dalili]] 10:46, 14 December 2010 (UTC)<br />
TBD <br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Talk:Unrestricted_File_Upload&diff=81684Talk:Unrestricted File Upload2010-04-18T19:17:23Z<p>Soroush Dalili: Created page with 'Please update this page and correct my mistakes or add some new ideas. --~~~~'</p>
<hr />
<div>Please update this page and correct my mistakes or add some new ideas. --[[User:Soroush Dalili|Soroush Dalili]] 19:17, 18 April 2010 (UTC)</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=81683Unrestricted File Upload2010-04-18T19:15:55Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Stub}} {{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“). <br />
*In case of using insecure IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”). <br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
<br />
== Prevention Methods (Solutions to be more secure) ==<br />
In order to make a Windows server more secure, it is very important to follow the Microsoft security best practices first. For this purpose, some of the useful links are:<br />
*IIS 6.0 Security Best Practices[http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx]<br />
*Securing Sites with Web Site Permissions[http://technet.microsoft.com/en-us/library/cc756133(WS.10).aspx]<br />
*IIS 6.0 Operations Guide[http://technet.microsoft.com/en-us/library/cc785089(WS.10).aspx]<br />
*Improving Web Application Security: Threats and Countermeasures[http://msdn.microsoft.com/en-us/library/ms994921.aspx]<br />
*Understanding the Built-In User and Group Accounts in IIS 7.0[http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/]<br />
*IIS Security Checklist[http://windows.stanford.edu/docs/IISsecchecklist.htm]<br />
And some special recommendations for the developers and webmasters:<br />
*Never accept a filename and its extension directly without having a white-list filter.<br />
*It is necessary to have a list of only permitted extensions on the web application. And, file extension can be selected from the list. For instance, it can be a “select case” syntax (in case of having VBScript) to choose the file extension in regard to the real file extension.<br />
*All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).<br />
*Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.<br />
*It is recommended to use an algorithm to determine the filenames. For instance, a filename can be a MD5 hash of the name of file plus the date of the day.<br />
*Uploaded directory should not have any “execute” permission.<br />
*Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).<br />
*Restrict small size files as they can lead to denial of service attacks. So, the minimum size of files should be considered.<br />
*Use Cross Site Request Forgery protection methods.<br />
*Prevent from overwriting a file in case of having the same hash for both.<br />
*Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.<br />
*Try to use POST method instead of PUT (or GET!)<br />
*Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.<br />
*In case of having compressed file extract functions, contents of the compressed file should be checked one by one as a new file.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
--[[User:Soroush Dalili|Soroush Dalili]] 19:15, 18 April 2010 (UTC)<br />
TBD <br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=81681Unrestricted File Upload2010-04-18T19:07:17Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Stub}} {{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this vulnerability is high but the likelihood is low. So, the severity of this type of vulnerability is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This vulnerability can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“). <br />
*In case of using insecure IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”). <br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
<br />
TBD <br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=81680Unrestricted File Upload2010-04-18T19:05:40Z<p>Soroush Dalili: </p>
<hr />
<div>{{Template:Stub}} {{Template:Vulnerability}} <br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' <br />
<br />
[[ASDR TOC Vulnerabilities|Vulnerabilities Table of Contents]] <br />
<br />
== Description ==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. <br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. <br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it. <br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved. <br />
<br />
<br><br />
<br />
== Risk Factors ==<br />
<br />
*The impact of this attack is high but the likelihood is low. So, the severity of this type of attack is Medium. <br />
*The website can be defaced. <br />
*The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on. <br />
*This attack can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]]. <br />
*An attacker might be able to put a phishing page into the website. <br />
*Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server. <br />
*Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file. <br />
*A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later. <br />
*The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
== Examples ==<br />
<br />
=== Attacks on application platform ===<br />
<br />
*Upload .jsp file into web tree - jsp code executed as web user <br />
*Upload .gif to be resized - image library flaw exploited <br />
*Upload huge files - file space denial of service <br />
*Upload file using malicious path or name - overwrite critical file <br />
*Upload file containing personal data - other users access it <br />
*Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
=== Attacks on other systems ===<br />
<br />
*Upload .exe file into web tree - victims download trojaned executable <br />
*Upload virus infected file - victims' machines infected <br />
*Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br><br />
<br />
== Weak Protection Methods and Methods of Bypassing ==<br />
<br />
=== Using Black-List for Files’ Extensions ===<br />
<br />
Some web applications still use only a black-list of extensions to prevent from uploading a malicious file. <br />
<br />
*It is possible to bypass this protection by using some extensions which are executable on the server but are not mentioned in the list. (Example: “file.php5”, “file.shtml”, “file.asa”, or “file.cer”) <br />
*Sometimes it is possible to bypass this protection by changing some letters of extension to the capital form (example: “file.aSp” or “file.PHp3”). <br />
*Using trailing spaces and/or dots at the end of the filename can sometimes cause bypassing the protection. These spaces and/or dots at the end of the filename will be removed when the file wants to be saved on the hard disk automatically. The filename can be sent to the server by using a local proxy or using a simple script (example: “file.asp ... ... . . .. ..“). <br />
*In case of using insecure IIS6 (or prior versions), it might be possible to bypass this protection by adding a semi-colon after the forbidden extension and before the permitted extension (example: “file.asp;.jpg”). <br />
*This protection can be completely bypassed by using the most famous control character which is Null character (0x00) after the forbidden extension and before the permitted one. In this method, during the saving process all the strings after the Null character will be discarded. Putting a Null character in the filename can be simply done by using a local proxy or by using a script (example: “file.asp%00.jpg”). Besides, it would be perfect if the Null character is inserted directly by using the Hex view option of a local proxy such as Burpsuite or Webscarab in the right place (without using&nbsp;%). <br />
*It is also possible to create a file with a forbidden extension by using NTFS alternate data stream (ADS). In this case, a “:” sign will be inserted after the forbidden extension and before the permitted one. As a result, an empty file with the forbidden extension will be created on the server (example: “file.asp:.jpg”). Attacker can try to edit this file later to execute his/her malicious codes. However, an empty file is not always good for an attacker. So, there is an invented method by the author of this paper in which an attacker can upload a non-empty shell file by using the ADS. In this method, a forbidden file can be uploaded by using this pattern: “file.asp::$data.”. <br />
*Sometimes combination of the above can lead to bypassing the protections.<br />
<br />
=== Using White-List for Files’ Extensions ===<br />
<br />
Many web applications use a white-list to accept the files’ extensions. Although using white-list is one of the recommendations, it is not enough on its own. Without having input validation, there is still a chance for an attacker to bypass the protections. <br />
<br />
*the 3rd, 4th, 5th, and 6th methods of last section apply here as well. <br />
*The list of permitted extensions should be reviewed as it can contain malicious extension as well. For instance, in case of having “.shtml” in the list, the application can be vulnerable to SSI attacks.<br />
<br />
=== Using “Content-Type” from the Header ===<br />
<br />
“Content-Type” entity in the header of the request indicates the Internet media type of the message content . Sometimes web applications use this parameter in order to recognize a file as a good one. For instance, they only accept the files with the “Content-Type” of “text/plain”. <br />
<br />
*It is possible to bypass this protection by changing this parameter in the request header by using a local proxy.<br />
<br />
=== Using a File Type Recogniser ===<br />
<br />
Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the type of the file in order to do further process. For instance, in case of having image resizing, it is probable to have image type recogniser. <br />
<br />
*Sometimes the recognisers just read the few first characters (or header) of the files in order to check them. In this case, an attacker can insert the malicious code after some valid header. <br />
*There are always some places in the structure of the files which are for the comments section and have no effect on the main file. And, an attacker can insert malicious codes in these points. <br />
*Also, it is not impossible to think about a file modifier (for example an image resizer) which produces malicious codes itself in case of receiving special input.<br />
<br />
<br><br />
<br />
== Related [[Attacks]] ==<br />
<br />
*[[Attack 1]] <br />
*[[Attack 2]]<br />
<br />
<br><br />
<br />
== Related [[Vulnerabilities]] ==<br />
<br />
*[[Vulnerability 1]] <br />
*[[Vulnerabiltiy 2]]<br />
<br />
<br><br />
<br />
== Related [[Controls]] ==<br />
<br />
*[[Control 1]] <br />
*[[Control 2]]<br />
<br />
<br><br />
<br />
== Related [[Technical Impacts]] ==<br />
<br />
*[[Technical Impact 1]] <br />
*[[Technical Impact 2]]<br />
<br />
<br><br />
<br />
== References ==<br />
<br />
*Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/ <br />
*Microsoft IIS ASP Multiple Extensions Security Bypass http://secunia.com/advisories/37831/<br />
<br />
TBD <br />
<br />
__NOTOC__ <br />
<br />
[[Category:FIXME|add linksIn addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki></nowiki>Availability VulnerabilityAuthorization VulnerabilityAuthentication VulnerabilityConcurrency VulnerabilityConfiguration VulnerabilityCryptographic VulnerabilityEncoding VulnerabilityError Handling VulnerabilityInput Validation VulnerabilityLogging and Auditing VulnerabilitySession Management Vulnerability]] [[Category:Error_Handling_Vulnerability]] [[Category:Vulnerability]] [[Category:OWASP_ASDR_Project]] [[Category:File_System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=81679Unrestricted File Upload2010-04-18T18:47:24Z<p>Soroush Dalili: /* References */</p>
<hr />
<div>{{Template:Stub}}<br />
{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]<br />
<br />
==Description==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.<br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.<br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.<br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved.<br />
<br />
<br />
==Risk Factors==<br />
<br />
* The impact of this attack is high but the likelihood is low. So, the severity of this type of attack is Medium.<br />
* The website can be defaced.<br />
* The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on.<br />
* This attack can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]].<br />
* An attacker might be able to put a phishing page into the website.<br />
* Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server.<br />
* Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file.<br />
* A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later.<br />
* The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
==Examples==<br />
<br />
===Attacks on application platform===<br />
* Upload .jsp file into web tree - jsp code executed as web user<br />
* Upload .gif to be resized - image library flaw exploited<br />
* Upload huge files - file space denial of service<br />
* Upload file using malicious path or name - overwrite critical file<br />
* Upload file containing personal data - other users access it<br />
* Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
===Attacks on other systems===<br />
* Upload .exe file into web tree - victims download trojaned executable<br />
* Upload virus infected file - victims' machines infected<br />
* Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br />
==Related [[Attacks]]==<br />
<br />
* [[Attack 1]]<br />
* [[Attack 2]]<br />
<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[Vulnerability 1]]<br />
* [[Vulnerabiltiy 2]]<br />
<br />
<br />
<br />
==Related [[Controls]]==<br />
<br />
* [[Control 1]]<br />
* [[Control 2]]<br />
<br />
<br />
==Related [[Technical Impacts]]==<br />
<br />
* [[Technical Impact 1]]<br />
* [[Technical Impact 2]]<br />
<br />
<br />
==References==<br />
* Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/<br />
<br />
TBD<br />
[[Category:FIXME|add links<br />
<br />
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki><br />
<br />
Availability Vulnerability<br />
<br />
Authorization Vulnerability<br />
<br />
Authentication Vulnerability<br />
<br />
Concurrency Vulnerability<br />
<br />
Configuration Vulnerability<br />
<br />
Cryptographic Vulnerability<br />
<br />
Encoding Vulnerability<br />
<br />
Error Handling Vulnerability<br />
<br />
Input Validation Vulnerability<br />
<br />
Logging and Auditing Vulnerability<br />
<br />
Session Management Vulnerability]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:Vulnerability]]<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:File System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=81678Unrestricted File Upload2010-04-18T18:45:21Z<p>Soroush Dalili: /* References */</p>
<hr />
<div>{{Template:Stub}}<br />
{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]<br />
<br />
==Description==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.<br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.<br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.<br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved.<br />
<br />
<br />
==Risk Factors==<br />
<br />
* The impact of this attack is high but the likelihood is low. So, the severity of this type of attack is Medium.<br />
* The website can be defaced.<br />
* The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on.<br />
* This attack can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]].<br />
* An attacker might be able to put a phishing page into the website.<br />
* Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server.<br />
* Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file.<br />
* A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later.<br />
* The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
==Examples==<br />
<br />
===Attacks on application platform===<br />
* Upload .jsp file into web tree - jsp code executed as web user<br />
* Upload .gif to be resized - image library flaw exploited<br />
* Upload huge files - file space denial of service<br />
* Upload file using malicious path or name - overwrite critical file<br />
* Upload file containing personal data - other users access it<br />
* Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
===Attacks on other systems===<br />
* Upload .exe file into web tree - victims download trojaned executable<br />
* Upload virus infected file - victims' machines infected<br />
* Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br />
==Related [[Attacks]]==<br />
<br />
* [[Attack 1]]<br />
* [[Attack 2]]<br />
<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[Vulnerability 1]]<br />
* [[Vulnerabiltiy 2]]<br />
<br />
<br />
<br />
==Related [[Controls]]==<br />
<br />
* [[Control 1]]<br />
* [[Control 2]]<br />
<br />
<br />
==Related [[Technical Impacts]]==<br />
<br />
* [[Technical Impact 1]]<br />
* [[Technical Impact 2]]<br />
<br />
<br />
==References==<br />
* Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0 [http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/]<br />
<br />
TBD<br />
[[Category:FIXME|add links<br />
<br />
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki><br />
<br />
Availability Vulnerability<br />
<br />
Authorization Vulnerability<br />
<br />
Authentication Vulnerability<br />
<br />
Concurrency Vulnerability<br />
<br />
Configuration Vulnerability<br />
<br />
Cryptographic Vulnerability<br />
<br />
Encoding Vulnerability<br />
<br />
Error Handling Vulnerability<br />
<br />
Input Validation Vulnerability<br />
<br />
Logging and Auditing Vulnerability<br />
<br />
Session Management Vulnerability]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:Vulnerability]]<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:File System]]</div>Soroush Dalilihttps://wiki.owasp.org/index.php?title=Unrestricted_File_Upload&diff=81677Unrestricted File Upload2010-04-18T18:39:18Z<p>Soroush Dalili: /* Risk Factors */</p>
<hr />
<div>{{Template:Stub}}<br />
{{Template:Vulnerability}}<br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]<br />
<br />
==Description==<br />
<br />
Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.<br />
<br />
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.<br />
<br />
There are really two different classes of problems here. The first is with the file metadata, like the path and filename. These are generally provided by the transport, such as HTTP multipart encoding. This data may trick the application into overwriting a critical file or storing the file in a bad location. You must validate the metadata extremely carefully before using it.<br />
<br />
The other class of problem is with the file content. The range of problems here depends entirely on what the file is used for. See the examples below for some ideas about how files might be misused. To protect against this type of attack, you should analyze everything your application does with files and think carefully about what processing and interpreters are involved.<br />
<br />
<br />
==Risk Factors==<br />
<br />
* The impact of this attack is high but the likelihood is low. So, the severity of this type of attack is Medium.<br />
* The website can be defaced.<br />
* The web server can be compromised by uploading and executing a web-shell which can: run a command, browse the system files, browse the local resources, attack to other servers, and exploit the local vulnerabilities, and so on.<br />
* This attack can make the website vulnerable to some other types of attacks such as [[Cross-site Scripting (XSS)|XSS]].<br />
* An attacker might be able to put a phishing page into the website.<br />
* Local file inclusion vulnerabilities can be exploited by uploading a malicious file into the server.<br />
* Local vulnerabilities of real-time monitoring tools such as an antivirus can be exploited by uploading a harmful file.<br />
* A malicious file can be uploaded on the server in order to have a chance to be executed by administrator or webmaster later.<br />
* The web server might be used as a warez server by a bad guy in order to be host of malwares, illegal software, steganographic objects, and so on.<br />
<br />
==Examples==<br />
<br />
===Attacks on application platform===<br />
* Upload .jsp file into web tree - jsp code executed as web user<br />
* Upload .gif to be resized - image library flaw exploited<br />
* Upload huge files - file space denial of service<br />
* Upload file using malicious path or name - overwrite critical file<br />
* Upload file containing personal data - other users access it<br />
* Upload file containing "tags" - tags get executed as part of being "included" in a web page<br />
<br />
===Attacks on other systems===<br />
* Upload .exe file into web tree - victims download trojaned executable<br />
* Upload virus infected file - victims' machines infected<br />
* Upload .html file containing script - victim experiences [[Cross-site Scripting (XSS)]]<br />
<br />
<br />
==Related [[Attacks]]==<br />
<br />
* [[Attack 1]]<br />
* [[Attack 2]]<br />
<br />
<br />
==Related [[Vulnerabilities]]==<br />
<br />
* [[Vulnerability 1]]<br />
* [[Vulnerabiltiy 2]]<br />
<br />
<br />
<br />
==Related [[Controls]]==<br />
<br />
* [[Control 1]]<br />
* [[Control 2]]<br />
<br />
<br />
==Related [[Technical Impacts]]==<br />
<br />
* [[Technical Impact 1]]<br />
* [[Technical Impact 2]]<br />
<br />
<br />
==References==<br />
<br />
TBD<br />
[[Category:FIXME|add links<br />
<br />
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki><br />
<br />
Availability Vulnerability<br />
<br />
Authorization Vulnerability<br />
<br />
Authentication Vulnerability<br />
<br />
Concurrency Vulnerability<br />
<br />
Configuration Vulnerability<br />
<br />
Cryptographic Vulnerability<br />
<br />
Encoding Vulnerability<br />
<br />
Error Handling Vulnerability<br />
<br />
Input Validation Vulnerability<br />
<br />
Logging and Auditing Vulnerability<br />
<br />
Session Management Vulnerability]]<br />
<br />
__NOTOC__<br />
<br />
[[Category:Vulnerability]]<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:File System]]</div>Soroush Dalili