
Difference between revisions of "Test Upload of Malicious Files (OTG-BUSLOGIC-009)"

From OWASP
Revision as of 13:40, 16 December 2013

Brief Description

Suppose a picture sharing application allows users to upload their .gif or .jpg graphic files to the web site. What if an attacker is able to upload a PHP shell or exe file? The attacker may then

Issue

The application may allow the upload of files that contain exploits or shellcode without submitting them to malicious-file scanning. Malicious files can be detected and stopped at several points in the application architecture: an IPS/IDS, anti-virus software on the application server, or anti-virus scanning performed by the application itself as files are uploaded (perhaps offloading the scan to a dedicated scanning engine, for example over ICAP).

Example

Suppose a picture sharing application allows users to upload .gif or .jpg files to the web site. What if an attacker submits a file that really is a .gif or .jpg, so it passes the "file type check", but has a simple PHP shell embedded in the image data?
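The following is an added example, not code from the OWASP page, showing why the scenario above works. It builds a structurally valid JPEG whose COM (comment) segment carries a PHP open tag, then runs it through the three checks an upload handler typically combines (extension allowlist, client Content-Type, magic bytes) and shows that all three pass. The payload is a harmless echo marker standing in for a shell; the segment layout, the check functions and their names are this example's own assumptions.

```python
import struct

# Constructed stand-in for the "simple PHP shell": a harmless marker that the
# PHP interpreter would still execute if the file were ever served as PHP.
PHP_MARKER = b"<?php echo 'polyglot-test'; ?>"


def jpeg_segment(marker: int, payload: bytes) -> bytes:
    """Encode one JPEG marker segment: 0xFF, marker byte, 2-byte big-endian
    length (which counts itself), then the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg_php_polyglot(php: bytes = PHP_MARKER) -> bytes:
    """SOI + JFIF APP0 + a COM (comment) segment holding the PHP + EOI.

    Structural checks (magic bytes, marker walk) see a JPEG.  PHP, on the
    other hand, copies bytes outside <?php ... ?> to the output verbatim and
    executes what is inside, so the image wrapper does not stop it."""
    soi = b"\xff\xd8"
    app0 = jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    com = jpeg_segment(0xFE, php)
    eoi = b"\xff\xd9"
    return soi + app0 + com + eoi


def jpeg_markers(data: bytes) -> list:
    """Walk the marker segments and return the marker bytes seen, the way a
    type recogniser that 'parses the header' would.  Raises ValueError on
    anything that is not a well-formed sequence of segments."""
    markers, i = [], 0
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError("expected marker at offset %d" % i)
        marker = data[i + 1]
        markers.append(marker)
        if marker in (0xD8, 0xD9):          # SOI / EOI carry no length field
            i += 2
        else:
            (length,) = struct.unpack(">H", data[i + 2:i + 4])
            i += 2 + length
    return markers


def sniff_magic(data: bytes) -> str:
    """Content sniffing as a 'file type recognizer' does it: leading bytes only."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return "application/octet-stream"


def naive_upload_check(filename: str, client_content_type: str, data: bytes) -> bool:
    """The three checks upload handlers usually combine; the polyglot passes all three."""
    ext_ok = filename.lower().rsplit(".", 1)[-1] in {"jpg", "jpeg", "gif"}
    header_ok = client_content_type in {"image/jpeg", "image/gif"}
    magic_ok = sniff_magic(data) != "application/octet-stream"
    return ext_ok and header_ok and magic_ok


def contains_php(data: bytes) -> bool:
    """The check the naive handler lacks: PHP open tags anywhere in the bytes."""
    return b"<?php" in data or b"<?=" in data


if __name__ == "__main__":
    blob = build_jpeg_php_polyglot()
    print("markers:", [hex(m) for m in jpeg_markers(blob)])
    print("sniffed:", sniff_magic(blob))
    print("naive check passes:", naive_upload_check("avatar.jpg", "image/jpeg", blob))
    print("contains PHP:", contains_php(blob))
```

The point of the marker walk is that even a recogniser that parses the JPEG header rather than just the first bytes accepts the file; the only check that catches it is one that looks at the whole content for code, which is what the Issue section above calls malicious-file scanning.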

Testing Method 1

• Using the Metasploit payload generation functionality, generate shellcode as a Windows executable with the Metasploit "msfpayload" command (msfpayload has since been retired from Metasploit; its replacement, "msfvenom", produces the same kind of executable).

• Submit the executable via the application's upload functionality and see whether it is accepted or correctly rejected.

Testing Method 2

• Develop or obtain a file that should trigger the application's malware detection. Ready-made test files are available on the Internet, such as the EICAR test files ducklin.htm and ducklin-html.htm.

• Submit the file via the application's upload functionality and see whether it is accepted or correctly rejected.

Testing Method 3

• Set up the intercepting proxy to capture the "valid" request for an accepted file.

• Send an "invalid" request through the proxy with a valid/acceptable file extension (for example, keep the captured filename and Content-Type but replace the file body with the malicious content) and see whether the request is accepted.
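An added example, not part of the OWASP page, covering Testing Methods 2 and 3 together: it assembles the raw multipart/form-data POST that an intercepting proxy captures for an accepted image, then replays it with only the file bytes replaced by the EICAR anti-malware test string while the filename, extension and Content-Type stay "valid". The parser shows what the server actually receives. The host, path, form field name and boundary value are constructed for the example.

```python
import re

# The EICAR anti-malware test string (68 bytes): harmless, but every mainstream
# engine is required to flag it, which makes it the "file that should fail
# malware detection" of Method 2.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

BOUNDARY = b"----TestCaseBoundary7MA4YWxk"   # constructed boundary value
CRLF = b"\r\n"


def build_upload_request(host: str, path: str, field: str, filename: str,
                         content_type: str, file_bytes: bytes) -> bytes:
    """Assemble the raw POST an intercepting proxy shows for a file upload."""
    part_headers = (
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = (b"--" + BOUNDARY + CRLF + part_headers + file_bytes + CRLF
            + b"--" + BOUNDARY + b"--" + CRLF)
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY.decode()}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def parse_upload_request(raw: bytes) -> dict:
    """Recover what the server sees: request line, Host, the declared field,
    filename and Content-Type of the first part, and the actual file bytes."""
    headers, _, body = raw.partition(CRLF + CRLF)
    request_line = headers.split(CRLF, 1)[0].decode()
    method, path, _ = request_line.split(" ", 2)
    host = re.search(rb"\r\nHost: ([^\r\n]+)", headers).group(1).decode()
    boundary = re.search(rb"boundary=([^\r\n;]+)", headers).group(1)
    delim = b"--" + boundary
    start = body.index(delim) + len(delim) + len(CRLF)       # after "--boundary\r\n"
    end = body.index(CRLF + delim, start)                    # before "\r\n--boundary--"
    part_headers, _, file_bytes = body[start:end].partition(CRLF + CRLF)
    return {
        "method": method, "path": path, "host": host,
        "field": re.search(rb'; name="([^"]*)"', part_headers).group(1).decode(),
        "filename": re.search(rb'filename="([^"]*)"', part_headers).group(1).decode(),
        "content_type": re.search(rb"Content-Type: ([^\r\n]+)", part_headers).group(1).decode(),
        "data": file_bytes,
    }


def tamper_file_body(captured: bytes, new_file_bytes: bytes) -> bytes:
    """Method 3: keep every 'valid' attribute of the captured request (path,
    field, filename, Content-Type) and replace only the file bytes."""
    p = parse_upload_request(captured)
    return build_upload_request(p["host"], p["path"], p["field"], p["filename"],
                                p["content_type"], new_file_bytes)


if __name__ == "__main__":
    valid = build_upload_request("app.example", "/profile/photo", "photo",
                                 "cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    evil = tamper_file_body(valid, EICAR)
    seen = parse_upload_request(evil)
    print(seen["filename"], seen["content_type"], seen["data"] == EICAR)
```

Sending `evil` to the application (over a socket, or by pasting it into the proxy's repeater) is the actual test: a handler that trusts the `.jpg` extension or the `image/jpeg` part header accepts it, and a scanner anywhere in the path should flag the EICAR body.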

Test Tools

Metasploit and its payload generation functionality

Intercepting proxy

Related Test Cases

4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)

4.12.8 Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)

References

OWASP - Unrestricted File Upload - https://www.owasp.org/index.php/Unrestricted_File_Upload

Why File Upload Forms are a Major Security Threat - http://www.acunetix.com/websitesecurity/upload-forms-threat/

File upload security best practices: Block a malicious file upload - http://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload

Overview of Malicious File Upload Attacks - http://securitymecca.com/article/overview-of-malicious-file-upload-attacks/

Stop people uploading malicious PHP files via forms - http://stackoverflow.com/questions/602539/stop-people-uploading-malicious-php-files-via-forms

How to Tell if a File is Malicious - http://www.techsupportalert.com/content/how-tell-if-file-malicious.htm

CWE-434: Unrestricted Upload of File with Dangerous Type - http://cwe.mitre.org/data/definitions/434.html

Implementing Secure File Upload - http://infosecauditor.wordpress.com/tag/malicious-file-upload/

Watchful File Upload - http://palizine.plynt.com/issues/2011Apr/file-upload/

Metasploit Generating Payloads - http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads

Project Shellcode – Shellcode Tutorial 9: Generating Shellcode Using Metasploit http://www.projectshellcode.com/?q=node/29

Anti-Malware Test file - http://www.eicar.org/86-0-Intended-use.html

Remediation

Safeguards such as black- or white-listing file extensions, trusting the "Content-Type" header, or using a file type recognizer are not by themselves reliable protection against this type of vulnerability. Every application that accepts files from users must have a mechanism to verify that the uploaded file does not contain malicious code. Uploaded files should never be stored where users or attackers can directly access them.
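An added example of the remediation above, not code from the OWASP page: a server-side handler that never consults the client's extension or Content-Type, derives the type from the bytes, refuses anything its scanner flags, and stores the result under a random server-chosen name with no execute bit in a directory that is assumed to sit outside the web root. The scanner is a stand-in (EICAR string plus server-side script tags) for a real anti-malware engine, and the size limit and directory are assumptions.

```python
import os
import pathlib
import secrets
import tempfile

MAX_BYTES = 5 * 1024 * 1024                                   # assumed size limit

# The type is derived from the bytes; the client's extension and Content-Type
# header are never consulted.
MAGIC_TO_EXT = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Stand-in for a real anti-malware engine: the EICAR test string plus the
# server-side script tags an image never legitimately contains.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SCRIPT_TAGS = (b"<?php", b"<?=", b"<script", b"<%", b"<asp:")


class UploadRejected(ValueError):
    """Raised with a reason string; the caller logs it and tells the user nothing specific."""


def type_from_bytes(data: bytes):
    """Return the allowed extension for the detected type, or None."""
    for magic, ext in MAGIC_TO_EXT.items():
        if data.startswith(magic):
            return ext
    return None


def stand_in_scanner(data: bytes) -> bool:
    """True if the content should be treated as malicious."""
    lowered = data.lower()
    return EICAR in data or any(tag in lowered for tag in SCRIPT_TAGS)


def store_upload(data: bytes, storage_dir, scanner=stand_in_scanner) -> str:
    """Validate and persist one upload; returns the server-chosen file name.

    storage_dir is assumed to be outside the web root.  If the file is ever
    served back, it should go through a handler that sets Content-Type from
    the stored extension and Content-Disposition: attachment, never through
    the web server's static-file or script handlers."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    ext = type_from_bytes(data)
    if ext is None:
        raise UploadRejected("not an allowed image type")
    if scanner(data):
        raise UploadRejected("scanner flagged content")
    name = secrets.token_hex(16) + "." + ext                      # random; attacker cannot choose it
    path = pathlib.Path(storage_dir) / name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # no exec bit, no overwrite
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name


def run_demo() -> dict:
    """Exercise the handler with four constructed inputs and report the outcomes."""
    samples = {
        "clean_jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "jpeg_with_php": b"\xff\xd8\xff\xe0" + b"<?php echo 'shell'; ?>",
        "eicar_as_image": EICAR,
        "exe_renamed": b"MZ" + b"\x90" * 64,
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in samples.items():
            try:
                results[label] = "stored as " + store_upload(data, d)
            except UploadRejected as e:
                results[label] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:15s} {outcome}")
```

The order of checks matters: the size limit runs before anything reads the content, the type check runs before the scanner so the scanner only ever sees formats the application expects, and the random name plus `O_EXCL` and mode `0o600` mean an attacker can neither predict the stored path, overwrite another user's file, nor have the web server execute what was stored. Re-encoding accepted images through an image library before storage is a further step this example leaves out.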