Pascal Wichmann
ABSTRACT
Improper handling of file uploads in web applications induces threats to the application and its users. In this paper, we propose FileUploadChecker, a server-side tool to automatically detect potentially malicious file uploads in web applications and reject or sanitize malicious content in files. FileUploadChecker works transparently on the web request level, using the middleware concept of web frameworks. Thus, FileUploadChecker can be deployed without modifications to the code of existing web applications, for example, if it is infeasible for server administrators to maintain patches to the underlying software or if proprietary software cannot be patched.
FileUploadChecker helps to protect from the exploitation of several file upload vulnerabilities. In our evaluation, we analyze vulnerabilities that have been present in popular software packages, finding that FileUploadChecker can partially or fully protect from an exploitation of of these vulnerabilities. Furthermore, we test FileUploadChecker with a sample of benign files and with a penetration testing tool, yielding false positive rates between and , depending on the file type.
- Nasser S. Alamri and William H. Allen. 2014. A taxonomy of file-type identification techniques. In ACM Southeast Regional Conference.Google Scholar
- Ömer Aslan and Refik Samet. 2020. A Comprehensive Review on Malware Detection Approaches. IEEE Access 8(2020), 6249–6271. https://doi.org/10.1109/ACCESS.2019.2963724Google ScholarCross Ref
- Thomas Boutell and Tom Lane. 1996. PNG Specification: File Signature. http://www.libpng.org/pub/png/spec/1.0/PNG-Rationale.html#R.PNG-file-signature (accessed October 15, 2021).Google Scholar
- Web Application Security Consortium. 2006. Web Application Firewall Evaluation Criteria. https://projects.webappsec.org/f/wasc-wafec-v1.0.pdfGoogle Scholar
- Anusha Damodaran, Fabio Di Troia, Corrado Aaron Visaggio, Thomas H. Austin, and Mark Stamp. 2017. A comparison of static, dynamic, and hybrid analysis for malware detection. J. Comput. Virol. Hacking Tech. 13, 1 (2017).Google Scholar
- Lieven Desmet, Frank Piessens, Wouter Joosen, and Pierre Verbaeten. 2006. Bridging the gap between web application firewalls and web applications. In Proceedings of the 2006 ACM workshop on Formal methods in security engineering, FMSE 2006. ACM.Google ScholarDigital Library
- CVE Details. 2021. FFMPEG Security Vulnerabilities. https://www.cvedetails.com/vulnerability-list/vendor_id-3611/product_id-6315/Ffmpeg-Ffmpeg.html (accessed October 15, 2021).Google Scholar
- CVE Details. 2021. Imagemagick Security Vulnerabilities. https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html (accessed October 15, 2021).Google Scholar
- CVE Details. 2021. Python Pillow Security Vulnerabilities. https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-27460/Python-Pillow.html (accessed October 15, 2021).Google Scholar
- Flask Developers. 2021. Flask Documentation: Becoming Big. Wrap with middleware. https://flask.palletsprojects.com/en/2.0.x/becomingbig/ (accessed October 15, 2021).Google Scholar
- Adam Doupé, Marco Cova, and Giovanni Vigna. 2010. Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners. In Detection of Intrusions and Malware, and Vulnerability Assessment, 7th International Conference, DIMVA.Google Scholar
- Edgescan. 2021. 2021 Vulnerability Statistics Report. Technical Report. https://info.edgescan.com/hubfs/Edgescan2021StatsReport.pdf (accessed September 16, 2021).Google Scholar
- R. Fielding and J. Reschke. 2014. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. RFC 7230.Google Scholar
- Django Software Foundation. 2021. Django Documentation: Middleware. https://docs.djangoproject.com/en/3.2/topics/http/middleware/ (accessed October 15, 2021).Google Scholar
- OWASP Foundation. 2021. OWASP Top 10 - 2021. Technical Report. OWASP Foundation. https://owasp.org/Top10/ (accessed October 21, 2021).Google Scholar
- Ouissem Ben Fredj, Omar Cheikhrouhou, Moez Krichen, Habib Hamam, and Abdelouahid Derhab. 2020. An OWASP Top Ten Driven Survey on Web Application Protection Methods. In Risks and Security of Internet and Systems - 15th International Conference, CRiSIS 2020. Springer, 235–252.Google Scholar
- Gustavo Henke and express-validator contributors. 2021. express-validator. https://express-validator.github.io/Google Scholar
- Jin Huang, Yu Li, Junjie Zhang, and Rui Dai. 2019. UChecker: Automatically Detecting PHP-Based Unrestricted File Upload Vulnerabilities. In 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.Google Scholar
- Naeem Ilyas, Giovanni Cimolin da Silva, and Kshitij Sobti. 2019. Django Upload Validator. https://github.com/mckinseyacademy/django-upload-validator (accessed June 17, 2021).Google Scholar
- Virgile Jarry and GitHub Contributors. 2021. fuxploider. https://github.com/almandin/fuxploider. (accessed June 14, 2022).Google Scholar
- Taekjin Lee, Seongil Wi, Suyoung Lee, and Sooel Son. 2020. FUSE: Finding File Upload Bugs via Penetration Testing. In 27th Annual Network and Distributed System Security Symposium, NDSS.Google ScholarCross Ref
- Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, and Martin Johns. 2019. ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices. In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019, Auckland, New Zealand, July 09-12, 2019. ACM, 391–402. https://doi.org/10.1145/3321705.3329841Google ScholarDigital Library
- Adrian Nürnberger and Mathias Onea. 2021. Laravel Image Sanitize. https://github.com/laravel-at/laravel-image-sanitize (accessed May 3, 2021).Google Scholar
- Karishma Pooj and Sonali Patil. 2016. Understanding File Upload Security for Web Applications. International Journal of Engineering Trends and Technology (2016).Google Scholar
- Stefan Prandl, Mihai M. Lazarescu, and Duc-Son Pham. 2015. A Study of Web Application Firewall Solutions. In Information Systems Security - 11th International Conference, ICISS.Google Scholar
- Antonio Ramirez. 2021. express-autosanitizer. https://github.com/antoniormrzz/express-autosanitizer (accessed June 17, 2021).Google Scholar
- Symfony SAS. 2021. Symfony Documentation: How to Set Up Before and After Filters. https://symfony.com/doc/current/event_dispatcher/before_after_filters.html (accessed October 15, 2021).Google Scholar
- Rami Sihwail, Khairuddin Omar, and Khairul Akram Zainol Ariffin. 2018. A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis. International Journal on Advanced Science, Engineering and Information Technology (2018).Google ScholarCross Ref
- The ClamAV Team. 2021. ClamAV open-source anti-virus engine. https://www.clamav.net (accessed October 4, 2021).Google Scholar
- Pascal Wichmann, Alexander Groddeck, and Hannes Federrath. 2022. PyPi: Django Middleware Proof of Concept Implementation of FileUploadChecker. https://pypi.org/project/django-middleware-fileuploadvalidation/Google Scholar
- Luyi Xing, Yangyi Chen, XiaoFeng Wang, and Shuo Chen. 2013. InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations. In 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013. The Internet Society. https://www.ndss-symposium.org/ndss2013/integuard-toward-automatic-protection-third-party-web-service-integrationsGoogle Scholar
- Jason Zhang. 2018. MLPdf: an effective machine learning based approach for PDF malware detection. arXiv preprint arXiv:1808.06991(2018).Google Scholar
Index Terms
- FileUploadChecker: Detecting and Sanitizing Malicious File Uploads in Web Applications at the Request Level
Recommendations
Enlargement of vulnerable web applications for testing
There are two main kinds of vulnerable web applications, usual applications developed with a specific aim and applications which are vulnerable by design. On one hand, the usual applications are those that are used everywhere and on a daily basis, and ...
Empirical Analysis of Web Attacks
The web applications are becoming more popular and complex in today's era of Internet. These on-line applications provide rich benefits along with risk to organization, brand and data. Malicious attackers continue to exploit vulnerabilities in ...
A Survey on XSS Attack Detection and Prevention in Web Applications
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and ComputingWith the popularity of web technology, web applications become more increasingly vulnerable and are exposed to malicious attacks. Cross Site Scripting(XSS) is a typical attack in web applications. When a vulnerability is exploited, an attacker may ...
Comments