What is Arbitary File Upload Vulnerability ?

Arbitrary File Upload (AFU) is a type of security vulnerability that can occur when attackers upload malicious files to a server. This can lead to a range of devastating attacks, such as remote code execution and server crashes. To prevent AFU vulnerabilities, developers should validate file types and implement file size limits to ensure that only safe and expected files are uploaded to the server. Additionally, they should consider using sandboxing techniques or segregating file storage to further limit the potential damage from any malicious files that do slip through.

The Story

A security researcher named Sagar Sajeev has successfully bypassed a file upload feature on a target website. He chained it to Remote Code Execution (RCE). Despite the target website’s security team attempting to fix the vulnerability three times. However, Sagar was able to bypass their fixes all three times. Sagar was awarded three bounties for his successful exploitation of the vulnerability.

In the first scenario, Sagar was able to bypass the restriction on uploading files with the “.php” extension by renaming the payload to “payload.pHp5,” with a mixture of upper and lower case letters in the extension. This worked as the target website only had client-side validation.

In the second scenario, Sagar renamed the payload to “payload.php\x00.png” and appended “\x00.png” to bypass the restriction. The RCE was triggered by right-clicking and viewing the image in a new tab.

In the third scenario, Sagar found a way to bypass the strict rule that only allowed images by altering the magic bytes of the payload. He used a Linux hex editor and xxd to change the magic bytes of the file to that of a png file, and then uploaded the file under the name “payload.p.phphp.” The website’s firewall removed the term “.php” from the file name, making it “payload.php” and triggering the script.

Sagar was unable to bypass the fourth fix implemented by the website’s security team, and it was reported that they have implemented a hardened validation and verification process for files, as well as a sandbox environment

How to Prevent Arbitary File Upload Vulnerability?

To prevent arbitrary file upload vulnerability, follow these steps:

1. Implement file type validation: Develop a white list of allowed file types that the application can accept. Reject any uploads that do not meet the allowed file type criteria.
2. Check file extensions and MIME types: Use server-side code to validate file extensions and MIME types. This helps prevent attackers from exploiting file type ambiguity.
3. Set appropriate file permissions: Ensure that the uploaded files have limited permissions that prevent execution. Do not allow uploaded files to have read, write, or execute permissions.
4. Implement CAPTCHA: Use CAPTCHA to prevent automated file uploads by bots. CAPTCHA helps prevent attackers from exploiting the vulnerability by making it harder to upload arbitrary files.
5. Use a content security policy: Implement a content security policy (CSP) to restrict the sources from which the application can load content. This can help prevent malicious files from being uploaded and executed.
6. Use a secure file upload library: Choose a secure file upload library that performs proper file type validation and security checks.
7. Implement file upload size limits: Set appropriate file upload size limits to prevent attackers from uploading large files that could cause denial of service (DoS) attacks or overwhelm the target system.

By implementing these measures, you can significantly reduce the risk of arbitrary file upload vulnerabilities in your web application.

Link to read full write up: here

Save the PDF: here