Test Upload of Unexpected File Types (OTG-BUSLOGIC-008)
Many applications' business processes allow for the upload and manipulation of data that is submitted via files. But the business process must check the files and only allow certain “approved” file types. The risk is that by allowing users to upload files, attackers may submit an unexpected file type that could be executed and adversely impact the application or system through attacks that may deface the web site, perform remote commands, browse the system files, browse the local resources, attack other servers, or exploit local vulnerabilities, just to name a few.
The application may be expecting only certain file types to be uploaded for processing, such as CSV files. The application may not validate the uploaded file by extension (for low assurance file validation) or content (high assurance file validation). This can result in unexpected results from the application, including other vulnerabilities discussed in other sections of the Test Guide.
Suppose a picture sharing application allows users to upload a .gif or .jpg graphic file to the web site. What if an attacker is able to upload an HTML file containing a <script> tag, or a PHP file? The system may move the file from a temporary location to the final location, where the PHP code can now be executed against the application or system.
• Study the application's logical requirements.
• Prepare a library of files that are “not approved” for upload, which may contain files such as:
  o jsp
  o exe
  o html files containing script
• In the application, navigate to the file submission or upload mechanism.
• Submit the “not approved” files for upload and verify that they are prevented from uploading.
Related Test Cases
4.3.3 Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
4.12.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)
OWASP - Unrestricted File Upload - https://www.owasp.org/index.php/Unrestricted_File_Upload
File upload security best practices: Block a malicious file upload - http://www.computerweekly.com/answer/File-upload-security-best-practices-Block-a-malicious-file-upload
Stop people uploading malicious PHP files via forms - http://stackoverflow.com/questions/602539/stop-people-uploading-malicious-php-files-via-forms
CWE-434: Unrestricted Upload of File with Dangerous Type - http://cwe.mitre.org/data/definitions/434.html
Secure Programming Tips - Handling File Uploads - https://www.datasprings.com/resources/dnn-tutorials/artmid/535/articleid/65/secure-programming-tips-handling-file-uploads?AspxAutoDetectCookieSupport=1
Applications should be developed with mechanisms to only take in and manipulate “acceptable” files that the rest of the application functionality is ready to handle and expecting. Some specific examples include: blacklisting or whitelisting of file extensions, using the “Content-Type” header, or using a file type recognizer, all to only allow specified file types into the system.
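As an added example (not part of the OWASP guide), the following Python validator combines the three remediation mechanisms listed above for the picture-sharing scenario: an extension whitelist, a check of the client-supplied Content-Type, and content recognition by magic bytes. The file names, byte strings and the single-extension rule are constructed assumptions for the demonstration.

```python
import os
from typing import Optional, Tuple

# Constructed allow-list: extension -> (expected Content-Type, leading "magic" bytes).
# Only image types the picture-sharing application expects are listed.
ALLOWED = {
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
}


def sniff_type(data: bytes) -> Optional[str]:
    """High-assurance check: identify the file by its content, not its name.
    Returns the matching extension or None if no allowed signature matches."""
    for ext, (_, magics) in ALLOWED.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes, client_content_type: str) -> Tuple[bool, str]:
    """Return (accepted, reason). All checks must pass before the file is stored."""
    base = os.path.basename(filename)  # strip any path the client supplied
    # Assumed policy: exactly one extension, so names like shell.php.jpg are refused.
    if base.count(".") != 1:
        return False, "file name must have exactly one extension"
    ext = os.path.splitext(base)[1].lower()
    # 1. Low-assurance check: extension must be on the whitelist.
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    expected_ct, _ = ALLOWED[ext]
    # 2. Content-Type is client-controlled, so a match is necessary but never sufficient.
    if client_content_type.lower() != expected_ct:
        return False, f"Content-Type {client_content_type} does not match {ext}"
    # 3. Content recognition: the bytes must really be the declared image type.
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content does not match any allowed image signature"
    if ALLOWED[sniffed][1] != ALLOWED[ext][1]:
        return False, f"content looks like {sniffed}, not {ext}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed samples from the "not approved" library described in the test steps.
    for name, body, ctype in [
        ("cat.gif", b"GIF89a\x01\x00\x01\x00", "image/gif"),
        ("page.html", b"<html><script>x</script></html>", "text/html"),
        ("avatar.jpg", b"<?php echo 1; ?>", "image/jpeg"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0JFIF", "image/jpeg"),
    ]:
        print(name, validate_upload(name, body, ctype))
```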