Keep Your Business Free From Ransomware
File uploads for web applications are essential for user productivity and many business services. For instance, file uploads are an important function for content management systems, healthcare portals, insurance sites, and messaging applications. As organisations move to remote and distanced workspaces it becomes increasingly critical to implement measures to ensure the security of file uploads, since leaving file uploads unrestricted creates an attack vector for malicious actors.
What are the File Upload Risks?
There are three types of risks when allowing file uploads on your site:
1. Attacks on your infrastructure:
- Overwriting an existing file – If a file is uploaded with the same name and extension as a file that already exists on the server, it could overwrite that file. If the overwritten file is a critical one (e.g. a .htaccess file), the new file can be used to launch a server-side attack. This could stop the website from functioning, or it could change security settings so that attackers can upload additional malicious files and extort you for ransom.
- Malicious content – If the uploaded file contains an exploit or malware that leverages a vulnerability in server-side file handling, the file could be used to gain control of the server, with severe business consequences and reputational damage.
2. Attacks on your users:
- Malicious content – If the uploaded file contains an exploit, malware, a malicious script or a macro, it could be used to gain control of the machines of users who open it.
3. Disruption of service:
- If an extremely large file is uploaded, this could consume a large share of the server’s resources and disrupt the service for your users.
How to Prevent File Upload Attacks – Our Web Application Security Checklist
To avoid these types of file upload attacks on web applications, we recommend you follow our checklist of the following ten best practices:
- Only allow specific file types. By limiting the list of allowed file types, you can avoid executables, scripts and other potentially malicious content from being uploaded to your applications.
- Verify file types. In addition to restricting the file types, it is important to ensure that no files are masquerading as allowed file types. For instance, if an attacker renames an .exe to .docx and your solution relies entirely on the file extension, the file would pass your check as a Word document, which it is not. Therefore, verify the actual file type (its content, not just its name) before allowing the file to be uploaded.
- Scan for malware. To minimise risk, all files should be scanned for malware. We recommend multiscanning files with multiple anti-malware engines (using a combination of signatures, heuristics, and machine learning detection methods) in order to get the highest detection rate and the shortest window of exposure to malware outbreaks.
- Remove possible embedded threats. Microsoft Office, PDF and image files can carry embedded threats in hidden scripts and macros that anti-malware engines do not always detect. To remove this risk and make sure that files contain no hidden threats, it is best practice to strip any possible embedded objects using a methodology called content disarm and reconstruction (CDR).
- Authenticate users. To increase security, it is good practice to require users to authenticate themselves before uploading a file. However, that doesn’t guarantee the user’s machine itself wasn’t compromised.
- Set a maximum name length and maximum file size. Make sure to set a maximum name length (restrict allowed characters if possible) and file size in order to prevent a potential service outage.
- Randomise uploaded file names. Randomly alter the uploaded file names so that attackers cannot try to access the file with the file name they uploaded. When using Deep CDR, you can configure the sanitised file to be a random identifier (e.g. the analysis data_id).
- Store uploaded files outside the web root folder. The directory to which files are uploaded should be outside of the website’s public directory so that the attackers cannot execute the file via the assigned path URL.
- Check for vulnerabilities in files. Make sure that you check for vulnerabilities in software and firmware files before they are uploaded.
- Use simple error messages. When displaying file upload errors, do not include directory paths, server configuration settings, or other information that attackers could potentially use to gain further entry into your systems.
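The following upload handler is an added example that is not part of the original checklist and not LoughTec’s or OPSWAT’s code. It shows how the checks above combine in one place: an allowlist of extensions, verification of the file’s leading bytes against that extension (so a renamed .exe fails), a maximum name length with a restricted character set, a maximum size, a random stored name, creation with O_EXCL so nothing is ever overwritten, and a single generic error message. The magic-byte table, size limits, the `scan` callback (a stand-in for a real multi-engine scanner) and the temporary directory standing in for a location outside the web root are all assumptions for the example.

```python
import os
import re
import secrets
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy for this example: allowed extensions and the byte
# prefixes a genuine file of that type starts with. Tune to the application.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
    "docx": [b"PK\x03\x04"],  # OOXML documents are ZIP containers
}
MAX_NAME_LENGTH = 100
MAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MiB
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")  # no slashes, spaces or control chars

# One generic message for every failure: no paths, no configuration details.
ERR_GENERIC = "The file could not be accepted."


@dataclass
class UploadResult:
    ok: bool
    stored_as: Optional[str] = None  # random name inside the upload directory
    message: str = ""


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def validate_upload(filename: str, data: bytes,
                    scan: Callable[[bytes], bool] = lambda _d: True) -> Optional[str]:
    """Return None when the upload passes every check, else the generic error.

    `scan` is a hypothetical hook standing in for a multi-engine malware
    scanner; it returns True when the content is clean.
    """
    if not filename or len(filename) > MAX_NAME_LENGTH or not SAFE_NAME.match(filename):
        return ERR_GENERIC
    if len(data) == 0 or len(data) > MAX_FILE_SIZE:
        return ERR_GENERIC
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return ERR_GENERIC
    # Verify content, not just the name: an .exe renamed to .docx starts
    # with "MZ", not the "PK" ZIP signature, so it is rejected here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return ERR_GENERIC
    if not scan(data):
        return ERR_GENERIC
    return None


def store_upload(filename: str, data: bytes, upload_dir: str,
                 scan: Callable[[bytes], bool] = lambda _d: True) -> UploadResult:
    """Validate the upload and write it under a random name in upload_dir.

    upload_dir must be outside the web server's document root so the stored
    file can never be requested (or executed) by URL.
    """
    err = validate_upload(filename, data, scan)
    if err:
        return UploadResult(ok=False, message=err)
    # Random name: the uploader cannot predict, request or collide with it.
    stored = f"{secrets.token_hex(16)}.{_extension(filename)}"
    path = os.path.join(upload_dir, stored)
    # O_EXCL guarantees we create a new file and never overwrite an existing one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return UploadResult(ok=True, stored_as=stored)


if __name__ == "__main__":
    # Constructed sample inputs; the temp dir stands in for a directory outside the web root.
    with tempfile.TemporaryDirectory() as upload_dir:
        print(store_upload("report.docx", b"MZ\x90\x00" + b"\0" * 16, upload_dir))  # renamed .exe: rejected
        print(store_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16, upload_dir))  # accepted
```

A real deployment would keep the mapping from the random stored name back to the user-facing name in a database, and would run CDR on the accepted bytes before they are written, which this example leaves to the `scan` hook.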
In a recent survey conducted by OPSWAT, only 8% of surveyed organisations implement all 10 of the recommended best practices for web application security protection listed above.
On top of that, less than half of the organisations surveyed currently implement more than five of the 10 best practices on our checklist.
The consequences organisations are most worried about when it comes to their web application security are as follows:
- Loss in business or revenue – 67%
- Reputational damage – 66%
- Denial of service/infrastructure – 59%
- Ransomware payouts – 55%
- Regulatory fines – 47%
- Lawsuits – 39%
- Post outbreak mitigation expenses – 36%
- Not concerned – 2%
Schedule a Meeting
LoughTec is committed to preventing threats and zero-day attacks for secure data transfer across your network, applications, and customer operations.
With almost two decades of experience in securing critical infrastructure systems, our technologies integrate advanced malware protection and detection into your IT solutions and applications.
MetaDefender – our advanced threat prevention solution for file uploads is used by organisations that require the highest level of security, including critical infrastructure, government agencies, and financial institutions.
Use a web application security solution that works – schedule a meeting with one of our technical experts today and explore how we can help you protect your infrastructure from advanced threats. Let us help you implement good web application security for your organisation.
Call us on +44 (0) 28 8225 2445 or email our team at info@loughtec.com.
Check out our other resources regarding Web Application Security here:
Guide to developing a web application security policy
10 Web Application Security Risks
How to Conduct a Web Application Security Audit
8 Web Application Security Threats
Web Application Security Solutions from LoughTec
A version of this checklist was published by OPSWAT on 16th September 2020 – you can view this here – https://www.opswat.com/blog/file-upload-protection-best-practices.