File uploads are essential for user productivity and many business services and applications. For instance, file uploads are an important function for content management systems, healthcare portals, insurance sites, and messaging applications. As organizations move to remote and distanced workspaces it becomes increasingly critical to implement measures to ensure the security of file uploads, since leaving file uploads unrestricted creates an attack vector for malicious actors.
What are the File Upload Risks?
There are three types of risks when allowing file uploads on your site:
- Attacks on your infrastructure:
- Overwriting an existing file – If a file is uploaded with the same name and extension as an existing file on the server, this could overwrite the existing file. If the file that was overwritten is a critical file (e.g. replace htaccess file), the new file can potentially be used to launch a server-side attack. This could cause the website to no longer function, or it could compromise security settings to allow attackers to upload additional malicious files and exploit you for ransom.
- Malicious content – If the uploaded file contains an exploit or malware which can leverage a vulnerability in server-side file handling, the file could be used to gain control of the server, causing severe business consequences and reputational damage.
- Attacks on your users:
- Malicious content – If the uploaded file contains an exploit, malware, malicious script or macro, the file could be used to gain control of infected users’ machines.
- Disruption of service – If an extremely large file is uploaded, this could result in high consumption of the servers’ resources and disrupt the service for your users.
How to Prevent File Upload Attacks
To avoid these types of file upload attacks, we recommend the following ten best practices:
1. Only allow specific file types– By limiting the list of allowed file types, you can avoid executables, scripts and other potentially malicious content from being uploaded to your application.
2. Verify file types – In addition to restricting the file types, it is important to ensure that no files are ‘masking’ as allowed file types. For instance, if an attacker were to rename an .exe to .docx, and your solution relies entirely on the file extension, it would bypass your check as a Word document which in fact it is not. Therefore, it is important to verify file types before allowing them to be uploaded.
3. Scan for malware – To minimize risk, all files should be scanned for malware. We recommend multi-scanning files with multiple anti-malware engines (using a combination of signatures, heuristics, and machine learning detection methods) in order to get the highest detection rate and the shortest window of exposure to malware outbreaks.
4. Remove possible embedded threats – Files such as Microsoft Office, PDF and image files can have embedded threats in hidden scripts and macros that are not always detected by anti-malware engines. To remove risk and make sure that files contain no hidden threats, it is best practice to remove any possible embedded objects by using a methodology called content disarm and reconstruction (CDR).
5. Authenticate users – To increase security, it is good practice to require users to authenticate themselves before uploading a file. However, that doesn’t guarantee the user’s machine itself wasn’t compromised.
6. Set a maximum name length and maximum file size – Make sure to set a maximum name length (restrict allowed characters if possible) and file size in order to prevent a potential service outage.
7. Randomize uploaded file names – Randomly alter the uploaded file names so that attackers cannot try to access the file with the file name they uploaded. When using Deep CDR, you can configure the sanitized file to be a random identifier (e.g. the analysis data_id).
8. Store uploaded files outside the web root folder – The directory to which files are uploaded should be outside of the website’s public directory so that the attackers cannot execute the file via the assigned path URL.
9. Check for vulnerabilities in files – Make sure that you check for vulnerabilities in software and firmware files before they are uploaded.
10. Use simple error messages – When displaying file upload errors, do not include directory paths, server configuration settings, or other information that attackers could potentially use to gain further entry into your systems.
File Upload Security from OPSWAT
OPSWAT offers multiple solutions for File Upload Security with MetaDefender, an advanced threat prevention platform that helps prevent malicious file upload attacks using multiple anti-malware engines, content disarm and reconstruction (Deep CDR), and vulnerability assessment. MetaDefender can be deployed via an API or with any ICAP enabled network device such as web application firewalls, load balancers and application delivery controllers.
Want to find out more about how to block malicious file uploads? Read our white paper How to Block Malicious File Uploads with OPSWAT APIs.