Many modern web applications have file upload capabilities, which are usually necessary for the web application's functionality to enable features like attaching files or changing a user's profile image. If the file upload functionality is not securely coded, it may be abused to upload arbitrary files to the back-end server, eventually leading to compromise of the back-end server.
When an attacker can upload arbitrary files to the back-end server, they can upload malicious files, like web shells, which would enable them to execute arbitrary commands on the back-end server. This eventually allows attackers to take control over the entire server and all web applications hosted on it, which makes
File Upload Attacks among the most critical web vulnerabilities.
This module will discuss the basics of identifying and exploiting file upload vulnerabilities and identifying and mitigating basic security restrictions in place to reach arbitrary file uploads.
In addition to the above, the
File Upload Attacks module will teach you the following:
- What are file upload vulnerabilities?
- Examples of code vulnerable to file upload vulnerabilities
- Different types of file upload validations
- Detecting and exploiting basic file upload vulnerabilities
- Bypassing client-side file upload validation
- Bypassing blacklisted and whitelisted extension validation
- Bypassing type and content validation
- Bypassing other basic security restrictions
- Attacking upload forms with limited allowed file types
- Preventing file upload vulnerabilities through secure validation techniques
CREST CPSA/CRT-related Sections:
- Intro to File Upload Attacks
- Absent Validation
- Upload Exploitation
CREST CCT APP-related Sections:
- All sections
CREST CCT INF-related Sections:
- All sections
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the
PwnBox provided in the interactive sections or your virtual machine.
The module is classified as "
Medium" and assumes a working knowledge of the Linux command line and an understanding of information security fundamentals. The module also assumes a basic understanding of web applications and web requests. It will build on this understanding to teach how Arbitrary File Upload vulnerabilities work and how to exploit them.
In addition to the above, a firm grasp of the following modules can be considered as prerequisites for the successful completion of this module:
- Linux Fundamentals
- Web Requests
- Introduction to Web Applications
- Using Web Proxies
- Web Attacks
Intro to File Upload Attacks
Uploading user files has become a key feature for most modern web applications to allow the extensibility of web applications with user information. A social media website allows the upload of user profile images and other social media, while a corporate website may allow users to upload PDFs and other documents for corporate use.
However, as web application developers enable this feature, they also take the risk of allowing end-users to store their potentially malicious data on the web application's back-end server. If the user input and uploaded files are not correctly filtered and validated, attackers may be able to exploit the file upload feature to perform malicious activities, like executing arbitrary commands on the back-end server to take control over it.
File upload vulnerabilities are amongst the most common vulnerabilities found in web and mobile applications, as we can see in the latest CVE Reports. We will also notice that most of these vulnerabilities are scored as
Critical vulnerabilities, showing the level of risk caused by insecure file upload.
Types of File Upload Attacks
The most common reason behind file upload vulnerabilities is weak file validation and verification, which may not be well secured to prevent unwanted file types or could be missing altogether. The worst possible kind of file upload vulnerability is an
unauthenticated arbitrary file upload vulnerability. With this type of vulnerability, a web application allows any unauthenticated user to upload any file type, making it one step away from allowing any user to execute code on the back-end server.
Many web developers employ various types of tests to validate the extension or content of the uploaded file. However, as we will see in this module, if these filters are not secure, we may be able to bypass them and still reach arbitrary file uploads to perform our attacks.
The most common and critical attack caused by arbitrary file uploads is
gaining remote command execution over the back-end server by uploading a web shell or uploading a script that sends a reverse shell. A web shell, as we will discuss in the next section, allows us to execute any command we specify and can be turned into an interactive shell to enumerate the system easily and further exploit the network. It may also be possible to upload a script that sends a reverse shell to a listener on our machine and then interact with the remote server that way.
In some cases, we may not have arbitrary file uploads and may only be able to upload a specific file type. Even in these cases, there are various attacks we may be able to perform to exploit the file upload functionality if certain security protections were missing from the web application.
Examples of these attacks include:
- Introducing other vulnerabilities like
- Causing a
Denial of Service (DoS)on the back-end server.
- Overwriting critical system files and configurations.
- And many others.
Finally, a file upload vulnerability is not only caused by writing insecure functions but is also often caused by the use of outdated libraries that may be vulnerable to these attacks. At the end of the module, we will go through various tips and practices to secure our web applications against the most common types of file upload attacks, in addition to further recommendations to prevent file upload vulnerabilities that we may miss.