Zach Moshe, Rotem Naar

 File upload vulnerabilities overview
 FUV – detailed overview
 Live demonstration
 In the future…


 Many applications take advantage of the bandwidth available today and allow users to upload files, either for storage or for use within the flow of the software. This makes the software more appealing and interactive for the user
 The uploaded file is a “jack in the box”. It may carry all sorts of trouble, from viruses to extremely large sizes

Safe file upload principles

Each principle is tagged with the part of FUV that implements it (Module and/or Utility).

 Check file type (Module)
◦ Avoid dangerous extensions
◦ Validate MIME type

 Use a random filename (Module, Utility)
◦ Avoid XSS attacks
◦ Avoid file inclusion attacks

 Keep the upload directory secure (Module)

 Scan the file with an AntiVirus (Module)

 Limit file size (Module, Utility)
◦ Avoid DoS attacks

Design and Details

 Java package, which exposes an API that allows file validation through a single validate(file) method
 The application is configured by an XML file that the caller supplies. Only the relevant modules are enabled
 Utilities for the application developer
 Uses Java 1.6

FUV package overview (diagram): Validation modules – used after the file is uploaded; Utils – used before/while uploading the file. This part covers the validation modules.

Class diagram: FileValidator (interface) – boolean validate(File); FileValidatorImpl implements FileValidator and holds a set of Modules (*); Module (interface) – boolean validate(File); implementations: File Type Module, File Name Module, UNIX File Permissions Module, Anti virus Module

 The primary interface of the system
◦ public boolean validate(File file)
 Holds a set of modules
 Returns true if all configured modules approved the file according to their configuration
 If at least one of the modules rejected the file, the method returns false

 Opens archive/compressed files and checks the inner files using the modules
 If one of the inner files is an archive/compressed file too, the same operation is done recursively
 The maximum archive depth allowed is configured in the XML configuration file
 Opens archive/compressed files using the Apache Commons Compress package
 Supported formats: ZIP, TAR, GZIP, BZIP2

 The main operation: public boolean validate(File file)
 All modules have:
◦ a “scanInnerFiles” attribute (“true” by default)
◦ their own configuration
 If “scanInnerFiles” is “true” and the validated file is an archive/compressed file, the module scans the inner files too

 Validates file types according to a predefined set of accepted MIME types (white-list validation)
 Uses the Apache Tika package for content analysis of the file
 Configuration:
◦ Allowed types
◦ Force extension check
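A white-list type check in the spirit of this module, written as an added example rather than taken from FUV: the type comes from Tika's content detection, and with the extension check forced the declared extension must match the detected type. It assumes Apache Tika on the classpath (tika-core, plus tika-parsers for container-aware detection); the map and its null entries follow the AllowedTypes line of the log shown later.

```java
import java.io.File;
import java.io.IOException;
import java.util.*;
import org.apache.tika.Tika;

/** Accepts a file only if its detected MIME type is white-listed (and, optionally, its extension fits that type). */
public class FileTypeCheck {
    private final Map<String, List<String>> allowedTypes;   // MIME type -> permitted extensions; null = no extension rule
    private final boolean forceExtensionCheck;
    private final Tika tika = new Tika();

    public FileTypeCheck(Map<String, List<String>> allowedTypes, boolean forceExtensionCheck) {
        this.allowedTypes = allowedTypes;
        this.forceExtensionCheck = forceExtensionCheck;
    }

    public boolean validate(File file) {
        String contentType;
        try {
            contentType = tika.detect(file);       // content sniffing (magic bytes); the name is only a hint
        } catch (IOException e) {
            return false;                          // unreadable file: reject rather than assume
        }
        if (!allowedTypes.containsKey(contentType)) return false;   // not on the white-list
        List<String> exts = allowedTypes.get(contentType);
        if (!forceExtensionCheck || exts == null) return true;
        String name = file.getName();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return exts.contains(ext);                 // a Word document uploaded as "notes.txt" is rejected here
    }

    public static void main(String[] args) {
        Map<String, List<String>> allowed = new HashMap<>();   // constructed to mirror the AllowedTypes map in the log
        allowed.put("application/x-tika-msoffice", Arrays.asList("doc"));
        allowed.put("application/msword", Arrays.asList("doc"));
        allowed.put("application/vnd.openxmlformats-officedocument.wordprocessingml.document", Arrays.asList("docx"));
        allowed.put("text/plain", null);
        FileTypeCheck check = new FileTypeCheck(allowed, true);
        for (String path : args) {
            System.out.println(path + " -> " + (check.validate(new File(path)) ? "accepted" : "rejected"));
        }
    }
}
```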

 Can be enabled only in a UNIX environment
 Validates that the file on the server has the appropriate permissions
 The module is configured by 3 “maximal” allowed permissions, for the user, group and all (similar to UNIX file permissions)
 Uses the UNIX ls command
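The same "maximal permissions" check, as an added example that is not FUV's code: it reads the mode bits through java.nio instead of parsing ls output, and fails the file if any bit is set that the three maxima do not allow. The "---" value for others is an assumption; the slide's sample configuration only shows rwx and r-x.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Rejects a stored upload whose mode bits exceed the configured maxima for user, group and others. */
public class PermissionsCheck {
    private final Set<PosixFilePermission> allowed;

    /** Each maximum is written as in ls -l, e.g. user "rwx", group "r-x", others "---". */
    public PermissionsCheck(String user, String group, String others) {
        this.allowed = PosixFilePermissions.fromString(user + group + others);
    }

    public boolean validate(Path file) {
        try {
            Set<PosixFilePermission> excess = EnumSet.noneOf(PosixFilePermission.class);
            excess.addAll(Files.getPosixFilePermissions(file));
            excess.removeAll(allowed);                 // bits set on the file but not permitted
            return excess.isEmpty();                   // e.g. "rw-rw-rw-" fails against rwx r-x ---
        } catch (UnsupportedOperationException | IOException e) {
            return false;                              // non-POSIX file system or unreadable: reject
        }
    }

    public static void main(String[] args) {
        PermissionsCheck check = new PermissionsCheck("rwx", "r-x", "---");
        for (String p : args) System.out.println(p + " -> " + check.validate(Paths.get(p)));
    }
}
```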

 Validates filename strings
 Configuration:
◦ Filename length
◦ Allowed character strips – chosen from the strips configured in the system (white-list validation)

 Uses an external program as an AntiVirus
 Approves/rejects the file according to its return code
 Configuration:
◦ AntiVirus path
◦ Success return code
 We’re using ClamAV
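An external-scanner module along these lines, added here as an example and not FUV's own code. It assumes Java 9+ and a clamscan-compatible command line (--no-summary is a real clamscan option; the exit codes in the comment are ClamAV's); the scanner path and success code are deployer configuration, and a hung or missing scanner rejects the file.

```java
import java.io.File;
import java.io.IOException;
import java.util.concurrent.TimeUnit;

/** Approves a file only when the external scanner exits with the configured success code. */
public class AntiVirusCheck {
    private final String scannerPath;      // configured by the deployer, e.g. /usr/bin/clamscan
    private final int successCode;         // clamscan: 0 = clean, 1 = infected, 2 = scanner error
    private final long timeoutSeconds;

    public AntiVirusCheck(String scannerPath, int successCode, long timeoutSeconds) {
        this.scannerPath = scannerPath;
        this.successCode = successCode;
        this.timeoutSeconds = timeoutSeconds;
    }

    public boolean validate(File file) {
        // argv list, not a shell command line: the file name is passed as one opaque argument,
        // and an absolute path cannot start with '-' so it cannot be read as an option
        ProcessBuilder pb = new ProcessBuilder(scannerPath, "--no-summary", file.getAbsolutePath());
        pb.redirectErrorStream(true);
        pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);   // never block on an unread pipe
        try {
            Process p = pb.start();
            if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
                p.destroyForcibly();                          // scanner hung: fail closed
                return false;
            }
            return p.exitValue() == successCode;              // infected and scanner error both reject
        } catch (IOException e) {
            return false;                                     // scanner missing or not executable: reject
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
    }
}
```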

Flow (diagram): FileValidator hands the File to each Module, which returns True or False.

Flow with archives (diagram): FileValidator hands the File to each Module; if the file is an archive/compressed file, then for each inner file: send it to validation; the Module returns True or False.

FUV package overview (diagram): Validation modules – used after the file is uploaded; Utils – used before/while uploading the file. This part covers Utils.

Class diagram: SizeBoundedInputStream extends InputStream – read(), hasReachedLimit(); FileNameGenerator – String generateNewRandomFilename(), String censorFilename(String filename)

 Allows the user to generate safe filenames
 Contains 2 methods:
1. censorFilename(String fileName) – censors the given filename: limits the filename length and removes disallowed characters. Configuration: filename length, allowed character strips
2. generateNewRandomFilename() – generates a random filename according to the configured pattern. Configuration: filename pattern
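One implementation of the two filename utilities above, which also serves as the FileNameModule check described earlier (a name is valid exactly when censoring leaves it unchanged). This is an added example, not FUV's FileNameGenerator: the character strip is passed as a regex character-class body, and the random name uses a fixed prefix instead of a configurable pattern.

```java
import java.security.SecureRandom;
import java.util.regex.Pattern;

/** Filename helpers: white-list censoring, a validity check and random names (constructed example). */
public class SafeFileNames {
    private final int maxStemLength;             // filename length limit, extension excluded
    private final Pattern disallowed;            // everything outside the configured character strip
    private final SecureRandom random = new SecureRandom();

    /** allowedClass is a regex character-class body, e.g. "A-Za-z0-9_()-" (the white-list strip). */
    public SafeFileNames(int maxStemLength, String allowedClass) {
        this.maxStemLength = maxStemLength;
        this.disallowed = Pattern.compile("[^" + allowedClass + "]");
    }

    /** Keeps only the last path segment, strips disallowed characters and truncates the stem. */
    public String censorFilename(String fileName) {
        String base = fileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);        // drop any directory part
        int dot = base.lastIndexOf('.');
        String stem = dot < 0 ? base : base.substring(0, dot);
        String ext  = dot < 0 ? ""   : base.substring(dot + 1);
        stem = disallowed.matcher(stem).replaceAll("");          // inner dots go too: "a.php.txt" -> "aphp.txt"
        ext  = disallowed.matcher(ext).replaceAll("");
        if (stem.length() > maxStemLength) stem = stem.substring(0, maxStemLength);
        if (stem.isEmpty()) stem = "file";                       // never produce an empty name
        return ext.isEmpty() ? stem : stem + "." + ext;
    }

    /** FileNameModule-style check: true only if the name already complies with the length and character rules. */
    public boolean validate(String fileName) { return censorFilename(fileName).equals(fileName); }

    /** Random name from SecureRandom; nothing of the original name survives except the censored extension. */
    public String generateNewRandomFilename(String ext) {
        byte[] b = new byte[8];
        random.nextBytes(b);
        StringBuilder sb = new StringBuilder("upload_");
        for (byte x : b) sb.append(String.format("%02x", x));
        String safeExt = disallowed.matcher(ext).replaceAll("");
        return safeExt.isEmpty() ? sb.toString() : sb + "." + safeExt;
    }

    public static void main(String[] args) {
        SafeFileNames names = new SafeFileNames(50, "A-Za-z0-9_()-");
        System.out.println(names.validate("report(2).docx") + " " + names.validate("../<script>.php.txt")); // true false
        System.out.println(names.censorFilename("../<script>.php.txt"));   // scriptphp.txt
        System.out.println(names.generateNewRandomFilename("txt"));         // upload_<16 hex digits>.txt
    }
}
```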

 Creates a safe way to upload a file without problems caused by its size
 Extends InputStream and wraps the original InputStream
 Once the number of bytes read reaches the maximum allowed, read() returns -1 (EOF) and sets the limitReached flag to “true”
 Configuration: maximum size allowed
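A bounded stream of this shape, as an added example rather than FUV's class. It goes slightly beyond the slide: the limit is treated as inclusive and the flag is raised only if the source still had data, so a file of exactly the maximum size is not mistaken for an oversized one; copyWithinLimit shows the check the caller must make, since the EOF alone looks like a normal end of upload.

```java
import java.io.*;

/** Wraps an upload stream so that no more than maxBytes are ever handed to the caller. */
public class SizeBoundedInputStream extends InputStream {
    private final InputStream in;
    private final long maxBytes;              // configured maximum size
    private long consumed = 0;
    private boolean limitReached = false;

    public SizeBoundedInputStream(InputStream in, long maxBytes) { this.in = in; this.maxBytes = maxBytes; }

    @Override
    public int read() throws IOException {
        if (consumed >= maxBytes) return atLimit();
        int b = in.read();
        if (b != -1) consumed++;
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        if (len == 0) return 0;
        long remaining = maxBytes - consumed;
        if (remaining <= 0) return atLimit();
        int n = in.read(buf, off, (int) Math.min(len, remaining));   // never pull more than the budget
        if (n > 0) consumed += n;
        return n;
    }

    /** At the limit: report EOF, and flag a violation only if the source still had data. */
    private int atLimit() throws IOException {
        if (!limitReached && in.read() != -1) limitReached = true;
        return -1;
    }

    public boolean hasReachedLimit() { return limitReached; }

    @Override
    public void close() throws IOException { in.close(); }

    /** Copies src to dst; false means the upload exceeded maxBytes and dst must be discarded. */
    public static boolean copyWithinLimit(InputStream src, OutputStream dst, long maxBytes) throws IOException {
        SizeBoundedInputStream bounded = new SizeBoundedInputStream(src, maxBytes);
        byte[] buf = new byte[8192];
        for (int n; (n = bounded.read(buf, 0, buf.length)) != -1; ) dst.write(buf, 0, n);
        return !bounded.hasReachedLimit();
    }
}
```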

 Configure engine, modules and utilities parameters
The slide shows a sample XML configuration; the element markup was lost in extraction and only these values remain: Application Name, 7, …, …, 1024, …, …

Further values from the sample configuration, again with the XML markup lost: 50, D, C, O, bin/av_wrapper.sh, 0, word, text, application/x-gzip, rwx, r-x (these appear to be the filename length, the character strips, the AntiVirus path and success return code, the allowed types and the permissions described above)

MIME types listed in the sample configuration:
application/x-tika-msoffice
application/msword
application/x-tika-ooxml
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.openxmlformats-officedocument.wordprocessingml.template
application/rtf
text/plain

Sample log output:
:51:01,859 INFO [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:63] Validating file : C:\tmp_rotem\tmp\out.zip
:51:01,859 DEBUG [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:68] Validating module com.amdocs.filevalidator.modules.FileNameModule
:51:01,875 DEBUG [main] c.a.f.m.FileNameModule [FileNameModule.java:61] File name length (excluding extension) is 3. Maximum length allowed:
:51:01,875 DEBUG [main] c.a.f.m.FileNameModule [FileNameModule.java:81] Allowed chars: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_-)(
:51:01,875 DEBUG [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:68] Validating module com.amdocs.filevalidator.modules.FileTypeModule
:51:01,875 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:61] FileTypeModule was called for out.zip
:51:01,875 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:65] AllowedTypes are {application/x-tika-msoffice=[doc], image/jpeg=[jpg, jpeg], text/plain=null, application/x-bzip2=null, application/x-gtar=null, application/vnd.openxmlformats-officedocument.wordprocessingml.document=[docx], application/msword=[doc], application/x-gzip=null, application/x-tika-ooxml=[docx], application/zip=null}
:51:02,296 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:90] content type is application/zip
:51:02,296 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:93] forcing ext check
:51:02,343 INFO [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:110] Found ZIP file
:51:02,343 INFO [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:323] Entry: cfvxcbcf.txt
…

 XML configuration – using JAXB
 Logging – using SLF4J and LogBack
 Unit testing
 Code examples
 Building the project – using Maven
 Version control – using SVN
 JAR, sources and documents can be found on:

Validate files using FUV package

How to improve the project

 Add client-side support (JavaScript/PHP packages)
 Add a module for special treatment of images (malicious code inside an image)
 Create a secure upload server using the FUV package
 DoS attacks – limit the size and number of files one user can upload in a given period (track the user using cookies or IP)