Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zach Moshe Rotem Naar.  File upload vulnerabilities overview  FUV – detailed overview  Live demonstration  In the future…

Published byFrancis Rich Modified over 9 years ago

Similar presentations

Presentation on theme: "Zach Moshe Rotem Naar.  File upload vulnerabilities overview  FUV – detailed overview  Live demonstration  In the future…"— Presentation transcript:

1 Zach Moshe Rotem Naar

2  File upload vulnerabilities overview  FUV – detailed overview  Live demonstration  In the future…

3  Many applications take advantage of the band width available today and allow users to upload file, either for storage or usage within the flow of the software. This allows the software to be more appealing and interactive with the user  The uploaded file is a “jack in the box”. It may convey all sorts of trouble within, from viruses to extremely large sizes

4 Safe file upload principals

5  Check file type ◦ Avoid dangerous extensions ◦ Validate MIME-type Module

6  Use random filename ◦ Avoid XSS attacks ◦ Avoid file inclusion attacks Module Utility

7  Keep upload directory security Module

8  Scan file with AntiVirus Module

9  Limit file size ◦ Avoid DoS attack Module Utility

10 Design and Details

11  Java package, which exposes an API that allows file validation through a single validate(file) method  The application is configured by an XML file that the caller supplies. Only relevant modules will be enabled  Utilities for application developer  Using Java 1.6

12 FUV package Validation modules Utils After the file is uploadedBefore/While uploading the file Validation modules

13 FileValidator > boolean Validate(File) FileValidator > boolean Validate(File) FileValidatorImpl Module > boolean Validate(File) Module > boolean Validate(File) File Type Module File Type Module File Name Module File Name Module UNIX File Permissions Module UNIX File Permissions Module Anti virus Module Anti virus Module *

14  The primary interface of the system ◦ public boolean validate(File file)  Holds set of modules  Returns true if all configured modules approved the file according to their configuration  If at least one of the modules rejected the file, the method returns false

15  Open archive/compressed files and check the inner files using the modules  In case one of the inner files is archive/compressed file too, the same operation is done recursively  The maximum file depth allowed is configured in the XML configuration file  Opens archive/compressed files using Apache-Commons-Compress package  Supported formats: ZIP, TAR, GZIP, BZIP2

16  The main operation:  public boolean validate(File file)  All modules have:  “scanInnerFiles” attribute (“true” by default)  unique configuration  In case “scanInnerFiles” is “true” and the validated file is archive/compressed file, the module will scan the inner files too

17  Validates file types according to a predefined set of accepted MIME types (white-list validation)  Uses Apache-Tika package for content analysis of the file  Configuration: ◦ Allowed types ◦ Force extension check

18  Can be enabled only in UNIX environment  Validates that the file on the server has the appropriate permissions  The module is configured by 3 “maximal” allowed permissions for the user, group and all (similar to UNIX file permissions)  Using ls UNIX command

19  Validates filename strings  Configuration: ◦ Filename length ◦ Allowed character strips – from the strips configured in the system (white-list validation)

20  Uses an external program as an AntiVirus  Approves/Rejects the file according to its return code  Configuration: ◦ AntiVirus path ◦ Success return code  We’re using Clam-AV

21 FileValidator Module File True False

22 FileValidator Module File True False True If archive/comressed: Foreach inner file: send to validation False

23 FUV package Validation modules Utils After the file is uploadedBefore/While uploading the file Utils

24 SizeBoundedInputStream extends InputStream Read() hasReachedLimit() SizeBoundedInputStream extends InputStream Read() hasReachedLimit() FileNameGenerator String generateNewRandomFilename() String censorFilename(String filename) FileNameGenerator String generateNewRandomFilename() String censorFilename(String filename)

25  Allow the user generate safe filenames  Contains 2 methods: 1.censorFilename(String fileName) Censors given filename: limits the filename length and removes not-allowed characters Configuration:  filename length  Allowed characters strips 2.generateNewRandomFilename() Generates random filename according to the configured pattern Configuration: filename pattern

26  Creates safe way to upload a file without a problem with its size  Extends InputStream and warps the original InputStream  In case the number reached the maximum allowed, it returns -1 (EOF) and set the limitReached flag to “true”  Configuration: maximum size allowed

27  Configure engine, modules and utilities parameters Application Name 7 … … 1024 … …

28 50 D C O bin/av_wrapper.sh 0 word text application/x-gzip rwx r-x

29 application/x-tika-msoffice application/msword application/x-tika-ooxml application/vnd.openxmlformats- officedocument.wordprocessingml.document application/vnd.openxmlformats- officedocument.wordprocessingml.template application/rtf text/plain

30 2011-03-04 18:51:01,859 INFO [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:63] Validating file : C:\tmp_rotem\tmp\out.zip 2011-03-04 18:51:01,859 DEBUG [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:68] Validating module com.amdocs.filevalidator.modules.FileNameModule 2011-03-04 18:51:01,875 DEBUG [main] c.a.f.m.FileNameModule [FileNameModule.java:61] File name length (excluding extension) is 3. Maximum length allowed: 50 2011-03-04 18:51:01,875 DEBUG [main] c.a.f.m.FileNameModule [FileNameModule.java:81] Allowed chars: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_-)( 2011-03-04 18:51:01,875 DEBUG [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:68] Validating module com.amdocs.filevalidator.modules.FileTypeModule 2011-03-04 18:51:01,875 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:61] FileTypeModule was called for out.zip 2011-03-04 18:51:01,875 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:65] AllowedTypes are {application/x-tika-msoffice=[doc], image/jpeg=[jpg, jpeg], text/plain=null, application/x-bzip2=null, application/x-gtar=null, application/vnd.openxmlformats- officedocument.wordprocessingml.document=[docx], application/msword=[doc], application/x-gzip=null, application/x-tika-ooxml=[docx], application/zip=null} 2011-03-04 18:51:02,296 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:90] content type is application/zip 2011-03-04 18:51:02,296 DEBUG [main] c.a.f.m.FileTypeModule [FileTypeModule.java:93] forcing ext check 2011-03-04 18:51:02,343 INFO [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:110] Found ZIP file 2011-03-04 18:51:02,343 INFO [main] c.a.f.c.FileValidatorImpl [FileValidatorImpl.java:323] Entry: cfvxcbcf.txt …

31  XML Configuration – using JAXB  Logging - using SLF4J and LogBack  Unit Testing  Code Examples  Building the project – using Maven  Version Control – using SVN  JAR, sources and documents can be found on: http://code.google.com/p/fuv/ http://code.google.com/p/fuv/

32 Validate files using FUV package

33 How to improve the project

34  Add support in client side (JavaScript/PHP packages)  Add module for special treatment to images (malicious code inside image)  Create secure upload server using the FUV package  DoS Attack – limit the size and number of files one user can upload in a given period (track the user using cookies or IP)

35

Download ppt "Zach Moshe Rotem Naar.  File upload vulnerabilities overview  FUV – detailed overview  Live demonstration  In the future…"

Similar presentations

PHP I.

PHP I.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
Software Frame Simulator (SFS) Technion CS Computer Communications Lab (236340) in cooperation with ECI telecom Uri Ferri & Ynon Cohen January 2007.

Software Frame Simulator (SFS) Technion CS Computer Communications Lab (236340) in cooperation with ECI telecom Uri Ferri & Ynon Cohen January 2007.
PHP and the Web: Session : 4. Predefined variables PHP provides a large number of predefined global variables to any script which it runs also called.

PHP and the Web: Session : 4. Predefined variables PHP provides a large number of predefined global variables to any script which it runs also called.
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.

Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.
Academic Advisor: Dr. Yuval Elovici Technical Advisor: Dr. Lidror Troyansky ADD Presentation.

Academic Advisor: Dr. Yuval Elovici Technical Advisor: Dr. Lidror Troyansky ADD Presentation.
Microsoft ® Official Course Interacting with the Search Service Microsoft SharePoint 2013 SharePoint Practice.

Microsoft ® Official Course Interacting with the Search Service Microsoft SharePoint 2013 SharePoint Practice.
Web Tailor Basics.

Web Tailor Basics.
Web Applications Basics. Introduction to Web Web features Clent/Server HTTP HyperText Markup Language URL addresses Web server - a computer program that.

Web Applications Basics. Introduction to Web Web features Clent/Server HTTP HyperText Markup Language URL addresses Web server - a computer program that.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.

CVSQL 2 The Design. System Overview System Components CVSQL Server –Three network interfaces –Modular data source provider framework –Decoupled SQL parsing.
NET+OS Bootloader Overview Requirements How to Build How to Customize Changes to Applications Configuration Settings.

NET+OS Bootloader Overview Requirements How to Build How to Customize Changes to Applications Configuration Settings.

Similar presentations

Ads by Google