File Upload Security Recommendations

By Known-Space -
Proper file type checks: Check for at least basic parameters like file size, mime-type etc and allow only a selected MIME type wherever possible. Make a white-list of file extensions to be allowed for upload. Try to keep away from executable files and scripts where possible. Set minimum and maximum file size for upload. This will prevent Dosing the web server by uploading huge files and exhaust the storage space.
Random filenames and folder: Do not allow user input to specify the destination directory or file name of uploaded documents. Good practice is to rename the document to some random value and track them in your Database. In short guessing the name of the uploaded file should be made difficult for the attacker.
Upload Directory Security: Upload all files outside your web directory. Possibly separate the upload directory from application and system directories/drive. This can help mitigate issues related to resource exhaustion & directory traversal. Set proper folder permissions (chroot() ). Do not allow user to choose the upload folder. Avoid giving writable permissions to users. Instead web server like Apache can be given writable permissions while preventing users from RWX access on the upload folder.
Prevent users from directly accessing the files in the upload directory. Files can directly be stored on the server or other alternative would be to store the files as blobs in database instead. However blobbing for very large files can affect DB performance and also the malicious data if uploaded will be directly saved in database without validating.
Neutering the file like renaming it to some random value or XORing or compressing the file in some way so that the OS doesn’t interpret it as executable etc. will help increase the security barrier.
Anti Virus Scan: Scan the upload files for any virus or malicious content. You can even try out Mod Security which has a feature for inspecting files on upload, which you can combine with some antivirus. The advantage is that you get to block the HTTP request before the file even gets into your system. Alternatively files can also be scanned immediately just after it is uploaded. Both are effective in their own way and can be adapted accordingly depending on their implementation challenges. Other content filtering techniques include icap or CVP which are worth a thought.
File name Validation: While allowing users to upload the files, we allow them to specify the name the files should be referred to. Application should validate these file names for any XSS attacks.
Uploading and saving uploaded sensitive documents in encrypted form: Sensitive data needs to be uploaded via SSL and saved on the server in encrypted form to protect against eavesdropping. The file can also be encrypted while uploading instead of doing so while saving on the server. There are different products which can help you do this like AspEncrypt etc.
Page tokens: Use unique tokens for upload forms. This can help mitigate the less known Cross-site File Upload Attacks. Thus the attacker cannot upload malicious or illegal content on victim’s account. And if the victim is a web-admin, attacker can help himself upload any malicious file to the directories which is otherwise restricted to other users.
Error page: Do not reveal too much info in the error page like the directory path etc which can help attacker in further attack. Use customized error page.
Proper verb: HTTP POST verb is preferred over HTTP PUT or GET verb as it is comparatively more secure.
ACL: Limit “upload module” access to required users or groups wherever possible.
Logging user activities: Log all activities of the user like in this case, IP of user, size of the file, directory to which file was uploaded etc. This is help us know if any attacks were made against your server and if they were successful.

Comments

Post a Comment

Popular posts from this blog

Nginx

By Known-Space -
Image
What is a Web Server? A web server is software and hardware that uses  HTTP  (Hypertext Transfer Protocol) and other protocols to respond to  client  requests made over the World Wide Web. The main job of a web server is to display website content through storing, processing, and delivering webpages to users. Besides HTTP, web servers also support  SMTP  (Simple Mail Transfer Protocol) and FTP (File Transfer Protocol), used for email, file transfer, and storage. Web servers are  used in web hosting  or the hosting of data for websites and web-based applications -- or web applications. How do web servers work? Web server software is accessed through the domain names of websites and ensures the delivery of the site's content to the requesting user. The software side is also comprised of several components, with at least an HTTP server. The HTTP server is able to understand HTTP and URLs. As hardware, a web server is a computer that stores web server software and other files related t
Read more

AWS Configuration For RDS(postgres),ElastiCache(Redis) with ElasticBean

By Known-Space -
AWS Configuration For RDS(postgres),ElastiCache(Redis) with ElasticBean RDS Database Creation Go to AWS Management Console and use Find Services to search for RDS Click Create database button Select PostgreSQL Check 'only enable options eligible for RDS Free Usage Tier' and click Next button Scroll down to Settings Form Set DB Instance identifier to multi-docker-postgres Set Master Username to postgres Set Master Password to postgres and confirm Click Next button Make sure VPC is set to Default VPC Scroll down to Database Options Set Database Name to fibvalues Scroll down and click Create Database button ElastiCache Redis Creation Go to AWS Management Console and use Find Services to search for ElastiCache Click Redis in sidebar Click the Create button Make sure Redis is set as Cluster Engine In Redis Settings form, set Name to multi-docker-redis Change Node type to 'cache.t2.micro' Change Number of re
Read more

Use @Initbinder in Spring MVC

By Known-Space -
Image
In this blog we will learn how to use @initbinder Annotation in Spring MVC. We will walk through a small example with help of a demo application. If you’re familiar with MVC architecture ,you must all be aware that controller is used for processing the web request and rendering the response to the View. Now,Initbinder comes into picture if you want to customize the request being sent to the controller.It is defined in the controller, helps in controlling and formatting each and every request that comes to it. This annotation is used with the methods which initializes  WebDataBinder  and works as a preprocessor for each request coming to the controller. InitBinder interaction with other Components Seems lot of gyaan right ! So,now to explain this let’s take an example. Consider we have student management portal for a school ,which manages the information of all the students present in the school.It has a feature for registering a student when he is admitted to the school. So the form lo
Read more

How to read Dates with Hibernate

By Known-Space -
Handling Dates with Hibernate You can make use of a combination of Java's date formatting class and Hibernate annotations. Sample output: Student [id=50, firstName=Paul, lastName=Doe, email=paul@luv2code.com, dateOfBirth=null] Student [id=51, firstName=Daffy, lastName=Duck, email=daffy@luv2code.com, dateOfBirth=null] Student [id=52, firstName=Paul, lastName=Doe, email=paul@luv.com, dateOfBirth=31/12/1998] Development Process Overview 1. Alter database table for student 2. Add a date utils class for parsing and formatting dates 3. Add date field to Student class 4. Add toString method to Student class 5. Update CreateStudentDemo ---- Detailed steps 1. Alter database table for student We need to alter the database table to add a new column for "date_of_birth". Run the following SQL in your MySQL Workbench tool. ALTER TABLE `hb_student_tracker` . `student` ADD COLUMN `date_of_birth` DATETIME NULL AFTER `last_name` ; -- 2.
Read more

CSRF Protection using Synchronizer Tokens

By Known-Space -
Image
What is cross site request forgery? Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently  authenticated. CSRF attacks specifically target state-changing requests,  not theft of data, since the attacker has no way to see the response to the forged request We can avoid these kind of attack (CSRF) by two ways 1. Synchronizer Tokens 2. Double submitted cookies Here we are considering on Synchronize Tokens. When we login, there will be a random number generated and stored on the client side and server side as well. So when the attacker creates the code he doesn't know the token value. So he can not create a code with the correct token value. Anyhow, if the victim clicks the link, that won't be harmful. because the verification will fail. For the first step we want to create the session in the client side (index.php). Then we want create a cookies and set session id to the cook
Read more

CSRF Protection using Double Submitted Cookies

By Known-Space -
Image
Here we will look about the Double Submitted Cookies to CSRF protection. In Synchronizer Token the client and the server should wants to generate the token value. So this process is time consuming and get load the server. For reduce this kind of issues we are using double submitted cookies. We need java script to run double submitted cookies. For that the http flag should be off. Here we are sending two cookies through the http header and the http body. Then the server will validate these two cookies and if its same it will allow, if its not deny the request. In the client side (index.php) we create the session and store it in the cookie.After that create a token and store it in a new cookie. After that we shoud set the estimation of hidden token as "<? echo $token ?>" This will send the hidden token to server side when client click on login button. After that create a function to validate login in the server side Get the full code from here
Read more

Add Logging Messages in Spring 5.1 - All Java Config Version

By Known-Space -
Image
Add Logging Messages in Spring 5.1 - All Java Config Version The Problem In Spring 5.1, the Spring Development team changed the logging levels internally. As a result, by default you will no longer see the red logging messages at the INFO level. This is different than in the videos. The Solution If you would like to configure your app to show similar logging messages as in the video, you can make the following updates. Note, you will not see the EXACT same messages, since the Spring team periodically changes the text of the internal logging messages. However, this should give you some additional logging data. Overview of the steps 0. Create a logging properties file 1. Create a configuration class to configure the parent logger and console handler Detailed Steps 0. Create a logging properties file This properties file will define the logging levels for the application. The props file sets the logger level to FINE. For more detailed logging info, you can s
Read more

The TRUE difference between [] and {{}} bindings in Angular

By Known-Space -
  One of the parts of Angular that most developers think they understand, but many don’t, is the true nature of [] and {{}} bindings. A fundamental lack of understanding of these bindings can become a major issue when working with templates and trying to get them to do exactly what you want. It can also be the cause of spending an unnecessary amount of hours trying to figure out a bug. So I’m going to run down exactly what these two bindings do, and what it is that many developers misunderstand about them. You’re probably familiar with the typical usage of {{}} bindings: <h1>{{title}}</h1> And you’re probably familiar with the typical usage of [] or property bindings: <img [src]="imgsrc"> But do you truly understand what each binding is doing? And why we use them in this situation? Many if not most developers simply know to use {{}} when putting text in an element, and [] for binding to properties. But have you ever wondered with reactive forms why the  form
Read more

Hibernate and Primary Keys

By Known-Space -
Image
Hibernate and Primary Keys Primary Key :  Uniquely identifies each row in a table  Must be a unique value Cannot contain NULL values MySQL - Auto Increment Hibernate Identity - Primary Key ID Generation Strategies You can define your own CUSTOM generation strategy :-) Create implementation of org.hibernate.id.IdentifierGenerator Override the method: public Serializable generate(…)
Read more