File Upload Security Issues and Best Practices

Overview

A website needs constant attention and new information in order to remain relevant. Rather than uploading single files by hand, more and more websites rely on a process known as automatic file uploading, which uses code to modify or upload new files to a site without the need for human intervention. Automatic file uploading has made uploading files more efficient; however, it comes with its own set of risks. Attackers and malicious content are always trying to penetrate systems and steal their information. With proper preventative techniques, this type of crisis can be avoided.

In this article, I will first discuss possible security risks of file uploading. Next, I will discuss ways of preventing security risks from file uploading. After that, I will discuss popular automatic file uploaders such as AJAX and the Drive API.

Security Risks

When a website allows file uploading, some security issues may arise. It is becoming increasingly common for websites to allow their users to upload their own files, and it has become a requirement for social media websites. If a site's method of file uploading is not secure, a plethora of issues can follow an upload of malicious content.

A common vulnerability is a lack of validation or restrictions on the types of files that can be uploaded. If any type of file can be uploaded to the server, anyone with bad intentions who has access to the site could upload a malicious file that attacks the site's server. Another issue is an over-reliance on MIME-type validation. Attackers can easily bypass this precaution, so other preventative measures should be in place. Another security method that can be easily bypassed is a blacklist of file extensions. A blacklist keeps track of extensions that could be harmful. When a user uploads a file, the system checks the file extension to make sure it is not on the blacklist. If it is, the file is rejected. Unfortunately, a blacklist may not cover every extension that could be harmful to the site and may leave some threats out. An attacker could use an extension that is not on the list to circumvent the security measure.

Prevention

Attackers are always looking for ways to access systems with malicious files that give them control. To avoid such an attack, there are methods and best practices that help alleviate security issues. One method is to allow only specific file extensions. By allowing only file extensions that are harmless, it would be impossible for an attacker to upload a file with a malicious extension. Another method of increasing the security of file uploads within a site is to restrict file uploading to specific verified users. This method would not be effective for a site that encourages its users to share files, such as Instagram, Facebook, Twitter, or any other file-sharing site. Another way to increase security is to not serve files directly from the web server, since doing so opens the server up to vulnerabilities. Use an application to serve the files to mitigate the risk.

There are also security risks when uploading files that come from an unknown source. Cautious steps and defensive behavior when uploading files can prevent a malicious file from entering your system. One step is to change the original file name to an unpredictable name. This makes the file harder to retrieve for anyone who does not know the new name. Rather than storing this newly named file in your document root, create a separate directory to keep your uploaded files in. Once this is done, an attacker will be unable to access the files directly, because the file would be streamed from its source rather than served in place. Always check the file size to make sure it is in the appropriate range. Also, be careful when uploading compressed files directly onto a server: if the archive is malicious, its file size tells you very little about what it contains. When you are suspicious of a file, run a simple malware scan on it before activating it. If the scan indicates malware, do not use the file.
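The checks described in this section, combined into one server-side routine, as an added example that is not part of the original article. It also compares the leading bytes of the content against the extension instead of trusting the client-declared MIME type, which goes slightly beyond the steps listed above; the size limit, upload directory and sample inputs are constructed assumptions.

```javascript
const crypto = require("crypto");
const path = require("path");

// Constructed policy: each allowed extension maps to the magic bytes
// that the file content must start with.
const ALLOWED = new Map([
  [".png", Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  [".jpg", Buffer.from([0xff, 0xd8, 0xff])],
  [".pdf", Buffer.from("%PDF-")],
]);
const MAX_BYTES = 5 * 1024 * 1024;     // assumed upper size limit
const UPLOAD_DIR = "/srv/app-uploads"; // hypothetical directory outside the document root

// clientName and data come from the upload request. The MIME type the
// client declared is deliberately never consulted.
// Returns { ok: true, storedPath } or { ok: false, reason }.
function vetUpload(clientName, data) {
  // 1. Allowlist: anything not explicitly permitted is rejected.
  const ext = path.extname(clientName).toLowerCase();
  const magic = ALLOWED.get(ext);
  if (!magic) return { ok: false, reason: "extension not on allowlist" };

  // 2. Size must be in the expected range.
  if (data.length === 0 || data.length > MAX_BYTES) {
    return { ok: false, reason: "size out of range" };
  }

  // 3. Content must actually look like the type its extension claims.
  if (!data.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: "content does not match extension" };
  }

  // 4. Unpredictable, server-chosen name: no part of clientName other
  //    than the vetted extension reaches the storage path.
  const storedName = crypto.randomBytes(16).toString("hex") + ext;
  return { ok: true, storedPath: path.posix.join(UPLOAD_DIR, storedName) };
}

// Constructed sample uploads.
const samplePng = Buffer.concat([ALLOWED.get(".png"), Buffer.from("constructed body")]);
const samples = [
  ["holiday.PNG", samplePng],                  // accepted
  ["notes.php", Buffer.from("constructed")],   // extension not allowed
  ["avatar.png", Buffer.from("not an image")], // wrong content for .png
];
for (const [name, data] of samples) {
  console.log(name, vetUpload(name, data));
}
```

The stored file would then be returned to users by an application route that reads it from the upload directory, not by a direct link into the web server's document root.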

Methods of Uploading Files Automatically

Google API

Google is the creator of many effective APIs, and this is apparent in its file uploading API, called the Drive API. The Drive API is able to process three types of upload requests: simple uploads, multipart uploads, and resumable uploads. The upload API even has the functionality to convert file types into Google Docs format.

AJAX API

AJAX gives a web application the ability to communicate with a remote web server, drastically reducing web page load times. Therefore, files are now able to be uploaded to a server directly without involving a third-party browser. AJAX file upload is compatible with multiple coding languages for automatic uploading. AJAX can upload files using HTML, JavaScript, and PHP.

JavaScript

JavaScript is able to work with many different libraries for file uploading. This makes it versatile, and each library has its own strengths and weaknesses. For example, JavaScript is compatible with the resumable.js library, which is a highly recommended pairing. This pairing is able to upload large batches of files and has a high fault tolerance.

HTML5/JavaScript

HTML5 allows for multiple file uploads from a single source. Using HTML code, a user is able to create a progress bar to track the uploading of the file. They are also able to embed a cancel button in case a user decides not to upload a file after beginning. This type of automatic file uploading is useful for handling multiple files.

Conclusion

Automatic file uploading has changed the way that files are uploaded to websites and servers. Using code to automate the process has made it more efficient, and it consumes far less time for web developers. There are many risks that arise from any sort of file uploading; however, there are preventative measures that are easily implemented and can be a great defense against attackers and malicious files.
