Ok folks! Here we are again! This time this article will try to be a perfect mixture of informative and rant. And by “informative” I mean “this is the problem and here is how you can solve it”. So, let’s open a beer and get started!
A Small Context
You know, I always say:
file uploads are like that person who shows up to your party uninvited. Sure, they might bring a pie or some alcohol, or help out around the place, making things run a little smoother, but they also might just sneak in an attitude or something that, sooner or later, will start a fight.
Same thing with file uploads. They’re great for getting work done, tossing documents back and forth between the good folks trying to do their jobs, or clients sending you stuff you need. But they’re also an open door for a bad actor to slip in something really nasty.
The main issues
You know, running a business these days is a lot like trying to keep your pants up during a wild night out. You’ve got all these departments—accounting, HR, you name it—flipping files back and forth like pancakes at a Sunday breakfast. And it ain’t just about throwing a spreadsheet to your buddy anymore. Nope, these days, opening a file can be like opening the Lost Ark of Indiana Jones, and I doubt you would like to end up all melted. And all you need to do is simply open that doc file or accept its macro.
So, if before (many years ago) a user would have to install some shady application…now the story is a bit different. As said three lines above, all you need to do is open a resume, your courier receipt, your last quarter spreadsheet or any file related to productivity. As if that wasn’t enough, many attackers can also benefit from Improper/Inadequate Input Validation (especially in your “Upload your file” form), SSRF, RCE and various misconfigurations depending on your environment….
I know, I painted quite an eerie and awful picture here…but hey, it’s not my fault if the majority of my colleagues do not think as an attacker does!
The Solution: Ban Files? NO!
I know, the most tempting (and easy) solution would be that. But it’s very useless, since you need to share documents in your day-to-day operations and clients might need to send you stuff (ID, contracts, whatever). So, I’m not coming with a solution to everything (that is impossible, and avoid anyone who says otherwise – remember: a 100% secure system is NOT possible) but with a few very good practices to follow in order to reduce the risk of having future (serious) problems.
Best Practices
Each company has its own needs (in terms of workflows and security), so the assessment phase is quite important.
Talk to yourself and ask important questions
No, I’m not welcoming schizophrenia…
- Restrictions: how many of them can you apply without causing problems for everyone else? It’s like putting a breathalyzer on a beer tap. Sure, it’s safe, but man, is it a buzzkill. So evaluate each case carefully.
- Training/Knowledge: how much can you really trust that, after sitting through a security seminar, your employees are gonna remember anything? It’s like believing I’ll remember my anniversary. Spoiler alert: I won’t, and neither will they when it comes to all that security mumbo jumbo.
- File Check: how are you checking these files? Are you pre-processing them? It’s kinda like sniffing the milk before you pour it into your coffee—you wanna make sure it’s not going to let you spend the day in the bathroom. How do you know that the very thing you set up to catch problems isn’t gonna be the thing that causes them?
- Sandbox: how sure are you that this simulated sandbox you built is anything like the real deal? It’s like rehearsing your marriage proposal with your dog. Sure, it goes great with your best furry four-legged friend, but how’s it gonna fly with your girlfriend at the fancy restaurant?
Use Cases
So, let’s put on our detective hats and consider your situation here:
First up, why the heck are folks uploading files to your portal anyway? Is it because they’re sending over scanned documents, swapping drafts with your buddies in the legal department, or maybe sharing invoices that make you wonder if you’re running a business or a charity?
Now, think about what kind of files you’re dealing with. If it’s just PDFs and spreadsheets, you gotta ask yourself: why in the world would you let in a PDF that’s more stuffed than a Beercan Chicken with things like JavaScript? That’s like giving the keys to your brand-new car to the guy who just stumbled out of the pub.
And about those documents with hyperlinks and macros—do you really trust them? It’s like picking up a hitchhiker who’s wearing a shirt that says, “Ask me about my criminal record.”
Then there’s the whole thing about images. How do you know that picture is legit and not something whipped up by some threat actor?
Deciding that no file with a script or macro should sneak into your organization is one thing, but actually keeping them out? That’s about as tough as teaching my dog not to chase cats.
The reality is, you can’t always tell what’s in a file without opening it up and having a look-see, and by then, it might be too late.
So, we gotta buckle up and take some extra steps to shield ourselves from these wolves in sheep’s clothing, masquerading as your everyday office files. It’s like knowing you might find a snake in the grass, so you wear boots tall enough to keep you from getting bit.
File Type
Think of it like only stocking the top shelf with the booze you know won’t make your guests blind. This is crucial. You don’t want to open up the floodgates to every kind of file; that’s like serving moonshine and expecting no one to go crazy. We pick what files our team actually needs, and kick the rest to the curb. How? Many people just rely on the frontend developer to use the “accept” attribute on the website. Folks, THAT IS NOT ENOUGH! Come on! The browser-side check is trivially bypassed, so you always have to validate the file on your backend, on its actual content. There are tons and tons of libraries, in any language, that you can use to do that.
So, if so far you’ve been checking only the file extension and/or using the accept attribute then…I’m sorry…but I have very bad news for you.
Lastly, if you have followed me around, you know that I love the quote “Paranoia is a Virtue” (thank you Mr Wheeler!). So try to use any tool that allows a proper check of the file content, in order to be sure that there is no foul play here. This will also help you avoid a DTD (Document Type Declaration) situation, which brings with it attacks like XXE, DoS, SSRF, and other risks…
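As an added example (not code from the original post), here is a minimal Python backend check that does what this section and the conclusion argue for: an extension allowlist, a magic-byte check of the actual content rather than the name, and a scan for embedded JavaScript or auto-run actions in PDFs and for macros or DTDs inside OOXML (docx) documents. The `ALLOWED` table and the `build_docx` sample inputs are constructed for illustration; in production, pair this with a real content-inspection library and an antivirus scan.

```python
import io
import re
import zipfile

# Allowlist: extension -> magic bytes the content must start with.
# Constructed for this example; keep only the types your workflow needs.
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",
}

def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason), judging the bytes, not just the name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, "extension not in allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    # PDFs: reject embedded JavaScript and auto-run/launch actions.
    if ext == "pdf" and re.search(rb"/(JavaScript|JS|OpenAction|Launch)\b", data):
        return False, "pdf carries a script or auto-run action"
    if ext == "docx":
        return check_ooxml(data)
    return True, "ok"

def check_ooxml(data: bytes) -> tuple:
    """OOXML is a zip: look for VBA macros and DTDs in the XML parts."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                low = name.lower()
                if low.endswith("vbaproject.bin"):
                    return False, "document contains macros"
                if low.endswith((".xml", ".rels")) and b"<!DOCTYPE" in zf.read(name):
                    return False, "xml part declares a DTD"
    except zipfile.BadZipFile:
        return False, "not a valid OOXML container"
    return True, "ok"

def build_docx(parts: dict) -> bytes:
    """Constructed minimal OOXML-like zip, used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A file named `invoice.pdf` that actually starts with a different signature is rejected on content, and a docx whose zip carries `vbaProject.bin` is rejected as a macro document even if the name looks harmless.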
Conclusion (?)
Integrate your file upload mechanism with an antivirus system and always sanitize the content!
So, the things to remember here are:
- Never trust anyone
- Check the file content
- Avoid (when possible) embedded objects in your documents, like scripts and macros
As always,
Stay safe !
I recently discovered your blog, and I must say that I genuinely enjoyed reading your posts. I’m planning to subscribe to your updates, and I hope you continue to provide new content regularly.
Thank you!