File Extension Filter Bypass
Unsafe File Upload Using File Extension Filter Bypass
Overview of the Vulnerability
Unsafe file uploads occur when the web server fails to sufficiently validate a file's size, type, name, or contents, or fails to restrict what can be done with the file once it has been uploaded. In this case the application does not validate the extension of uploaded files, so an attacker can upload unsafe files to the web server, which can then be served to and executed by users.
Business Impact
Unsafe file upload can lead to reputational damage for the business due to a loss of confidence from users who are attempting to perform legitimate actions within the application. It can also lead to indirect financial loss if an attacker reads or manipulates files on the web server.
Steps to Reproduce
Enable an HTTP intercept proxy, such as Burp Suite or OWASP ZAP
With the HTTP intercept proxy turned on, use a browser to navigate to: {{URL}}
Intercept the request in the HTTP intercept proxy:
{{Request}}
Change the following parameter to append a different value to the extension, as seen below:
{{Request}}
Resend the request
Proof of Concept (PoC)
The screenshot below demonstrates the full exploit:
{{screenshot}}
Recommendation(s)
There is no single technique to prevent unsafe file uploads. However, implementing the right combination of defensive measures within the application will prevent or limit the impact. Some best practices include the following:
Allow only specific file types to be uploaded which are dictated by business functionality
Scan all uploaded content for viruses. Everything that does not pass strict validation should be discarded
Set a minimum and maximum file size and file name length, ensuring that only alphanumeric characters are accepted and that only a single period is used to separate the file name from the extension.
Don’t display the path of the uploaded file to the end users
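The following is an added example (not part of this template) of a server-side validator that applies the recommendations above: an extension allowlist dictated by business needs, size and name-length limits, an alphanumeric base name with exactly one period, and a content check so the bytes must match the declared extension. The allowed extensions, limits and magic numbers are assumed values for illustration.

```python
import re
import secrets

# Allowlist dictated by business functionality (assumed example set).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}
MIN_NAME_LEN, MAX_NAME_LEN = 1, 64            # base name length, characters
MIN_SIZE, MAX_SIZE = 1, 5 * 1024 * 1024       # file size, bytes

# Leading bytes expected for each allowed type, so content must match the extension.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def validate_upload(filename, content):
    """Return (ok, reason). Anything that fails strict validation is rejected."""
    # Exactly one period: one base name and one extension, so names such as
    # "name.ext1.ext2" never reach the extension check.
    if filename.count(".") != 1:
        return False, "filename must contain exactly one period"
    base, ext = filename.split(".")
    ext = ext.lower()  # compare case-insensitively so "PNG" and "png" are the same type
    if not re.fullmatch(r"[A-Za-z0-9]+", base):
        return False, "base name must be alphanumeric"
    if not MIN_NAME_LEN <= len(base) <= MAX_NAME_LEN:
        return False, "base name length out of range"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' is not allowed"
    if not MIN_SIZE <= len(content) <= MAX_SIZE:
        return False, "file size out of range"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match the declared extension"
    return True, "ok"


def storage_name(ext):
    """Server-generated name so the user-supplied name and path are never exposed."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"
```

Validation happens before the file is written anywhere, and the stored name is generated by the server rather than taken from the request.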
For more information, please see: