DEXTUpload.NET Professional

Security development guide for file upload

A service that lets users upload files can be attacked from the outside. For example, an attacker can upload a malicious file and then execute a webshell that is stored on the server. Most services include a file attachment function; if there is no security code that verifies the validity of the file being uploaded, an attacker can exploit it to gain privileges on the server or to harm the service.

No platform (ASP, ASP.NET, PHP, JSP (Servlet), etc.) verifies uploaded files by default. Developers who want to provide such a service must therefore write their own code to verify the files transmitted from the client (browser, third-party program).

Filtering the file extension on the client side

When files are uploaded, only authorized files may be accepted.

Which files are accepted depends on the service. In the general case, nothing beyond the commonly used document and media files (doc, docx, xls, xlsx, hwp, ..., jpg, png, etc.) should be allowed. Script files such as jsp, asp, php and cgi must be prohibited from being uploaded.

If you use pure HTML, the file extension can be checked with JavaScript; if you use a component built on plug-in technology such as ActiveX, use the filtering function of the component itself.

The code that verifies the file extension should use a white list (check whether the extension is one that may be uploaded) rather than a black list (check whether the extension is one that is prohibited).

Even after proper verification on the client side, the data may be tampered with while it is being sent to the server. Because the HTTP protocol offers no protection against this, the transmission must be encrypted with SSL (Secure Socket Layer).

Because SSL performs the encryption at the transport layer, developers have nothing to handle separately. However, because SSL involves encryption/decryption, it can reduce overall performance (response speed).

Filtering the file extension on the service (server) side

Even when client-side validation is performed, it can easily be bypassed, so the server-side code must perform the same check.

The extension check must be white-list based, like the client-side check. Inspecting the file name exactly as it was passed from the client, without any pre-processing, is much better for security.

For example, instead of first trimming (deleting the characters that are treated as spaces) or removing special characters, inspect the original file name, and do not save any file on the server whose extension is not in the white list. With black-list filtering, an attacker can repeatedly probe for a pattern that the black list does not cover and attack your service, so be sure to use a white-list verification system.
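The server-side check described above, as an added example (not code from DEXTUpload.NET): the client-supplied name is inspected as-is, and the white list of extensions is an assumption for a hypothetical service.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not DEXTUpload.NET code): white-list check on the ORIGINAL file
// name sent by the client, without trimming or stripping characters first.
public static class UploadNameCheck
{
    // Hypothetical white list for this service; only these extensions may be saved.
    static readonly HashSet<string> Allowed = new HashSet<string>(
        new[] { "doc", "docx", "xls", "xlsx", "hwp", "jpg", "jpeg", "png", "gif", "pdf" },
        StringComparer.OrdinalIgnoreCase);

    public static bool IsAllowed(string originalName)
    {
        if (string.IsNullOrEmpty(originalName)) return false;

        // Refuse anything a file system could reinterpret: path separators and drive
        // letters (checked explicitly so the rule is the same on every platform) and
        // control characters such as NUL, which Path.GetInvalidFileNameChars() covers.
        if (originalName.IndexOfAny(new[] { '/', '\\', ':' }) >= 0) return false;
        if (originalName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;

        // Windows silently drops trailing dots and spaces, so "shell.asp ." would be
        // stored as "shell.asp". Inspect the raw name and reject it instead of cleaning it.
        if (originalName != originalName.TrimEnd(' ', '.')) return false;

        // Only the final extension is compared against the white list.
        int dot = originalName.LastIndexOf('.');
        if (dot <= 0) return false;                     // no extension, or a dotfile such as .htaccess
        return Allowed.Contains(originalName.Substring(dot + 1));
    }

    static void Main()
    {
        // Constructed sample names with the expected verdict for each.
        var samples = new Dictionary<string, bool>
        {
            { "report.docx", true },
            { "photo.JPG", true },
            { "trying to attack the site.jsp", false },
            { "shell.asp .", false },         // would become shell.asp on Windows
            { "..\\web\\shell.aspx", false }, // path separators
            { "image.png\0.asp", false },     // embedded NUL
            { ".htaccess", false },           // dotfile, no extension
        };
        foreach (var s in samples)
            Console.WriteLine($"{(IsAllowed(s.Key) == s.Value ? "ok " : "BAD")} {s.Key.Replace("\0", "\\0")} -> {IsAllowed(s.Key)}");
    }
}
```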

Remove execute permission from the upload directory

Unless there is a special purpose, uploaded files are generally only downloaded.

Even if a webshell file has been saved, it has no serious impact on security as long as the file cannot be executed. Therefore, always remove execute permission from the directory in which files are saved.

Example) Security settings for IIS

In IIS, select the target directory, open the Properties window and set the execute permission to "None".

Example) IIS7 and later

In IIS7 and later, select the upload directory, open Handler Mappings and change the feature permissions.

In Edit Feature Permissions, uncheck the "Script" and "Execute" items.

Example) Apache

In Apache, rather than removing permissions, you can instead restrict which files in the upload directory may be accessed or treated as executable.

# httpd.conf: let the upload directory's .htaccess override file-handling directives.
# Apache does not allow comments on the same line as a directive, so they are kept on their own lines.
# "FileInfo" covers AddType/RemoveHandler and <FilesMatch>; "Limit" is needed for Order/Deny.
# "All" also works, but grants more than is needed.
<Directory upload_directory>
	AllowOverride FileInfo Limit
</Directory>

Create a .htaccess file in the upload directory and change the MIME type so that webshell files are not executed.

# .htaccess in the upload directory
# Deny access to script files. The pattern is not anchored with "$", so it also
# matches names such as x.php.jpg. "Order allow,deny" takes no space after the comma.
<FilesMatch "\.(php|pl|cgi|inc|lib)">
	Order allow,deny
	Deny from all
</FilesMatch>
# Apache 2.4 equivalent of the two lines above: Require all denied
# Unbind any script handler from these extensions, then serve them as documents instead of executing them
RemoveHandler .php .php3 .php4 .phtml .phps .cgi .pl .shtml .jsp
AddType text/html .html .htm .php .php3 .php4 .phtml .phps .in .cgi .pi .shtml .jsp

For further details, refer to the Apache documentation on AllowOverride and .htaccess files:

http://httpd.apache.org/docs/2.4/mod/core.html#allowoverride

http://httpd.apache.org/docs/2.4/howto/htaccess.html

For other web servers and WAS servers, refer to their own documentation.

Do not expose the path of the upload directory

For development convenience, the file upload directory is in many cases located under a web-addressable path. Unlike uploading, downloading is often handled by the web server itself with no developer code involved, so such a directory becomes the place from which an uploaded webshell is executed. Therefore, the upload directory must not be a sub-directory of the service's web root. When an external directory is used, it must not be registered as a web virtual directory, so that it cannot be reached by web address. Instead, develop a download module that reads the file from the external directory and transfers it to the client.

Changing the file management policy

In many cases, people want to save files on the local drive under their original names. Even if the policy is to keep the original file name for the convenience of business management, additional code is then needed to avoid duplicate file names, and as long as file names are not changed, conditions favour a webshell attack.

Uploaded files should be saved under a special file name that follows the service policy, without using the original file name.

Example)

F_[yyyyMMddHHmmssfff]_[Remote IP]_[session and a unique ID]_[thread ID]_[ordering].[meaningless extension name]

"trying to attack the site.jsp" -> "F20130401153027125_111.111.111.111_0012345_100_0001.bin"

The actual local file name is then registered in the database for the download service and used when needed. If the file's size, extension and MIME type (where possible) are registered as well, this helps in implementing additional security checks and services. In conclusion, because an attacker cannot know the name of the file, they cannot run it as a webshell. Even if the file name is known, the file is only reachable through the download module, so the server simply sends it to the client instead of executing it. This is why webshell attacks can be prevented easily.
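The naming policy and download module described above, as an added example (not code from DEXTUpload.NET): the external directory path, the UploadRecord fields and the record id are assumptions, and the original file name is taken from the guide's own example.

```csharp
using System;
using System.IO;
// Added example (not DEXTUpload.NET code): save an upload under a meaningless
// generated name outside the web root and serve it only through a download module.
public sealed class UploadRecord
{
    public int Id;              // the only value handed to the client
    public string OriginalName; // used for the download file name, never for storage
    public string StoredName;   // F_[timestamp]_[ip]_[session]_[thread]_[order].bin
    public long Size;
    public string Extension;    // from the original name, after the white-list check
    public string ContentType;  // MIME type reported by the client, if available
}

public static class UploadStore
{
    // Hypothetical directory outside the web root, never mapped as a virtual directory.
    public static readonly string ExternalDir = Path.GetFullPath(@"D:\uploads_external");
    public static string BuildStoredName(DateTime now, string ip, string sessionId, int threadId, int ordering)
    {
        // ".bin" means nothing to the web server, so no script handler is bound to the saved file.
        return $"F_{now:yyyyMMddHHmmssfff}_{ip}_{sessionId}_{threadId}_{ordering:D4}.bin";
    }

    public static UploadRecord Register(int id, string originalName, long size, string contentType, string storedName)
    {
        // The database keeps this record; the client only ever sees Id.
        return new UploadRecord { Id = id, OriginalName = originalName, StoredName = storedName, Size = size,
                                  Extension = Path.GetExtension(originalName).TrimStart('.'), ContentType = contentType };
    }
    // Download module: the client sends only an id; the physical path comes from the stored
    // name in the database and is confined to ExternalDir before anything is read.
    public static string ResolveForDownload(UploadRecord rec)
    {
        string full = Path.GetFullPath(Path.Combine(ExternalDir, rec.StoredName));
        if (!full.StartsWith(ExternalDir + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("stored name escapes the upload directory");
        // ASP.NET would then stream it (e.g. Response.TransmitFile) with Content-Disposition: attachment built from rec.OriginalName.
        return full;
    }
    static void Main()
    {
        // Constructed values matching the guide's example; the original name is the guide's own.
        string stored = BuildStoredName(new DateTime(2013, 4, 1, 15, 30, 27, 125), "111.111.111.111", "0012345", 100, 1);
        var rec = Register(42, "trying to attack the site.jsp", 1234, "application/octet-stream", stored);
        Console.WriteLine($"{rec.OriginalName} -> {rec.StoredName}");
        Console.WriteLine(ResolveForDownload(rec));
    }
}
```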

DEXTUpload.NET Professional

DEXTUpload.NET Professional does not have its own security features to prevent file upload attacks.

DEXTUpload.NET Professional can save an uploaded file under its original name, or add a sequence number to the file name when saving it. However, regardless of the product, depending on the platform, if the file name contains special or non-permitted characters (as intended by an attacker), it may be stored under an unintended name or an error may occur. Therefore, before saving the file, write code that checks that the file name is valid.