Allowing uploads to external facing site

My company has an external/vendor facing website. The Dev team would like to add some functionality to the site that would require the ability to upload files (mostly XLS and CSV) to the site. I'm wondering how you all would address the security concerns associated with allowing this. What type of input validation or data validation would be needed? The site today does not have a WAF sitting in front of it. Is this required?

I like to think of this functionality similar to uploading your resume to Monster.com. How does monster verify that you're not uploading a malicious file?

Hope this is not too vague

Find more posts tagged with

Comments

the_Grinch

Could do some form of virus scanning upon uploading of the file. Also, probably a number of tools that could validate the header of the file to confirm that it is truly a csv/xls. I'd make sure you have a policy preventing the execution of macros as well.

MitM

the_Grinch wrote: »

Could do some form of virus scanning upon uploading of the file. Also, probably a number of tools that could validate the header of the file to confirm that it is truly a csv/xls. I'd make sure you have a policy preventing the execution of macros as well.

Would that be part of the code? One the file is loaded, the site logic would then initiate the virus scan. I'm assuming with an API to the AV?

the_Grinch

A number of ways I could think of to implement it. Could be part of some logic in the code itself or even something on the server where when it detects a change to the folder it looks at what changes then performs a scan of the file.

https://stackoverflow.com/questions/3363767/how-do-you-virus-scan-a-file-being-uploaded-to-your-java-webapp-as-it-streams

Mike7

Is the website for file upload only? No download? Then make sure the upload files are not directly accessible after download via URL such as /upload/a.csv. Especially if the files contains customer information.

File type extension validation is required, i.e. only allow XLS and CSV with validation done on web server side. You do not want someone to upload a .aspx or .php file and use it to execute code on your web server.

Are you processing the file contents after upload? Do you need to keep the files after processing it? Please files in a folder where dynamic code execution is not allowed.

I am not so concerned about EXE virus as someone needs to login to the web server to execute it. You can implement antivirus scanning, but most of them are kinda slow to scan as they need to load virus signatures into memory before scanning. If the dev team use ClamAV, they can load ClamAV daemon and call clamdscan instead of clamscan.

You can also engage a pen tester to test the web app for vulnerabilities.

MitM

Thanks @the_Grinch

Mike7 wrote: »

Is the website for file upload only? No download? Then make sure the upload files are not directly accessible after download via URL such as /upload/a.csv. Especially if the files contains customer information.

File type extension validation is required, i.e. only allow XLS and CSV with validation done on web server side. You do not want someone to upload a .aspx or .php file and use it to execute code on your web server.

Are you processing the file contents after upload? Do you need to keep the files after processing it? Please files in a folder where dynamic code execution is not allowed.

I am not so concerned about EXE virus as someone needs to login to the web server to execute it. You can implement antivirus scanning, but most of them are kinda slow to scan as they need to load virus signatures into memory before scanning. If the dev team use ClamAV, they can load ClamAV daemon and call clamdscan instead of clamscan.

You can also engage a pen tester to test the web app for vulnerabilities.

The website is file upload, no download. The info I received was the files will not be stored, the data in the file will be read by the web application (jboss) and then sent to an ERP system via API.

I'm no web application expert but I would think the uploaded file would need to be saved somewhere before it was processed by the web application. If that was indeed the case, based on the info, the file should be deleted after being processed.

I agree, extension validation is required, that was my first requirement. I did find articles about ClamAV. On the web server, we have Sophos installed. I don't know much about ClamAV but would it make sense to have both installed? I wasn't sure if the web application can make use of Sophos to scan before being uploaded.

I agree on the pen tester but I want to install a web application scanner to see what vulnerabilities I can find and have fixed first, before calling in a pen tester

Mike7

It Sophos is available, use it. Depends on whether you are executing the command line executable and calling their API. See https://community.sophos.com/products/community-chat/f/community-feedback/100498/call-sophos-antivirus-from-java

AFAIK, web application scanners (at least the free ones) do not test file upload functionality.

MitM

Mike7 wrote: »

AFAIK, web application scanners (at least the free ones) do not test file upload functionality.

Thanks! I would think they wouldn't test the upload functionality either. I meant I want to scan it for other things before I bring a pen tester in

Welly_59

I’d be wary of hosting jboss and apache on the same server. Not long ago I had to split a web front end and application onto two different servers due to Thai very thing

paul78

Just my 2 cents but making sure that a malicious payload isn't being uploaded isn't necessarily the only issue to worry about. There are a few other areas that you have to be sure about. Most file upload designs these days if you are using something like AWS would upload the file into an S3 bucket or similar file-based storage instead of loading it as a blob into a database. If you go the route of uploading into some intermediate file storage, you have to also make sure that a malicious actor (or overzealous user) cannot do things like upload files to cause a denial of service issue.

Also - depending on how the files are stored, you would want to make sure that are no horizontal attack vectors. For example, if you are letting a user upload a file and then preview it - you have to be careful that there are IDOR vulnerabilities.

TeKniques

The best thing to do would be to follow the OWASP recommendations for best practices regarding file uploads. You could also have your code audited and tested by a professional web application penetration tester.