Codepath

File Upload Abuse

File Upload Abuse is the abuse of public file upload features. That is a broad definition and there are many ways that file uploads can be abused.

Web applications often allow users to upload files. Examples include:

  • Profile photo, avatar
  • Photo sharing
  • Animated GIFs in forums
  • Background image, layout customization
  • File distribution (PDF, Word, Excel)
  • Submission for review, contests

The most common types of abuse are uploading files which are too many, too large, or too frequent. Too many or too large files can deplete a system's file storage resources. Files sent too frequently can slow down server processing or monopolize server connections, potentially even leading to a denial of service.

Another potential abuse is users uploading the wrong content type. The application might be expecting an image, but the user uploads a movie or a PDF file.

These file upload abuses could be accidental or intentional.


Malware

The most serious file upload abuse is the uploading of malware. Malware gets its name from "malicious software".

Malware executes when the uploaded file is opened or processed. It may pretend to be a different file type to avoid raising suspicion. It can even be embedded in images, PDF files, or other media assets.

Malware comes in many different varieties. Each one has a different purpose and a different goal.

  • Adware
  • Bots and botnets
    • Spam
    • Denial of Service (DoS)
  • Ransomware
  • Spyware
    • Keystroke loggers
    • Data harvesting
    • Enable web cameras
  • Bypass access controls
  • Rootkit (total server control)

File Upload Abuse Preventions

The best prevention of file abuse is to authenticate users before allowing them to upload files. No anonymous uploads allowed. This will not prevent a determined attacker from creating an account, but it will screen out the general public and provide some tools for identifying the user and revoking their access.

Developers should be extremely cautious about hosting user-uploaded files for public download. It is an easy way to become an unwitting distribution site for malware. Do not do it unless absolutely necessary, and when necessary take additional precautions (Defense in Depth). Limit uploads to directories not readable by the public. Uploads should be human reviewed and approved. Uploads should be scanned for viruses and other malware types.

It is important to validate the uploaded file. Its content type (or MIME type) can be checked against a whitelist of allowed types. Its file extension can be matched against a whitelist of allowed file extensions. In addition, most file types include information in the first few bytes of the file to identify the file format ("Magic Numbers"). This information can be checked to confirm the file type even though the MIME type and file extension can be forged.

The file size can be validated against a maximum file size. In addition to custom size validations, many web servers and PHP's configuration allow setting a maximum file size. Using large hard drives or cloud servers for storage can help ensure that there is always adequate drive space available. Warnings (emails, SMS) can be set up to notify server administrators if disk space becomes low.
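The checks described in the two paragraphs above (extension whitelist, declared MIME type, magic number, and maximum size), combined into one validator as an added example; this is illustrative code, not Codepath's, and the allowed types, the 2 MiB limit and the sample bytes are assumptions constructed for the demonstration:

```python
import os

# Whitelist of accepted types: extension -> (expected MIME type, magic-number prefixes).
# Assumption: the application accepts only a few image formats and PDF.
ALLOWED_TYPES = {
    ".png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
    ".pdf": ("application/pdf", [b"%PDF-"]),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed application limit: 2 MiB


def validate_upload(filename, declared_mime, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, reason). Extension, declared type and content must all agree."""
    # Size first: reject oversized (or empty) uploads before doing any other work.
    if len(data) == 0:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "file exceeds %d bytes" % max_bytes

    # Extension whitelist. Drop any directory components the client sent
    # (both '/' and '\\' separators) and compare the extension case-insensitively.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension %r not allowed" % ext
    expected_mime, magics = ALLOWED_TYPES[ext]

    # Declared MIME type is client-controlled, so it is only a consistency check;
    # strip any parameters such as "; charset=..." before comparing.
    declared = declared_mime.lower().split(";")[0].strip()
    if declared != expected_mime:
        return False, "declared type %r does not match extension %r" % (declared, ext)

    # Magic number: the first bytes of the content must identify the same format,
    # which catches a file of another type renamed to a whitelisted extension.
    if not any(data.startswith(m) for m in magics):
        return False, "content does not match the %s magic number" % expected_mime
    return True, "ok"


# Constructed sample inputs (not real uploads): a minimal PNG header padded with
# zeros, and a short text script renamed to look like an image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SCRIPT_SAMPLE = b"<?php echo 'hello'; ?>\n"
```

Because the three identity checks must agree, a forged extension or Content-Type header alone is not enough to get a non-image past the validator, and the size check runs before any of them so oversized uploads cost the server nothing further.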

To prevent file submissions which are too frequent, the server or firewall should implement throttling and rate limiting.

As a final measure, servers can be scanned with virus detection software to protect against any malware that slips through. This measure is less prevention than remediation. Generally, virus detection software will not detect malware which is present but has not infected the current server. But it would detect if malware had been opened and activated.


Case Studies
