Chapter 11

Defending File Uploads

If the enemy leaves a door open, you must rush in.

—Sun Tzu in The Art of War

Allowing clients to upload files to the web application is a risky endeavor. Although this is a useful capability, it opens the door for malicious clients to put data into your web application. For example, suppose you want to allow clients to upload image files. How do you ensure that the files being uploaded are truly images and not executable programs of some kind? We must address three main attack scenarios if we want our web application to accept file uploads:

  • Denial of service
  • Backdoor/trojan
  • Malware

The recipes in this chapter include references to material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) or Common Weakness Enumeration (CWE) projects.

Recipe 11-1: Detecting Large File Sizes
This recipe shows you how to use ModSecurity to enforce limits on the size of file uploads.
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_10_setup.conf
    • modsecurity_crs_23_request_limits.conf
  • ModSecurity
    • FILES_SIZES variable
    • FILES_COMBINED_SIZE variable
    • @gt operator
CWE-119: Uncontrolled Resource Consumption (“Resource Exhaustion”)
Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that ...
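
The ingredients listed for this recipe combine as in the following ModSecurity 2.x configuration, which is an added example and not the book's or the CRS's own rule text. The rule ids, the `tx.` variable names, and the byte thresholds are constructed for illustration.

```apache
# Added example: ids, tx variable names and thresholds are assumptions.
# FILES_* variables are only populated when the request body is parsed.
SecRequestBodyAccess On

# Thresholds in bytes (assumed values): 1 MiB per file, 5 MiB per request.
SecAction "id:10001,phase:1,nolog,pass,t:none,\
    setvar:tx.max_file_size=1048576,\
    setvar:tx.combined_file_sizes=5242880"

# FILES_SIZES is a collection with one entry per uploaded file, so this
# rule fires if any single file in the request exceeds the per-file limit.
SecRule FILES_SIZES "@gt %{tx.max_file_size}" \
    "id:10002,phase:2,t:none,deny,status:413,log,\
    msg:'Uploaded file size too large',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR} bytes'"

# FILES_COMBINED_SIZE is the total size of all files in the request. It
# catches many uploads that each stay under the per-file limit.
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
    "id:10003,phase:2,t:none,deny,status:413,log,\
    msg:'Total uploaded files size too large',\
    logdata:'combined=%{MATCHED_VAR} bytes'"
```

Both rules run in phase 2, after the body has been buffered, so `SecRequestBodyLimit` should still be set as the hard cap on how much data ModSecurity will accept before these checks are evaluated.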
