Defending File Uploads
If the enemy leaves a door open, you must rush in.
—Sun Tzu in The Art of War
Allowing clients to upload files to the web application is a risky endeavor. The capability is useful, but it also opens a door for malicious clients to push arbitrary data into your application. For example, suppose you want to let clients upload image files. How do you ensure that the files being uploaded really are images and not, say, an executable program dressed up as one? If we want to allow clients to upload files to our web application, we must address three main attack scenarios:
- Denial of service
The recipes in this chapter include references to material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) or Common Weakness Enumeration (CWE) projects.
- OWASP ModSecurity Core Rule Set (CRS)
- FILES_SIZES variable
- FILES_COMBINED_SIZE variable
- @gt operator
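To show how the two variables and the operator listed above fit together, here is an added example of ModSecurity 2.x rules that enforce a per-file and a combined upload limit; it is not a rule set taken from the book or from the OWASP CRS. The numeric thresholds, the rule IDs (900010, 900011) and the HTTP 413 response are assumptions chosen for illustration, so tune them to what your application actually needs to accept.

```apache
# Added example: ModSecurity 2.x upload size limits (not part of the original text or the CRS).
# FILES_SIZES and FILES_COMBINED_SIZE are only populated after ModSecurity has
# buffered and parsed a multipart/form-data body, so request body access must
# be on and the rules must run in phase 2 (request body), not phase 1 (headers).
SecRequestBodyAccess On

# Engine-level ceiling: bodies larger than this are rejected before any rule
# runs. Keep it at or above the combined limit enforced below, otherwise the
# rule never gets a chance to fire. (8 MiB is an assumed value.)
SecRequestBodyLimit 8388608
SecRequestBodyLimitAction Reject

# Reject any single uploaded file larger than 1 MiB (1048576 bytes).
# FILES_SIZES is a collection with one entry per file part, so @gt is
# evaluated against every file in the request independently.
SecRule FILES_SIZES "@gt 1048576" \
    "id:900010,phase:2,t:none,deny,status:413,log,\
    msg:'Uploaded file exceeds per-file limit of 1 MiB',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

# Reject requests whose files together exceed 5 MiB (5242880 bytes). This
# catches a client that splits a large payload across many small parts,
# each of which individually passes the per-file rule above.
SecRule FILES_COMBINED_SIZE "@gt 5242880" \
    "id:900011,phase:2,t:none,deny,status:413,log,\
    msg:'Combined uploaded file size exceeds 5 MiB',\
    logdata:'%{MATCHED_VAR}'"
```

Two practical checks before relying on these rules: confirm that the engine limit (SecRequestBodyLimit, which the CRS setup file also sets) is not lower than the combined limit in the rule, because the engine rejects oversized bodies before phase 2 rules execute, and exercise both rules with a multipart POST (for example with curl's -F option) so that the audit log shows the expected rule ID and MATCHED_VAR values rather than a generic body-limit error.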