Chapter 11 Defending File Uploads

If the enemy leaves a door open, you must rush in.

—Sun Tzu in The Art of War

Allowing clients to upload files to the web application is a risky endeavor. Although this is a useful capability, it opens the door for malicious clients to put data into your web application. For example, suppose you want to allow clients to upload image files. How do you ensure that the files being uploaded are truly images and not some other type of executable program? We must address three main attack scenarios if we want to allow our web application to upload files:

Denial of service
Backdoor/trojan
Malware

The recipes in this chapter include references to material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) or Common Weakness Enumeration (CWE) projects.

Recipe 11-1: Detecting Large File Sizes

This recipe shows you how to use ModSecurity to enforce limits on the size of file uploads.

Ingredients

OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_10_setup.conf
- modsecurity_crs_23_request_limits.conf
ModSecurity
- FILES_SIZES variable
- FILES_COMBINED_SIZE variable
- @gt operator

CWE-119: Uncontrolled Resource Consumption (“Resource Exhaustion”)

Limited resources include memory, file system storage, database connection pool entries, or CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that ...

Get Web Application Defender's Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Web Application Defender's Cookbook by Ryan C. Barnett, Jeremiah Grossman

Chapter 11

Defending File Uploads

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly