Stored Cross-Site Scripting (XSS) is one of the major flaws in web applications, and it is also one of the most difficult forms of Cross-Site Scripting for automated scanners to detect. A simple example of Stored XSS is as follows:

  • Consider a social networking site that allows a registered user to write comments and post images on his/her friends' wall.

  • If a registered user is able to post malicious input, e.g. <script> malicious_code() </script>, on the wall of a target victim, then malicious_code() would be executed once the victim visits his/her wall.

  • Another variant of the same vulnerability exists when a registered user is able to upload arbitrary HTML (with JavaScript) or even an ASP/PHP file in place of an image.

The impact of Stored XSS is sometimes much greater than that of Reflected XSS. For example, in the above scenario, an attacker can target hundreds or even millions of users with the same (self-propagating) malicious payload.

Note that an automated scanner would find it difficult to verify whether the injected malicious payload is actually sanitized properly. For example, in the above scenario, an automated scanner will, in general, not have the logic to visit the particular page (or part of the page) where the malicious input will appear, for reasons such as pagination or the lack of a standard way to visit a user profile.

Many web applications have functionality to upload pictures, documents (doc, ppt), exported data (CSV, XML), themes (.thm format) and many other types of files. Such applications are vulnerable to Stored XSS via File Upload and, as a result, an attacker can upload a file with malicious content and compromise target victim users.

The following mistakes generally result in Stored XSS via File Upload:

  1. Only Client Side Validation: Client side validation of the uploaded files can mostly be bypassed using a web application proxy (Paros / Burp). As a result, only client side validation means no validation.

  2. Predictable File Location: Sometimes there is a predictable way to construct the URL of an uploaded file. In such cases, if it is possible to upload, say, a PHP file in place of an image file, then it may be possible to directly execute PHP code on the server. One common mistake we have seen is that vendors append a random number of a few digits as a suffix to make the filename unique in the system and to make the file URL difficult to predict. However, such an approach can easily be bypassed by simple brute-forcing.

  3. Weak Server Side Validation: Weak server side validation can often be bypassed by attackers. For example, if the application should only allow TEXT files to be uploaded, an attacker can upload malicious HTML / PHP / ASP files because of weak server side validation.

Mitigations

  1. Server Side Validation: There should be server side validation of the uploaded files based upon the business requirements. Factors that should be considered when validating the input file include file type, file content and file size. There are two main approaches to validation:

    1. Whitelist Approach: In this approach, only certain types of file and certain content of the file are allowed.

    2. Blacklist Approach: In this approach, certain types of file and certain content of the file are not allowed.

  2. Sandboxing: All uploaded files should be stored on, and retrieved from, a different domain and a different server, if possible. As a result, even if the malicious content of a file is executed, it will have limited privileges.

A more comprehensive list of mitigation strategies can be found here. Stored XSS and similar vulnerabilities can be found readily during the security expert analysis phase of penetration testing.
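As an added illustration of the whitelist approach above (example code written for this page, not the original post's or any product's code), this Python validator enforces file type, content and size, stores the file under an unpredictable server-chosen name, and sets headers for serving it from a separate domain; the allowed types, the size limit and the header values are assumptions.

```python
import re
import secrets

# Whitelist of allowed image types: extension -> (MIME type, magic-byte prefix).
# Constructed for this example; extend it to what the business requirement allows.
ALLOWED_TYPES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}
MAX_SIZE = 2 * 1024 * 1024  # assumed size limit: 2 MiB

# Active content that must never appear inside an accepted "image" (polyglot files).
ACTIVE_CONTENT = re.compile(rb"<script|<\?php|<%|javascript:", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> str:
    """Whitelist validation of type, content and size; returns the MIME type or raises."""
    if not data or len(data) > MAX_SIZE:
        raise ValueError("rejected: empty file or size limit exceeded")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"rejected: extension {ext!r} is not whitelisted")
    mime, magic = ALLOWED_TYPES[ext]
    if not data.startswith(magic):  # a renamed HTML/PHP file fails here
        raise ValueError("rejected: content does not match the declared type")
    if ACTIVE_CONTENT.search(data):  # valid magic bytes followed by script/PHP
        raise ValueError("rejected: active content found inside the file")
    return mime


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def storage_name(mime: str) -> str:
    """Server-chosen, unguessable name (128 random bits); the client's filename is discarded."""
    ext = next(e for e, (m, _) in ALLOWED_TYPES.items() if m == mime)
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(mime: str) -> dict:
    """Response headers when serving the file, ideally from a separate cookie-less domain."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # browser must not re-sniff it as HTML
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if rendered
    }
```

Byte-pattern matching on compressed image data can produce false positives; re-encoding the image through an image library is the stronger content check when that is available.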


Challenges in automated testing of session management

As we all know, web application scanners are meant to assist a user in identifying the vulnerabilities in a web application. The user/audience for this tool can be penetration testers, developers or auditors. The true potential of any tool can be extracted only by a user who understands the domain and the tool he [...]


REST APIs and Next Generation Threats: Part 1

Some days back, when I was going through the record-breaking statistics of Facebook and its social networking platform's REST APIs, I found phrases like "People on Facebook install 20 million applications every day. More than 2.5 million websites have integrated with Facebook". It really shows the incredible power of REST APIs and probably it [...]


The Definitive Guide to Penetration Testing Reports

Penetration testing is not going to be worth anything if there are no reports to detail what has been done and what needs to be corrected. It is the penetration test report that tells IT managers and other company stakeholders just how well or badly your network, web applications and Internet security perform. But how [...]


Meet hacker’s best friends: AntiVirus and Firewalls

Mr. John (name changed) is the senior security manager of one of the largest organizations in the world. Mr. John enforces the best security policies to protect his organization from the latest threats and risks. He has deployed the best anti-virus on all the desktops and servers. He keeps all the anti-virus signatures updated [...]


How Search Engine Security Testing can improve Website Ranking

You may be wondering what Website Ranking Improvement has to do with Search Engine Security Testing. A few years back I also wondered the same, before I came across one smart SEO guy. Combined with his insights in SEO and my background in security testing, I'm convinced that all search engine marketeers should now consider adopting [...]


A Lazy Pen Tester’s Guide to Testing Flash Applications

Yesterday, I received a post in the Pen-Test mailing list requesting tips/resources on penetration testing of Flash applications. While there are some tools and white papers available, I could not find many authoritative resources which wrap the entire spectrum of Flash security testing of RIA applications. So here is an endeavor to detail out [...]


Quick Way of Fuzz Testing Unknown Protocols with Wireplay

The research team at iViZ has been working on a simple yet powerful idea for rapid fuzz testing of network applications. Theoretically, fuzzing involves supplying an invalid or semi-invalid input set to the target application and monitoring for possible faults. This is highly useful for finding newer vulnerabilities in applications. However, the security researchers [...]


3 Reasons why Automated Vulnerability Scanning does not work

One of the things that IT managers and network security specialists learn early on is that vulnerability scanning with free or open source tools does not work, or is generally not enough, when it comes to protecting your computer network and identifying its vulnerabilities. Most network managers are lulled into a false sense of security [...]


Is Twitter the new source of Malware?

Ok, I'm going to keep this one real short. A few days ago I created one Squidoo Lens on the vulnerabilities of Facebook and Twitter which received good user feedback and comments. Following up on that, here is a summary (as well as some new ones) that you may consider to prevent your computers from being targeted [...]
