File uploads have become a necessity for organizations around the world, and because of this they have become an integral feature in most web applications available on the market today.
By their very nature these applications – which are often mission critical – are designed to receive inputs from users, enabling the collection of sensitive information to help organizations comply with Anti-Money Laundering regulations, such as Know Your Customer (KYC).
However, a quarter of software systems available today have at least one high severity security flaw.* For files uploaded into web applications, there is a high likelihood that zero-day (new) file-based threats won’t be identified by endpoint protection.
If exploited by cybercriminals, a File Upload vulnerability can expose applications to malware, unauthorized server access, attacks on website visitors, the hosting of illegal files, and much more.
For organizations to achieve enterprise-grade protection, security and development teams should focus their efforts on securing the File Upload functionality within their web application. Finding and fixing vulnerabilities in software is important, but one of the most valuable areas of focus is the point at which a file is presented to an application, because this is where a multitude of security risks are activated.
https://glasswall.filecamp.com/s/i/krHISxSjqDDgT5sa
Dealing with file-based threats
The most obvious way to protect the underlying software application is by intercepting and disarming files by the application itself. This can be partially achieved by proxies and firewalls at the network layer, but there may be certain protection gaps that still exist that leave an application vulnerable. Files can also be disarmed as they are retrieved from storage, but there are still some attack techniques that can be best addressed at the web application layer.
According to Gartner®, the File Upload use case is one that requires special controls to remove malware. Content Disarm and Reconstruction (CDR) is cited as the strongest option for filtering threats at the application, gateway, and storage layers. CDR technology is different. Instead of looking for malicious content, advanced CDR processes treat all files as untrusted, validating, rebuilding and cleaning each one against their manufacturer’s ‘known-good’ specification.
With Glasswall CDR, for example, only safe, clean, and fully functioning files enter an organization, allowing users to access uploaded files with full confidence.
As a file is uploaded to your application, here are some basic steps which can be implemented to reduce the risk of incoming threats:
1.Authenticate Users: Only allowing file uploads from authenticated users adds an additional layer of security.
2. Permitted File Extensions: Limit file-based threats entering your web application by only allowing certain file extensions. This can be implemented by creating an ‘allow-list’ and a ‘deny-list’. For example, you can eliminate any file extensions that are associated with software execution, or look for double extensions like .gif.doc which might evade regex detection of a .doc file.
3. Validate User Input: Avoid passing user-supplied input (filename) to the filesystem APIs. File name validation should limit file size, limit character length, and only allow certain characters. Whenever possible, change the file name to something safe or at least eliminate characters that may be used to traverse the directory.
4. Validate File-Type: Go beyond just looking at the file extension or the ‘magic number’ within the first few bits of a file. Glasswall’s CDR technology [link this to what is Glasswall CDR] can identify the true file type and extension of incoming files, by inspecting the underlying nature of the data. This can be invoked via an API call to Glasswall’s API, which can be accessed using our SaaS endpoints, within a private cloud deployment.
5. Perform CDR: Run the file through a Content Disarm and Reconstruction (CDR) service to remove unknown threats. Glasswall provides a file analysis and rebuild service through an API. If a CDR solution is not an option, then an antivirus service should be employed. However, Glasswall has found that, on average, file-based threats are not discovered by detection-based solutions for 18 days, therefore antivirus and even enhanced endpoint protection will leave organizations open to risk.
Comparatively, CDR will remove file-based threats without relying on signatures, heuristics, or behavioral analysis (sandboxing). It returns a clean file without any changes to the visual layer, and most CDR services can deal with file archives and disarm so-called ‘zip bombs’, which are designed to drown system resources with an ever-expanding set of files.
6. Isolate File Storage: With organizations increasingly adopting immutable design patterns, file persistence should take place outside of the application server, such as in a container that runs alongside many other services within the application. This allows the system to self-heal when issues are encountered. Isolation of files from the main application facilitates system resilience, and also ensures that any residual risks associated with the incoming documents are kept separate. Ideally, files should be stored outside of the Webroot folder, where only administrative access is allowed.
Glasswall CDR platform – The cloud-native solution
The Glasswall CDR Platform sanitizes files to prevent both known and zero-day threats from entering an organization’s IT infrastructure. Glasswall allows organizations that are considering incorporating CDR into their IT infrastructure to trial the technology via a public synchronous API – file type detection, analysis and file rebuild endpoints are all available for evaluation purposes.
An asynchronous version of the API is also available for public evaluation. This enables application owners to interact with pre-signed URLs so that application logic can retrieve a file at a future point in time – avoiding overload during heavy periods of file upload requests. The OpenAPI specification facilitates automated codegen^ to accelerate application integration with modern coding languages.
Additionally, a free to use version of Glasswall Clean Room provides a reference point for how a contemporary user interface may interact with the Glasswall API to remove threats from file uploads.
The Glasswall CDR Platform can CDR a file via a call to the API, or also indirectly using an ICAP+ compliant appliance. File Uploads (and even Downloads) can be supported by these approaches.
Glasswall recommends the adoption of automated application security testing tools along with CDR to ensure that file upload functionality is kept safe from targeted attacks. This guidance for making File Uploads safer within your application should help you neutralize the threat of malware entering your organization.
Here is some additional recommended reading on how to reduce the risk of accepting files into your application:
* https://info.veracode.com/report-state-of-software-security-volume-12.html
± https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
^ https://swagger.io/tools/swagger-codegen/