1
00:00:01,940 --> 00:00:09,730
Now let's talk about how you can secure your website from file upload vulnerabilities.

2
00:00:09,740 --> 00:00:15,980
The main thing to keep in mind is to never allow people to upload executables.

3
00:00:15,980 --> 00:00:20,510
There shouldn't be a need for you to allow people to upload executables, really.

4
00:00:20,690 --> 00:00:27,090
So stuff like PHP or Python scripts, executables like .exe or .com, all these files.

5
00:00:27,170 --> 00:00:32,420
You should never allow people to upload them because there is a high possibility that these files could

6
00:00:32,420 --> 00:00:33,680
harm your server.

7
00:00:34,930 --> 00:00:43,090
The second thing is you need to check that the file type is what you want, is what you're expecting.

8
00:00:43,300 --> 00:00:46,760
And check the extension at the same time.

9
00:00:46,780 --> 00:00:53,650
So as we saw when we did our tests in the previous videos, at the low security level

10
00:00:53,680 --> 00:00:55,490
obviously there were no checks.

11
00:00:55,650 --> 00:01:02,670
At the medium security level there was checking for only the file type, and at the high security level they

12
00:01:02,680 --> 00:01:07,470
were checking for the extension only.

13
00:01:07,550 --> 00:01:11,520
So what you want to do really is never allow executables.

14
00:01:11,600 --> 00:01:14,660
Make sure the uploaded file is what you're expecting.

15
00:01:14,660 --> 00:01:20,750
So if you're uploading an image, make sure that the file type is an image, and that the extension

16
00:01:20,930 --> 00:01:27,040
is an image extension, so it's a JPEG or a PNG or any other image type.

17
00:01:27,300 --> 00:01:34,010
And once you do these two checks, make sure that you recreate the uploaded files. So

18
00:01:34,400 --> 00:01:39,510
you check that the file is an image and check that the extension is an image extension.
19
00:01:39,510 --> 00:01:45,550
Then analyze the file using some sort of a library, so depending on the program, the language you're

20
00:01:45,560 --> 00:01:46,930
using on your server.

21
00:01:47,060 --> 00:01:53,780
Make sure that you analyze, you pass this file to a library and analyze its content and recreate the

22
00:01:53,780 --> 00:01:55,820
file to suit your website.

23
00:01:55,820 --> 00:02:01,430
Now this is actually a good step anyway, because since you're displaying this on your website you want

24
00:02:01,430 --> 00:02:07,850
to make sure that the images aren't too big and that they are optimized for web applications.

25
00:02:07,850 --> 00:02:10,700
So it's a good thing for your website to run faster.

26
00:02:10,790 --> 00:02:16,490
And it's also a good thing to make sure that this image is actually an image and not a harmful

27
00:02:16,490 --> 00:02:17,230
file.

28
00:02:17,240 --> 00:02:22,220
So let's just have a look at the source code now. I know I always say we're doing black-box testing, but

29
00:02:22,220 --> 00:02:26,180
we're talking about the security now, so you actually have to see the source code to see how you can

30
00:02:26,180 --> 00:02:27,640
secure it.

31
00:02:27,650 --> 00:02:33,770
So I'm just going to set the security level to medium, because the low just doesn't really check anything.

32
00:02:33,770 --> 00:02:39,180
So we're just going to go with the medium for now, and we're going to go on the upload

33
00:02:42,630 --> 00:02:44,450
I'm going to view the source.

34
00:02:44,610 --> 00:02:52,400
So as you can see now, in the medium it's only checking if the uploaded file type is an image. Now I don't

35
00:02:52,400 --> 00:02:57,300
want to get into too much detail about coding because this isn't a coding course.

36
00:02:57,470 --> 00:03:02,180
We're only talking about how you secure yourself and about penetration testing.

37
00:03:02,180 --> 00:03:04,120
So I have to cover the security part.
38
00:03:04,250 --> 00:03:09,350
So we're going to talk about the concepts but not the actual code that you need to use, because you could

39
00:03:09,350 --> 00:03:11,260
be using a different programming language.

40
00:03:11,450 --> 00:03:16,670
So here they are using PHP, and what they're doing is they have just a simple if statement and

41
00:03:16,710 --> 00:03:21,550
they're checking if the image, if the uploaded file type is an image.

42
00:03:21,740 --> 00:03:28,490
So we saw how we can bypass this easily by uploading an image and then changing the extension, by renaming

43
00:03:28,520 --> 00:03:35,360
our shell to .jpg, which will be uploaded, which will be accepted as an image, and then we'll just rename

44
00:03:35,360 --> 00:03:40,460
it once it's been uploaded to a PHP file.

45
00:03:40,460 --> 00:03:44,240
Now if we set this to the high security level

46
00:03:49,210 --> 00:03:55,850
and we go back to the upload and have a look at the source code, you can see that what they're doing

47
00:03:55,850 --> 00:04:02,380
here is they're checking that the extension is .jpg or .jpeg.

48
00:04:02,660 --> 00:04:04,570
And then you can upload the picture.

49
00:04:04,580 --> 00:04:07,400
So they're not checking for the file type this time.

50
00:04:07,400 --> 00:04:13,760
So as I said, you need to check for both. Now the new versions of DVWA actually have

51
00:04:13,850 --> 00:04:16,670
an extra security setting called impossible.

52
00:04:16,740 --> 00:04:22,710
And what it does is it basically just shows you the right implementation of each one of these pages.

53
00:04:22,730 --> 00:04:26,290
So it's actually the right way to do it.

54
00:04:26,480 --> 00:04:31,700
The DVWA version that comes with Metasploitable doesn't have that security setting.

55
00:04:31,850 --> 00:04:33,610
But we don't really need to use it anyway.

56
00:04:33,620 --> 00:04:34,850
We just need to see the code.
57
00:04:35,000 --> 00:04:36,830
So we have it here on GitHub.

58
00:04:37,340 --> 00:04:42,780
And the right way to implement this, if we look at this, is the same if statement.

59
00:04:43,040 --> 00:04:46,330
And basically what they're checking is, they check the extension.

60
00:04:46,330 --> 00:04:52,620
It is an image extension, so .jpeg or .jpg or .png.

61
00:04:52,640 --> 00:04:53,720
So that's all good.

62
00:04:53,900 --> 00:05:02,000
So it has to be one of these things, and it has to be of an image type, so it has to be of type image/jpeg

63
00:05:02,010 --> 00:05:07,250
or image/png, and it doesn't stop there, it actually checks the sizes.

64
00:05:07,250 --> 00:05:08,330
But that's OK.

65
00:05:08,600 --> 00:05:13,970
What it also does, which I was speaking about, is recreating the image itself.

66
00:05:14,300 --> 00:05:20,830
So what they're doing is they're stripping the metadata of the image, and they're using a library.

67
00:05:20,870 --> 00:05:26,570
Actually they're not using that library, but you should be using that library, which is called PHP Imagick

68
00:05:26,600 --> 00:05:32,560
or whatever; there are similar libraries for Python and Ruby and all of that too.

69
00:05:32,570 --> 00:05:37,790
Basically what they do is they recreate another image from the uploaded image.

70
00:05:41,110 --> 00:05:48,630
Once they do that, they actually delete and destroy the old image and use the new image with a new name,

71
00:05:48,640 --> 00:05:51,590
so they create a new image from the old image.

72
00:05:51,670 --> 00:05:54,340
They rename it and then they use that image.
73
00:05:54,490 --> 00:06:00,430
So these are the three things you need to do: check for the extension, check for the file type, recreate the image

74
00:06:00,430 --> 00:06:09,070
itself. That way, even if a person tries to upload a bad file or a malicious file, then you'll be able

75
00:06:09,070 --> 00:06:13,710
to protect your web application and your server from that file.

76
00:06:14,050 --> 00:06:20,910
So even if they manage to upload the file, then the file will be destroyed because of the recreation process.