1
00:00:00,420 --> 00:00:07,200
In this session we will see a workshop on the unvalidated upload of files to a web application

2
00:00:07,200 --> 00:00:10,200
and the possible mitigation.

3
00:00:12,280 --> 00:00:19,570
We can click on the Select file button, select a file, for example a JPEG image, and send it to the

4
00:00:19,570 --> 00:00:23,540
web server with the Upload button.

5
00:00:23,560 --> 00:00:26,890
You can see that the file has arrived in the uploads folder.

6
00:00:28,000 --> 00:00:34,810
The uploads folder is in the application's virtual directory, and this is already a serious mistake.

7
00:00:35,440 --> 00:00:38,940
The upload function, however, is not developed correctly.

8
00:00:39,250 --> 00:00:46,720
In fact, it is possible to upload a file of a different type from that which the programmer expected

9
00:00:46,990 --> 00:00:47,830
to receive.

10
00:00:48,010 --> 00:00:56,290
For example, we can upload a PDF file, and in fact we find the PDF file we sent in the uploads folder.

11
00:00:56,980 --> 00:00:57,700
The problem

12
00:00:59,110 --> 00:01:05,980
in the presence of this vulnerability could arise if the attacker, instead of uploading a harmless file,

13
00:01:07,230 --> 00:01:11,850
went, for example, to upload a webshell.

14
00:01:14,040 --> 00:01:25,110
The webshell is developed with the same technology as the web application pages, in this

15
00:01:25,110 --> 00:01:25,740
case

16
00:01:26,580 --> 00:01:30,630
in the ASP.NET language.

17
00:01:32,380 --> 00:01:40,950
The webshell arrives in the uploads folder, as you can see. At this point the attacker can

18
00:01:40,960 --> 00:01:42,090
load the webshell

19
00:01:42,280 --> 00:01:43,210
and run it.

20
00:01:45,340 --> 00:01:51,880
The webshell is made to run operating system commands on the web server.

21
00:01:53,540 --> 00:01:57,740
So in this example we run the dir command on the server.

22
00:02:03,740 --> 00:02:06,320
Now, let's see

23
00:02:08,730 --> 00:02:14,580
what the mitigation of this vulnerability consists of.

24
00:02:16,370 --> 00:02:26,060
It is necessary to ensure that only the desired type of file can be uploaded, for example

25
00:02:26,060 --> 00:02:33,350
JPG files, and to block the upload of any other type of file.

26
00:02:34,220 --> 00:02:43,760
I then extract and check the first four bytes of the uploaded file, which indicate the type of file,

27
00:02:44,690 --> 00:02:52,940
and check with a switch construct whether the four bytes extracted correspond to the value of the type of

28
00:02:52,940 --> 00:02:59,720
file that I expect. If there is no match, an error message is printed and

29
00:03:01,330 --> 00:03:04,420
the file cannot be uploaded.

30
00:03:05,480 --> 00:03:19,430
A check is then made on the size of the uploaded file, so that if it exceeds a set threshold

31
00:03:19,430 --> 00:03:26,170
the file is not accepted. With the mitigation applied,

32
00:03:27,200 --> 00:03:29,990
let's now try to rerun

33
00:03:31,120 --> 00:03:32,770
the laboratory.

34
00:03:34,540 --> 00:03:35,220
OK.

35
00:03:37,690 --> 00:03:38,380
And

36
00:03:39,800 --> 00:03:48,020
I delete the previously uploaded files, so let's try the lab again.

37
00:03:48,950 --> 00:03:53,990
Let's first try to choose an allowed file,

38
00:03:56,370 --> 00:04:03,040
an image, for example, and I find the image. OK.

39
00:04:04,430 --> 00:04:05,090
Upload.

40
00:04:06,050 --> 00:04:12,500
And I find the image in the uploads folder, so the upload was successful. But if I try to upload the web

41
00:04:12,500 --> 00:04:14,150
shell, this time

42
00:04:15,280 --> 00:04:18,400
I find an error message and the upload is blocked.
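Added example, not code from the workshop (whose lab is written in ASP.NET): a Python version of the two checks the speaker describes, the signature ("magic bytes") check against the expected JPEG type and the size threshold, extended with an extension allowlist and a server-chosen filename. The extension goes beyond what the transcript covers: a JPEG header followed by ASP.NET code passes the four-byte check, and if it is saved as shell.aspx inside the web root it still runs. The 2 MiB threshold, the signature table, and the sample uploads below are constructed for this example.

```python
import os
import secrets

# File signatures for the formats this lab deals with. The transcript compares
# the first four bytes; JPEG's fixed signature is only three bytes (FF D8 FF)
# followed by a variable marker byte, so each entry carries its own length.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG",),
    "gif": (b"GIF8",),
    "pdf": (b"%PDF",),
}

ALLOWED_TYPES = {"jpg"}            # the lab accepts only JPEG uploads
ALLOWED_EXTS = {".jpg", ".jpeg"}   # anything else, .aspx above all, is refused
MAX_BYTES = 2 * 1024 * 1024        # size threshold (assumed value: 2 MiB)


def sniff_type(data: bytes):
    """Return the format whose signature matches the start of data, else None."""
    for name, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return name
    return None


def validate_upload(filename: str, data: bytes):
    """Apply the lab's checks in order: size, magic bytes, then extension.

    Returns (ok, reason) so the caller can log the rejection and show an error.
    """
    if len(data) > MAX_BYTES:
        return False, f"file exceeds {MAX_BYTES} bytes"
    detected = sniff_type(data)
    if detected not in ALLOWED_TYPES:
        return False, f"unexpected file type: {detected or 'unknown signature'}"
    ext = os.path.splitext(filename)[1].lower()
    # Magic bytes alone do not stop a polyglot: a valid JPEG header followed by
    # ASP.NET code, stored under the web root with a .aspx name, is executed by
    # the server. The extension must be allowlisted as well.
    if ext not in ALLOWED_EXTS:
        return False, f"extension not allowed: {ext or '(none)'}"
    return True, detected


def storage_name(detected: str):
    """Server-chosen random name; the client's filename never reaches the disk."""
    return f"{secrets.token_hex(16)}.{detected}"


# Constructed sample uploads (not files from the lab).
SAMPLES = {
    "photo.jpg":  b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "doc.pdf":    b"%PDF-1.4\n" + b"\x00" * 16,
    "shell.aspx": b'<%@ Page Language="C#" %><% /* constructed webshell stub */ %>',
    "poly.aspx":  b"\xff\xd8\xff\xe0" + b"<% /* JPEG header + ASP.NET code */ %>",
    "huge.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * (MAX_BYTES + 1),
}


def run_samples():
    """Run every sample through the validator; returns {filename: accepted}."""
    results = {}
    for name, data in SAMPLES.items():
        ok, reason = validate_upload(name, data)
        results[name] = ok
        print(f"{name:11} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
    return results


if __name__ == "__main__":
    run_samples()
```

Only photo.jpg is accepted: the PDF and the plain webshell fail the signature check, the polyglot fails the extension check, and the oversized image fails the size check. Storing the accepted file under the name returned by storage_name, in a directory outside the application's virtual directory, removes the "serious mistake" the speaker points out at the start.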