How to Not Get Hacked Through File Uploads
6 hours ago
- #file-uploads
- #web-development
- #security
- File uploads introduce multiple attack surfaces beyond just your code, including image libraries, file systems, CDNs, and browsers.
- Parser exploits can occur in image processing libraries (e.g., ImageTragick, libwebp vulnerabilities), allowing attackers to execute arbitrary commands.
- Defenses against parser exploits include running file processing in restricted environments (containers, serverless functions) and keeping dependencies updated.
- SVG and HTML files can contain embedded scripts, leading to stored XSS if served from the same origin as the main application.
- Mitigate XSS risks by serving files from a separate domain with no shared session state and setting security headers like `Content-Disposition: attachment`.
- Filenames can be used for path traversal attacks (e.g., overwriting system files). Use random identifiers for stored filenames and validate archive extraction paths.
- Resource-exhaustion attacks (e.g., zip bombs) can consume infrastructure capacity far out of proportion to the upload size. Enforce size limits at the proxy level and set rate limits.
- Validate file types using magic bytes, not just the extension or the client-supplied MIME header, and maintain a strict allowlist of accepted formats.
- For user-to-user file sharing, implement antivirus scanning before making files available.
- Follow a security checklist covering validation, sandboxing, headers, and dependency updates to secure file uploads.
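The magic-byte allowlist and random-filename points above, as an added example (not code from the original post): the validator checks the content signature against a strict allowlist, requires the claimed extension to agree with it, discards the client-supplied path, and returns a random storage name. Magic bytes only establish the container format, so this is one layer; the separate-domain and `Content-Disposition: attachment` controls listed above still apply to whatever is served back. `ALLOWED_TYPES` and `MAX_BYTES` are assumed policy values.

```python
import os
import secrets
from typing import Optional

# Assumed policy: allowed extension -> accepted magic-byte prefixes for that format.
# SVG, HTML and executable formats are deliberately absent from the allowlist.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed per-file limit; enforce it at the proxy as well


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def detect_type(header: bytes) -> Optional[str]:
    """Return the allowlisted extension whose magic bytes match the header, else None."""
    for ext, magics in ALLOWED_TYPES.items():
        if any(header.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(original_name: str, data: bytes) -> str:
    """Validate an upload and return a random storage name of the form '<hex>.<ext>'."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Keep only the basename: the client-supplied path is never used for storage.
    base = os.path.basename(original_name.replace("\\", "/"))
    claimed_ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if claimed_ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {claimed_ext!r}")
    detected = detect_type(data[:16])
    if detected is None:
        raise UploadRejected("content does not match any allowed format")
    # Extension and content must describe the same format (jpg/jpeg share one signature).
    if ALLOWED_TYPES[claimed_ext] != ALLOWED_TYPES[detected]:
        raise UploadRejected(f"extension {claimed_ext!r} does not match content {detected!r}")
    # Random identifier, never the user's name, so traversal and collisions are impossible.
    return f"{secrets.token_hex(16)}.{detected}"


def is_accepted(original_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(original_name, data)
        return True
    except UploadRejected:
        return False
```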