
WAF Solutions against OWASP Top 10 Risks

7.6.3

Validating uploaded files to prevent potential injections

Uploaded files are another vector for injection attacks. Attackers can upload files containing malicious code, scripts, or executables. Common types of injection attacks involving uploaded files include:

  • Remote File Inclusion (RFI): Malicious files are uploaded and then included/executed by the web application.

  • Local File Inclusion (LFI): Attackers upload files that exploit vulnerabilities to include local files on the server.

  • Malware Distribution: Files containing malware are uploaded and executed on the server or client machines.

"www.example.com" is a document management system used by businesses to upload, store, and share important files such as contracts, reports, and legal documents. Users can upload various file types, including PDFs, Word documents, images, and spreadsheets. However, the platform is at risk of file upload injection attacks, where an attacker might upload a file containing malicious code designed to exploit vulnerabilities in the system. Here is an example of a typical injection attack through uploaded files.

Initial State:

  • A user (or an attacker posing as a user) uploads a file to the platform. The system accepts various file types, such as .docx, .pdf, .jpg, and .xlsx.

  • The attacker crafts a file that appears to be a legitimate document but contains hidden malicious code. This code could be in the form of:

    • Embedded scripts in a PDF or Word document.

    • A malicious PHP script disguised with a double extension (e.g., invoice.php.jpg).

    • A macro in an Excel spreadsheet that executes harmful commands when opened.

Attack Execution:

  • The attacker uploads the malicious file to www.example.com, expecting that the system will either store it without inspection or execute it, leading to a security breach.

  • If the file is processed without proper validation, it could trigger the execution of the embedded code, leading to data theft, unauthorized system access, or even a complete system compromise.

Solutions by FortiWeb

FortiWeb can help protect against such injection attacks by implementing the following strategies.

  • Limiting file uploads

    Restrict file uploads based on file type and size. FortiWeb validates the file type both by the extension and by the MIME type, which defeats extension manipulation such as using a double extension (e.g., invoice.php.jpg) to disguise a script file. See To limit the file type and size:.

  • Scanning uploaded files for viruses

    Utilize FortiWeb's built-in virus database to scan uploaded files for viruses. This virus database includes the 'In the Wild' viruses that are actively prevalent on the network, along with a large collection of 'zoo' viruses that, although no longer prevalent in recent studies, still pose potential risks. FortiWeb continuously updates its virus database to include the most current viruses. See To configure the built-in virus scan:.

  • ICAP Virus scan

    For virus scanning, you can also send files to an ICAP server. ICAP (Internet Content Adaptation Protocol) is typically used in transparent HTTP proxy caches to implement virus scanning and content filters. Both ICAP virus scans and FortiWeb's built-in virus database serve the purpose of protecting your network from malicious software. You can choose either method depending on your specific security needs and infrastructure setup. See To configure ICAP Virus scan:.

  • FortiSandbox

    For files that pass initial checks, FortiWeb can be integrated with a sandbox environment to simulate the opening or execution of the file in a controlled, isolated environment. This allows FortiWeb to detect any suspicious behavior that the file might trigger, such as unexpected network connections or attempts to modify system files, before the file is allowed into the production environment. See To configure FortiSandbox scan:.

  • Web Shell detection

    Web shells are malicious scripts often uploaded by attackers to gain unauthorized access to a web server. FortiWeb can detect web shells written in various scripting languages, including PHP, ASP, JSP, Perl, and Python.

    FortiWeb uses a traditional method that detects web shells based on tags and keywords, as well as fuzzy-hash-based detection, which determines similarity by comparing the hash value of the file with the web shell sample library. See To configure Web Shell detection:.

Configurations on FortiWeb

We assume that www.example.com wants to achieve the following:

  1. Implement file upload security for "https://www.example.com/upload".
  2. Limit the uploaded file types to .docx, .pdf, .jpg, and .xlsx.
  3. The file size shouldn't be larger than 2 MB.
  4. Detect malicious scripts in the uploaded files.

To limit the file type and size:
  1. Go to Web Protection > Input Validation > File Security and select the File Security Rule tab.
  2. Click Create New.
  3. Configure the settings.
    Name: Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Type: Allow File Types
    Host Status: Enable
    Host: www.example.com
    Request URL Type: Simple String
    Request URL: /upload
    File Upload Limit: 2048 KB
    File Uncompress: disable
    JSON File Support: disable
    Octet Stream Filename Position: Default

  4. Click OK.
  5. Under Predefined File Types, click Create New.
  6. Select the file types.
    To determine the file type solely by its extension, select the appropriate file types under "While Suffixes Files".

    However, to enhance security when handling file uploads, it's crucial not only to check the file extension but also to verify the content or payload of the file. This approach mitigates the risks of extension manipulation, where an attacker renames a file to bypass filters that rely on extensions alone (e.g., renaming "abc.php" to "abc.php.pdf" to disguise a PHP script as a PDF).
    To determine the file type by its content, select the respective file types under the main category, such as Picture File, Text Files, etc., as shown below.
  7. Click OK.
  8. Go to Web Protection > Input Validation > File Security and select the File Security Policy tab.
  9. Click Create New.
  10. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Action: Alert & Deny
    Severity: Medium
    Trigger Action: Select which trigger action, if any, FortiWeb will carry out when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
  11. Click OK.
  12. Click Create New.
  13. Select the File Security rule from the drop-down list.
  14. Click OK.

FortiWeb will take the Alert & Deny action if the file type uploaded by the client doesn't belong to the specified types.
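The checks above (size limit, allow-listed extension, double-extension detection, and content that must match the extension) as an added, stand-alone Python example; this is not FortiWeb's code, and the scenario values (2048 KB, the four document types, the constructed sample payloads and the minimal OOXML containers) are assumptions taken from the www.example.com scenario:

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Limits from the www.example.com scenario: 2048 KB and four document types.
MAX_UPLOAD_BYTES = 2048 * 1024
ALLOWED_EXTENSIONS = {".docx", ".pdf", ".jpg", ".xlsx"}
# Suffixes a web server may hand to an interpreter; one of these *before* the
# final extension (invoice.php.jpg) is the double-extension trick described above.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".pl", ".py", ".cgi"}

@dataclass
class Verdict:
    accepted: bool
    reason: str

def _extensions(filename: str) -> list[str]:
    """Every dot-suffix of the base name, lower-cased: 'invoice.php.jpg' -> ['.php', '.jpg']."""
    base = filename.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]

def _content_type(data: bytes) -> str | None:
    """Classify the payload by its bytes (magic numbers / container layout), ignoring its name."""
    if data.startswith(b"%PDF-"):
        return ".pdf"
    if data.startswith(b"\xff\xd8\xff"):          # JPEG start-of-image marker
        return ".jpg"
    if data.startswith(b"PK\x03\x04"):            # ZIP: .docx and .xlsx are OOXML containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        if "[Content_Types].xml" not in names:
            return None
        if any(n.startswith("word/") for n in names):
            return ".docx"
        if any(n.startswith("xl/") for n in names):
            return ".xlsx"
    return None

def validate_upload(filename: str, data: bytes) -> Verdict:
    """Size limit, extension allow-list, double-extension check, then content must match extension."""
    if len(data) > MAX_UPLOAD_BYTES:
        return Verdict(False, f"size {len(data)} exceeds limit {MAX_UPLOAD_BYTES}")
    exts = _extensions(filename)
    if not exts:
        return Verdict(False, "no file extension")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension {exts[-1]} not allowed")
    hidden = [e for e in exts[:-1] if e in SCRIPT_EXTENSIONS]
    if hidden:
        return Verdict(False, f"double extension hides script suffix {hidden[0]}")
    actual = _content_type(data)
    if actual is None:
        return Verdict(False, "content does not match any allowed file type")
    if actual != exts[-1]:
        return Verdict(False, f"extension {exts[-1]} but content looks like {actual}")
    return Verdict(True, f"{actual} content matches extension")

def make_ooxml(root_dir: str) -> bytes:
    """Constructed minimal OOXML-shaped ZIP for the demo: 'word' mimics .docx, 'xl' mimics .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{root_dir}/document.xml", "<x/>")
    return buf.getvalue()

if __name__ == "__main__":   # constructed sample uploads, not real documents
    for name, payload in [("contract.pdf", b"%PDF-1.7\n"), ("invoice.php.jpg", b"\xff\xd8\xff\xe0"),
                          ("memo.docx", b"\xff\xd8\xff\xe0"), ("sheet.xlsx", make_ooxml("xl"))]:
        print(name, validate_upload(name, payload))
```

The content check is what catches a renamed script: a .pdf whose bytes are not a PDF, or a .docx whose bytes are a JPEG, is denied even though its final extension is on the allow-list.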

To configure the built-in virus scan:
  1. Go to Web Protection > Input Validation > File Security and select the File Security Policy tab.
  2. Select the File Security Policy you just created.
  3. Enable the Antivirus Scan option.
  4. Click OK.

You can switch between the Regular Virus Database and Extended Virus Database.

  1. Go to System > Config > FortiGuard.
  2. Select the FortiGuard tab.
  3. Scroll down to the FortiWeb Virus Database section.
  4. Choose whichever of the two databases you need.
  5. Click Apply.

FortiWeb will scan the content of the uploaded file to detect whether it contains a virus.

To configure ICAP Virus scan:
  1. Go to System > Config > Feature Visibility.
  2. Locate Additional Features.
  3. Enable ICAP Server.
  4. Click Apply.
  5. Go to System > Config > ICAP Server.
  6. Complete the settings according to the below table:
    Server IP / Domain: Enter the IP address or domain name of the ICAP server. FortiWeb will send the uploaded files to this address.
    Port: Enter the port number. The default port is 11344 if you want to use encrypted transmission.
    Cache Timeout: If FortiWeb does not receive a scan result within the specified time, it will resend the file to the ICAP server for scanning. The valid range is 1-168 hours. The default value is 72.
    Service Name: The name of the ICAP service, which appears in the URL configured in the ICAP client. For example, icap://<ip_address>/<name>.
    Transmission Encryption: Enable
  7. Click Test ICAP to test whether the SSL connection to the ICAP server is established.
  8. Click Apply.
  9. Go to Web Protection > Input Validation > File Security and select the File Security Policy tab.
  10. Select the file security policy you just created.
  11. Enable Send Files to ICAP Server.
  12. Click OK.

FortiWeb will send the uploaded files to the specified ICAP server for virus scan.

To configure FortiSandbox scan:
  1. Go to System > Config > FortiSandbox.
  2. Complete the settings according to the below table:
    FortiSandbox Type:
    • FortiSandbox Appliance—Submit files that match the upload restriction rules to a FortiSandbox physical appliance or FortiSandbox-VM.
    • FortiWeb Cloud Sandbox—Submit files to FortiWeb Cloud Sandbox. You need to register your FortiWeb and a FortiWeb FortiGuard Sandbox Cloud Service subscription.
    Server IP/Domain: Enter the IP address or domain name of the FortiSandbox. Available only when FortiSandbox Appliance is selected.
    FortiSandbox Status: The connectivity status of FortiSandbox is displayed here.
    Cache Timeout: If FortiWeb does not receive a scan result within the specified time, it will resend the file to the FortiSandbox server or cloud service for scanning. The valid range is 1-168 hours. The default value is 72.
    Admin Email: Enter the email address that FortiSandbox sends weekly reports and notifications to.
    Statistics Interval: Specifies how often FortiWeb retrieves statistics from FortiSandbox, in minutes. The valid range is 1-60 minutes. The default value is 5.
  3. Click Apply.
  4. Go to Web Protection > Input Validation > File Security and select the File Security Policy tab.
  5. Select the file security policy you just created.
  6. Enable Send Files to FortiSandbox.
  7. Click OK.

FortiWeb will send the uploaded files to the specified FortiSandbox server or cloud service. Check the key features of FortiSandbox.

To configure Web Shell detection:
  1. Go to Web Protection > Input Validation > Web Shell Detection.
  2. Click Create New.
  3. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Action: Alert & Deny
    Severity: Low
    Trigger Action: Select which trigger action, if any, FortiWeb will carry out when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
    Fuzzy Similarity Threshold: Web Shell Detection can perform fuzzy-hash-based detection, which determines similarity by comparing the hash value of the file with the Trojan sample library. In this way, no matter how the attacker modifies the script, as long as the similarity meets the threshold, it can be identified as a Trojan. Specify the Fuzzy Similarity Threshold: a file will be identified as a Trojan when it resembles the Trojan sample library by at least the specified percentage. The default value is 80.
  4. Enable the types of scripts that you want FortiWeb to parse. Each script type includes a list of specific scripts. If you want to include or exclude certain scripts, find the web shell detection policy, click Edit, then click the following icon to include or exclude the scripts from the list.
  5. Click OK.

FortiWeb will block the request if it detects malicious scripts in the uploaded files.

Next step

Apply the security rules to web protection profile and then reference the profile in a server policy. See:

By implementing FortiWeb's robust inspection and validation mechanisms, you can ensure that all uploaded files are safe and free from malicious content before they are processed or stored. This comprehensive approach to file security not only protects the platform from attacks but also fosters trust among its users by ensuring their sensitive documents are handled securely.
