Hello and welcome to the Cybrary secure coding course. My name is Sonny Wear, and this is the CWE/SANS Top 25 category Insecure Interaction Between Components: mitigations, countermeasures and defenses. So, first, our defenses overview.
We're going to look at a layered security approach for addressing unrestricted upload of a file with a dangerous type (CWE-434). This is going to include several defenses, because there really is no silver bullet for this particular weakness.
I'm also going to take you through some programmatic checks that you can do on the server side, and we'll look at some sample code, but realize that these have to be layered in with the other defenses. So first, our layered security approach.
You can see that I have seven steps here, and all of them should be incorporated to provide a layered approach to preventing the types of attacks we talked about for unrestricted file upload.
If we take a look at the list: number one, create custom validation of content type plus extension, and I'll explain what that means in just a moment.
Number two, use temporary file names. This is an interesting one. We basically change the name of the file, the idea being that the attacker needs to know their file's specific name on the server in order to request and execute it. As you saw in the demo, though, the problem with temporary file names is that they still may not prevent the attack: even if you're using an encoded name or some other mechanism to change that name, if the file is still accessible and executable on the server, the new name doesn't really matter.
Number three, the landing zone change. We also saw this in the demo, where the file was uploaded to a completely different directory, called the uploads directory. You could certainly do this, and my recommendation is to place it in a secured directory, one that's been locked down by the web server so it's not accessible. Or, better yet, pass it over to your application server, if that's an option.
Number four, ownership by a lower-privileged account. When files are uploaded, they're generally going to be owned by the account that's running the web server. To avoid this, you want to make sure you've got some sort of script or code that can do a change of ownership, as well as a change of the executable permissions on that file, which is number five: don't allow executable permissions. This is something you want to ensure, and your QA team should check it.
Number six, use a sandbox directory. That's what I was alluding to with the landing zone change. Not only do you want to change where the file gets uploaded, you also want to make sure that particular directory is actually locked down, and that would generally be done as a web server configuration change.
And then number seven: if you can afford it, try to incorporate the use of malware scanners. I know this may come with some criticism that malware scanners can only detect known signatures, and that is true. But for the large majority of payloads, well-known Metasploit payloads and things like that, this is certainly a viable solution for most companies. Just realize that it's obviously not going to address zero-days, and that it is a reactive kind of defense, in that you have to make sure your scanners are updated regularly with new signatures.
Now, programmatic changes. What you want to do is at least have some code on the server side for checking the file that's coming in. If you remember, I told you never to accept a zip file, so that's one of the extensions, or content types, that you never want to allow. You should also not allow files that don't have any extension at all. This is commonly done by users who haven't turned on extension viewing in Windows, and you don't want to allow those either; you do want to force the user to provide some kind of ".something".
To do that, you would basically create an array or an enumeration of the extensions you want to receive, and then also an array or an enumeration of the content types you will accept. If you remember from the previous slides, I was able to very easily spoof the content type: if the extension was of a certain type, the browser will send a certain content type, and I could easily spoof that. So what you want to do on the server side is only accept certain content types and only certain extensions. For the combination of the two you need a logical AND, so don't use the OR statement, the logical OR.
That is, of course, just one layer of protection, not to be your only means of protection.
As I mentioned, if you can afford it, purchase a malware scanner. Something that resides on the server itself can also be leveraged: you can make API calls to it. Say you already have McAfee antivirus available on that particular server by default, as part of how the image is built. You can actually make API calls into that and leverage it that way. And there are some third-party products out there, very good products, where you can purchase multiple engines to cover more bases. I encourage you to look into those further.