6 Replies - 480 Views - Last Post: 10 August 2018 - 02:09 PM

#1 trickstar34

Protecting from Malicious Uploads

Posted 03 August 2018 - 06:00 PM

So I have a site that will be handling money I'm working on that will also allow users to upload photos. I'm in the phase of making sure my site can't be hacked so I'm responsible for losses. I've been using owasp.org for a guide to what all threats I have and how to mitigate them. I've prevented XSS and CSRF so far and reading this one about file uploads has me thinking this is going to take forever. There's SO MANY things it lists that can go wrong and seems like it'll take forever to do:

https://www.owasp.or...ted_File_Upload

The parts that don't seem so bad are running it through antivirus, checking file size and type, checking magic bytes, hashing file names, sandboxing it, configuring ImageMagick so that ImageTragic isn't possible in the privacy file, using POST, etc., but seriously that list of threats is so insanely long. Are there any libraries or simple ways to prevent all of that? I feel like it's going to take a month to implement all of that. I plan on using a hardened LEMP stack so all the Windows related stuff shouldn't be a problem.

This post has been edited by trickstar34: 03 August 2018 - 06:32 PM



#2 no2pencil

Posted 03 August 2018 - 10:04 PM

trickstar34, on 03 August 2018 - 09:00 PM, said:

but seriously that list of threats is so insanely long.

Working against a list is a terrible way to prevent security attacks, imo, because you're always going to be a step behind the attacker.

#3 Radius Nightly

Posted 04 August 2018 - 02:08 AM

Anything that's created can be broken. It's like building a house: even with high quality, there will always be some hole to patch, some vulnerabilities, and you will always be one step behind because thieves will always come up with a new idea.

For a start, you need to protect data from losses by having disks in a redundant array (in case of failure) and a backup plan (in case of zombie apocalypse) to be able to restore data back.
So you don't actually need anti-virus, and you need to pay for it; if you wanna use it, it will consume additional power and time, and sometimes do some stupid things. You will need a firewall and some filters, but not something for checking files, because on your server you can set up everything, such as speed limitations, quota, limit number of connections per user, limit keep-alive connections, limit number of requests with time, for how long a user can keep uploading and/or downloading (depends on size and his speed), will it be cached, buffered, whatever, size limitations or checking file size, date, time, IANA/MIME for file types, hashing can be done through PHP, and so on... for lots of things you don't really need additional applications.
You can also make limitations based on regions, countries or so, based on IP range, where one IP range can handle separate server/s or all these ranges can be managed even on a single server, meaning if someone from e.g. Germany overloads/attacks/floods your server, it will still continue working for all regions except Europe (such a strategy is used by lots of community sites, I think Twitter and Instagram also got it, so an attacker will only disable the server for several minutes for his region; it also depends on how you divide regions).
You can virtualize the whole server, it will make some things easier, or you can virtualize the applications that are running the server with some strict rules, but it can be buggy and sometimes needs a little bit more RAM and CPU power.
If it's gonna be a small amount of data, not so big overall, you can set a backup every several days and do maintenance once a month or so, where you can check everything even with anti-virus if you are so paranoid and got time.
If you are talking about Windows Server, it already has lots of blocks, restrictions and limitations as it's meant to be used as a paid server and it's gonna be hard to crush; in that case you may wanna tweak it to use full server potential by moving limitations higher (some of these tweaks require adding registry keys and modifying system DLLs). Keep the server and its applications up to date from time to time to keep it immunized against more various attacks; crackers are evolving, so servers are evolving, you must move; if you stay stuck where you are, they will crush you one day.

And don't forget the KISS principle.

#4 trickstar34

Posted 05 August 2018 - 02:23 AM

no2pencil, on 03 August 2018 - 11:04 PM, said:

trickstar34, on 03 August 2018 - 09:00 PM, said:

but seriously that list of threats is so insanely long.

Working against a list is a terrible way to prevent security attacks, imo, because you're always going to be a step behind the attacker.


Well I wasn't really aware of ways to protect my application and I googled things like "how web sites are hacked" and the most common methods. These lists mostly consisted of XSS and XSRF which I think I've done a good job mitigating and I learned how to do these hacks in the process and tried doing these attacks on my application and it seems to be protected from those. Then when I was looking for specific ways to mitigate those I found OWASP which has been very informative for me. Like I said my application will be handling money and I want to be able to sell similar applications to local businesses so I don't have much room to allow for an insecure site.

#5 ArtificialSoldier

Posted 06 August 2018 - 10:15 AM

It shouldn't be surprising that there are a lot of ways that allowing uploaded files can go wrong. You can mitigate a lot of issues just by how you use the uploaded files. What are the photos that people are uploading?

#6 trickstar34

Posted 10 August 2018 - 02:04 PM

ArtificialSoldier, on 06 August 2018 - 11:15 AM, said:

It shouldn't be surprising that there are a lot of ways that allowing uploaded files can go wrong. You can mitigate a lot of issues just by how you use the uploaded files. What are the photos that people are uploading?


Well I'd figure that most of these vulnerabilities would be mitigated by server software or OS's by now. The photos are profile pictures/icons, pictures of products, etc. I plan on only allowing PNG, JPEG and GIF. I'm using Imagick and set the settings to prevent ImageTragic. What other minimum steps do I need to take? Like things that I MUST not forget like preventing SQL injections, CSRF and CSS attacks.

This post has been edited by trickstar34: 10 August 2018 - 02:04 PM


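Added example (not part of any post in this thread): one way to apply the size, file-type and magic-byte checks from post #1 with the PNG/JPEG/GIF allow-list from post #6, in PHP for the LEMP stack mentioned there. The function name, the 2 MiB limit and the destination directory are assumptions, and a random server-generated name stands in for the "hashed file name".

```php
<?php
declare(strict_types=1);

// Allow-list from the thread (PNG, JPEG, GIF): MIME type => stored extension.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit: 2 MiB

/**
 * Validate one entry of $_FILES and move it into $destDir, which should be
 * outside the web root or served with script execution disabled.
 * Returns the generated file name; throws RuntimeException on rejection.
 */
function store_uploaded_image(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }
    // Type is taken from the content (magic bytes), never from the
    // client-supplied $file['type'] or the original file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Only PNG, JPEG and GIF are accepted');
    }
    // The image header must also parse, and agree with the detected type.
    $info = getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-generated name: the user's file name and extension are discarded.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}
```

These checks only establish that the file starts like an allowed image; a file can pass them and still carry other data after the header, which is why the storage location and how the file is later served matter as well.
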
#7 ArtificialSoldier

Posted 10 August 2018 - 02:09 PM

Well, all of those are important. If you're going to accept payment card information, you also need to be PCI compliant.