PHP Script to Perform Malicious File Upload
Pen Testing: Malicious File Execution
What is a Malicious File Execution Vulnerability?
Malicious file execution vulnerabilities (also called file inclusion vulnerabilities) occur when user input or uploads to a website are not properly handled, or when data validation by the website/web application is poor.
Web applications that are poorly designed or coded may automatically run or parse input submitted by a user. If that input is a malicious file, or a pointer to a URL that will execute a malicious script or command at the server level, the application has been successfully hacked.
A Simplified Case of Execution of a Malicious File
In this instance, suppose there is a website that allows you to upload a picture and share it with friends.
Imagine this website is programmed using the server-side scripting language PHP. The developer is a novice, inexperienced with many of the security principles surrounding the language, but the web app is programmed to only accept popular image types like .JPG, .GIF, and .PNG.
His web app is developed to use the global variable $_REQUEST to get the user-submitted image, then uses that image as part of the input to another PHP component.
The attacker concocts a simple PHP script that lists all the contents of a directory on the server, to gain more information and formulate another attack.
The attacker now renames the .PHP file to a .JPG file, easily bypassing the rudimentary data validation implemented by the web app, then uploads it to the web app to be executed.
Risks Associated with Malicious File Execution Vulnerabilities
The potential risks associated with the execution of malicious files vary greatly. Attackers can exploit these vulnerabilities with a number of different goals, including but not limited to:
- Uploading a phishing page to a website.
- Uploading and covertly hosting malware, illegal software and other objects.
- Storing malicious scripts or a stored Cross-Site Scripting (XSS) file.
- Gaining control of a web server, modifying its file structure or taking it out of commission completely.
Preventing and Testing for Malicious File Execution Vulnerabilities
Preventing malicious file execution vulnerabilities starts in the design phase of the application. Java programmer and security blogger John Melton wrote a great post that gives a good rundown of factors to be considered.
| Common Design Problems | Description |
|---|---|
| Insufficient Input Validation | Too much freedom in naming files, and not scrubbing names correctly for special characters, could lead to directory traversal and overwriting system files. This could disrupt operation of the entire web server. |
| No Virus Scanning | All uploaded files should be virus scanned. Failed scans should remove the files, and security incidents should be logged. |
| No Size Checks | Reasonable file size limits should be set, determined by the type of files being uploaded (e.g. spreadsheets vs. video files). |
| Invalid File Type Processing | Only accept file types relevant to the expected upload (e.g. don't allow .doc files if an image file is expected). |
| Direct Object Reference (DOR) Problems | DOR is an issue where the actual filename is pointed to directly. |
| Not Authorizing Access | Once a user is authenticated, many times they can perform any function in the application. Extra attention should be given to user authorization and permissions as well. |
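The following is an added example, not the blog's own code: a hardened PHP upload handler for the picture-sharing scenario described earlier, applying the input validation, file type, size and direct object reference checks from the table above. It assumes an upload directory outside the web root (/var/app/uploads), a 2 MiB limit and a form field named 'picture'; all three are illustrative choices.

```php
<?php
// Added example (not the blog's code): a hardened image-upload handler
// implementing the checks from the design-problems table. Paths, the
// size limit and the form field name are assumptions for illustration.
declare(strict_types=1);

// Allowed types keyed by the MIME type libmagic reports for the file bytes.
// The client-supplied filename and $_FILES['type'] never decide this.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_BYTES  = 2 * 1024 * 1024;      // size check (assumed limit)
const UPLOAD_DIR = '/var/app/uploads';   // assumed: outside the web root

/**
 * Validate and store one entry from $_FILES. Returns the random server-side
 * name on success; throws with a reason the application can log.
 */
function storeImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed or is not a real upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file exceeds size limit');
    }
    // Content check: a renamed .php script does not sniff as image/* to libmagic.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }
    // Second check: it must decode as an image, not just carry a forged header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    // Random server-side name from a fixed extension table: no user-controlled
    // path component reaches disk and no direct reference to a chosen filename.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                   // readable by the app, never executable
    return $name;
}
// Usage from the form handler ('picture' is the assumed upload field name):
// $stored = storeImageUpload($_FILES['picture']);
```

Because the stored name is random and the file sits outside the web root with a non-script extension, a script renamed to .jpg that somehow passed the content checks would still never be executed by the web server.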
Considerations for the Auditor
As an auditor, you are unable to dictate how applications should (or should have been) designed and coded, but there are quite a few safeguards and best practices that the organization should have in place to secure web applications and adjacent applications and infrastructure.
- Isolate web servers either physically or by VLAN. Systems located within other VLANs and subnets should NOT be allowed to traverse the network to production web servers. Preferably, access to the web servers should go through a bastion host or jump server.
- Verify that firewalls protecting web servers are configured with default Deny All rules for both incoming and outgoing traffic, and that web servers are prevented from making new connections to both external and internal systems.
- Verify that Information Security is part of the official SDLC and that developers and PMs adhere to the SDLC.
- Verify that effective penetration testing has been performed, and that identified issues have been addressed.
- Verify that an antivirus solution is implemented and kept up to date, and that all appropriate software, OS and security patches have been applied.
- Review process, user and program permissions and verify that the Principle of Least Privilege is in play, meaning that the minimal amount of privilege/authority is given to each module/component of the environment.
- Review web server configuration files to verify only needed services and features are enabled/installed on the web server (with the goal being to minimize the attack surface).
PBC Requests:
- Network topology diagrams.
- Relevant firewall and router ACL rules.
- The systems development lifecycle documentation.
- Periodic penetration testing results and reports.
- Evidence of antivirus software implementation and evidence that virus software and definitions are kept up to date.
- Software security patching policy and evidence that the plan is in place and systems are regularly patched.
- System-generated listings of process, user and application permissions outlining the permissions granted to each module in the environment.
- Change management documentation to prove that malicious file executions are a consideration during the QA/QC process. Further, you could request to inspect a sliver of source code demonstrating where an issue was addressed.
- Web server configuration settings.
Are we missing anything?
5 Comments
Source: https://risk3sixty.com/2015/01/08/pen-testing-malicious-file-execution/
Thank you guys. Your blog is very useful for someone new to the IT Audit world. Keep up the good work.
Another great article, but I would disagree with the notion that auditors can't dictate – or rather affect how applications are designed and developed. Our focus should be on ensuring applications are developed securely from the beginning. And that goes beyond the basic SDLC. The application development group should be following secure coding techniques that are enforced through numerous code reviews by as many people as possible. There are also Secure Code Analysis Tools that can be leveraged to further validate secure coding. Finally security scanning or penetration tests should be conducted as code is developed and migrated through lower environments. You don't want to wait until your code is in production before you conduct your first pen test. I think you alluded to some of these points in your post, but I would be more forceful in the notion that we as auditors can influence the development process.
Steve,
Thank you for the amazing response. I may update the post with your points. Just not sure what my and my co-author's perspective is on doing that at the moment.
I'd be interested in knowing in what capacity you work as an auditor. I think I see it as I am unable to dictate how development is done because I am always an external party working for internal audit, limited to creating process improvement memos after my review is complete.
I guess if I were part of the internal audit team as a full time employee, or Info Sec management, then yes I completely see your point.
@Shane @Steve –
From an internal audit perspective I think Steve makes a great point. Getting involved early and often, from a consultative and risk mitigation standpoint, is a plus.
For example, on one project a client was implementing a self service password reset option and we walked through the risks and solutions prior to development. We ultimately settled on a dual authentication (e-mail + text) solution.
@Shane
My auditing career (11 years) has been exclusively on the Internal side. I've also spent a few years in IT including application development. As a side note – I highly recommend IT auditors or auditors in general spend some time in operations to round out their perspective.
My approach in the past has been to evaluate the overall application development process to ensure a solid framework exists, including secure coding, code reviews, and testing, and that it is applied to all development projects. Of course there may be some variances for external vs. internal facing applications. Then as Christian noted, I would monitor development activities as part of any high profile project. A project audit will cover a wide array of activities including project management, financials, and customer communications as well as development. Unfortunately, when projects run low on funds or long on schedule, development and testing efforts tend to be the first that are squeezed.