Securing Web Uploads: Extension Denylisting

Securing Web Uploads

At the forefront of cybersecurity lies an ever-present battle between web defenders and attackers; one such battleground is file uploads – an integral component of many web applications that, if neglected properly, can become an entryway for cyber threats to enter.

Uploading web shells without authorization stands out as one particularly risky tactic that allows attackers to gain entry to web servers; this comprehensive guide explores this innovative method of bypassing extension deny listing to upload web shells while providing information on both its mechanics as well as strategies necessary to combat it.

The Threat Landscape: Denylisting and Their Vulnerabilities

To secure file upload features, developers often employ extension deny listing, which prohibit the upload of files with extensions (.php, .exe, .js, etc.) known to be executable or harmful.

Consequently, this security measure aims to prevent the direct upload of scripts that could be executed on the server to initiate a web shell or other forms of attacks.

However, reliance on deny listing specific extensions can be an Achilles’ heel if not implemented with a deep understanding of the underlying server behavior and potential bypass techniques.

Anatomy of an Extension Bypass Attack

Bypassing denylisting is not about brute force; it’s an art that combines creativity with technical acumen. Here’s how attackers typically orchestrate this type of bypass:

  1. Initial Reconnaissance:
    Once reconnaissance is complete, attackers move on to identifying server types to exploit their unique characteristics.
  2. Server Type Identification:
    With server type identified, attackers proceed to manipulate server behaviour to bypass security measures.
  3. Manipulating Server Behaviour:
    For Apache servers, an attacker might upload a .htaccess file with directives that force the server to interpret files with a custom, non-standard extension (like .l33t) as executable PHP files. This step is about outsmarting the server into defying its own rules.
  4. Crafting and Uploading the Web Shell:
    With the pathway cleared, the web shell can be uploaded using the newly allowed extension. This web shell can then act as a gateway for the attacker to execute commands, steal data, or further compromise the server.

Strengthening Defenses Against Extension Deny listing Bypass Techniques

The prevention of such attacks necessitates a layered and nuanced approach to security. Here are essential strategies:

  • Robust File Validation:Moving beyond validation, attention to Allowlisting and server configurations is paramount for a comprehensive defense strategy.
  • Use of Allowlisting:Beyond Allowlisting, continuous monitoring and maintenance are critical for staying ahead of evolving threats.
  • Security Configuration:Ongoing vigilance against evolving threats necessitates continuous monitoring and maintenance.
  • Regular Updates and Audits:Essential for promptly identifying and mitigating vulnerabilities, maintaining up-to-date systems and conducting routine audits are imperative.

Practical:

Goal: Find Carlos’s secret

  1. Navigate to https://portswigger.net/web-security/all-labs#file-upload-vulnerabilities> Access the following lab from the file upload vulnerabilities.
  1. Navigate to “My account” tab.
  1. Login with the default credentials (wiener: peter).
portswigger Login
  1. Try uploading a image file with .png extension and you may notice that you are successfully able to upload an image file.
portswigger upload acoount page
  1. During penetration testing, an attempt to upload a web shell with a “.php” extension may initially seem futile due to server restrictions on allowable file extensions. This limitation often leads to a moment of discouragement, where many might consider abandoning this avenue of attack. However, for those testing Apache servers (in this lab), the presence of a “.htaccess” file can be a game-changer. This configuration file for Apache allows for detailed management of server behaviour, including how file types are handled. By crafting a custom “.htaccess” file, pentesters can redefine server rules to accept and execute files with non-standard extensions, effectively bypassing the extension denylisting. This method highlights the importance of understanding server specifics and leveraging them to circumvent seemingly strict upload policies.
  2. Next go back to the “My Account” tab.
  3. Upload any text file.
portswigger text file uplaod

8.Intercept the “Upload” request using Burp Suite.

portswigger upload using Burp Suite
  1. Observe the file name parameter and remove any contents of the original file.
Observe the file name parameter and remove any contents of the original file

10. Change the filename parameter to “.htaccess” and add the following in the body of the request AddType application/x-httpd-php .l33t and click “Forward”.

portswigger intercepter
  1. This step involves modifying the request to upload a “.htaccess” file, instructing the server to treat files with the custom “.l33t” extension as executable PHP scripts, thereby bypassing the restriction on executing files with standard executable extensions.
  2. Next go back to the file upload page, upload a random “image” file with “.png” extension and intercept the upload request.
  3. Change file name parameter to “exploit.l33t”, Add the following <?php echo file_get_contents(‘/home/carlos/secret’); ?> to the body of the request and click “Forward”.
portswigger intercepter 2
  1. This step updates the file name in the request to “exploit.l33t” and incorporates a PHP script into the request body. You may change this script to any php shell code according to your need in real world scenarios). In our case this script is designed to read and display the contents of the file located at ‘/home/carlos/secret’.
  2. Go back to the “My Account” tab, Right-click the image icon and select the “Open image in new tab”.
Open image in new tab in my account in portswigger
  1. Observe that we retrieve the goal of this lab that is to retrieve the Carlos’s secret.
portswigger intercepter 3
TL;DR

The exploration of bypassing denylisting to upload web shells, demonstrated in the PortSwigger Web Security Academy’s lab, is a stark reminder of the game between cyber attackers and defenders.

It not only showcases the attackers’ ingenuity in finding loopholes but also highlights the indispensable need for robust, layered security defenses in web applications. Through this exercise, the critical role of stringent file validation, preference for Allowlisting, and continuous security auditing is brought to the forefront, emphasizing that security is an ongoing process that requires constant vigilance and adaptation.

This scenario underscores the vital lesson for cybersecurity professionals: understanding vulnerabilities and implementing proactive, resilient strategies amid evolving cyber threats demands continuous learning and improvement.

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.

Join us on our journey of growth and development by signing up for our comprehensive courses.