/ Java Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

OWASP Top 10 number 3: Malicious File Execution

DZone's Guide to

OWASP Top 10 number 3: Malicious File Execution

by
Carol McDonald
·
Oct. 09, 09 · Java Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Download Microservices for Java Developers: A hands-on introduction to frameworks and containers. Brought to you in partnership with Red Hat.

The Top 10 Web Application security vulnerabilities Number 3 in the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP) is Malicious File Execution, which occurs when attacker's files are executed or processed by the web server. This can happen when an input filename is compromised or an uploaded file is improperly trusted.

Examples

  • file is accepted from the user without validating content
  • filename is accepted from the user

In the example below a file name is accepted from the user and appended to the server's filesystem path.

// get the absolute file path on the server's filesystem 
String dir = servlet.getServletContext().getRealPath("/ebanking")
// get input file name
String file = request.getParameter(“file”); 
//  Create a new File instance from pathname string   
File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));  
If the filename was compromised to  ../../web.xml , it might allow access to web server properties

Malicious File Execution can result in:
  • files loaded from another server and executed within the context of the web server
  • modifying paths to gain access to directories on the web server
  • malicious scripts put into a directory with inadequate access controls

Protecting against Malicious File Execution

  • the Java EE Security Manager should be properly configured to not allow access to files outside the web root.
  • do not allow user input to influence the path name for server resources
    • Inspect code containing a file open, include, create, delete...
  • firewall rules should prevent new outbound connections to external web sites or internally back to any other server. Or isolate the web server in a private subnet
  • Upload files to a destination outside of the web application directory.
    • Enable virus scan on the destination directory.

Java specific Protecting against Malicious File Exection

Use the OWASP ESAPI  HTTPUtilities interface:

  • The ESAPI HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.

    The HTTPUtilities getSafeFileUploads method uses the Apache Commons FileUploader to parse the multipart HTTP request and extract any files therein

    public class HTTPUtilities 

        public void getSafeFileUploads(java.io.File tempDir,
                                   java.io.File finalDir)
                            throws ValidationException


References and More Information:



Download Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design. Brought to you in partnership with Red Hat

Like This Article? Read More From DZone

A Data Exploration Journey With Cars and Parallel Coordinates
Apply Caching and Offline Storage in your iOS App
Livecoding: 3D Is Hard, WebAR Defeats Me

Free DZone Refcard

Getting Started With Play Framework
DOWNLOAD
Topics:

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Opinions expressed by DZone contributors are their own.

Java Partner Resources

Easily Build Continuous Delivery Pipelines with Jenkins and Pipeline Plugin
How To Resolve Network Partitions In Seconds With Lightbend Enterprise Suite
Combine the Innovations of NoSQL with the Critical Capabilities of Relational Databases
CA App Experience Analytics, a whole new level of visibility. Learn more.
Get Started with Spring Boot, OAuth 2.0, and Okta
We have the data behind great user experiences. Now you can too. Read the infographic.
Scale Out your Deployment with an Automated Sharding Process that Ensures Zero Application Downtime
Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design
The single app analytics solutions to take your web and mobile apps to the next level. Try today!
Play Framework: The JVM Architect's Path to Super-Fast Web Apps
Secure a Spring Microservices Architecture with Spring Security and JWTs
Top 10 Java Performance Problems

Java Partner Resources

Easily Build Continuous Delivery Pipelines with Jenkins and Pipeline Plugin
How To Resolve Network Partitions In Seconds With Lightbend Enterprise Suite
Combine the Innovations of NoSQL with the Critical Capabilities of Relational Databases
CA App Experience Analytics, a whole new level of visibility. Learn more.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone