OWASP Top 10 number 3: Malicious File Execution
By
·
·
Interview
Likes
(1)
Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!
Comment
Save
11.6K Views
Join the DZone community and get the full member experience.
Join For Free
The Top 10 Web Application security vulnerabilities
Number 3 in the Top
10 most critical web application security vulnerabilities
identified by the Open
Web Application Security Project (OWASP)
is Malicious File Execution, which occurs when
attacker's files are executed or processed by the web server. This can
happen when an input filename is compromised or an uploaded file is
improperly trusted.
Malicious File Execution can result in:
Protecting against Malicious File Execution
Java specific Protecting against Malicious File Exection
References and More Information:
Examples
- file is accepted from the user without validating content
- filename is accepted from the user
In the example below a file name is accepted from the user and appended to the server's filesystem path.
// get the absolute file path on the server's filesystemIf the filename was compromised to ../../web.xml , it might allow access to web server properties
String dir = servlet.getServletContext().getRealPath("/ebanking")
// get input file name
String file = request.getParameter(“file”);
// Create a new File instance from pathname string
File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));
Malicious File Execution can result in:
- files loaded from another server and executed within the context of the web server
- modifying paths to gain access to directories on the web server
- malicious scripts put into a directory with inadequate access controls
Protecting against Malicious File Execution
- the Java EE Security Manager should be properly configured to not allow access to files outside the web root.
- do not allow user input to influence the path name for server resources
- Inspect code containing a file open, include, create, delete...
- firewall rules should prevent new outbound connections to external web sites or internally back to any other server. Or isolate the web server in a private subnet
- Upload files to a destination outside of the web application directory.
- Enable virus scan on the destination directory.
Java specific Protecting against Malicious File Exection
Use the OWASP ESAPI HTTPUtilities interface:
- The
ESAPI HTTPUtilities interface is a collection of methods that provide
additional security related to HTTP requests, responses, sessions,
cookies, headers, and logging.
The HTTPUtilities getSafeFileUploads method uses the Apache Commons FileUploader to parse the multipart HTTP request and extract any files thereinpublic class HTTPUtilities
public void getSafeFileUploads(java.io.File tempDir,
java.io.File finalDir)
throws ValidationException
References and More Information:
- Top 10 most critical web application security vulnerabilities
- Open Web Application Security Project (OWASP)
- OWASP TOP 10 FOR JAVA EE
- OWASP Enterprise Security API
- OWASP ESAPI Overview Presentation
Web application
Execution (computing)
Web server
Opinions expressed by DZone contributors are their own.
Comments