We recently ran a cyber security penetration test by a third-party company. One of the findings (rated as medium) was that our file upload was not secure enough. Currently, when a user uploads a file into our reactive app, we run a call to a third-party REST API which scans the file and returns the result. The issue with this approach was that since the API returns the result in a JSON response (including a boolean flag to say if the file is clean or not), that communication is vulnerable to MITM attacks that might manipulate the response value and allow malicious files.
Our plan is to have two stages of file scanning: one on the file upload (client side), another when the file actually lands and is stored in Azure Storage. However, is there a way, or is there a recommendation or advice on the best way to implement the client-side file scan (for malicious content) that can minimize the threat of relying on a third-party API response? Is there a way to do this with OutSystems?
Hi Hugo, you should always validate user input on the server side. I recommend moving the third-party REST API scan to the server side, and then you can decide whether to save the file in Azure Storage or not. Running validations on the client side only is not enough and can always be bypassed.
How would you suggest scanning a file for virus/malicious content server side?
Do you mean moving the API check to the server side? The problem is it will always be relying on trusting an API JSON response, which is the main point for a man-in-the-middle attack.
Yes, you should move the API call and check to the server side.
Because on the client side an attacker can upload a malicious file and intercept the response of the third-party API to change it and allow uploading the file. However, if you have one action that gets called from the client side and that action validates and saves the file, then the user on the client side will not be able to see the response of the third-party file check API.
As for the man-in-the-middle concerns, you should communicate with the third-party API only over HTTPS and make sure that the response is coming from a party with a valid certificate (check with your network team).
@Hugo Seixas: I have a different proposal for you.
My understanding is that you can do basic file validation using JavaScript (like extension, MIME, size, etc.) and you need specialised software for in-depth analysis.
Use server-side validation to check, or use some cloud server and trigger a function which can check the file, like a Lambda function in AWS. Use HTTPS to secure the communication between client and server.
If you are using a REST API, make sure that you consume that API on the server side as well.
Your planning is looking good too.
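The pattern both answers describe, in one place: a single server-side action receives the bytes, runs the cheap checks (extension, size, content matching the extension), calls the scanner over TLS with certificate and hostname verification, and decides whether the file may be stored, ignoring any verdict the browser forwards. This is an added example written for this thread, not OutSystems code and not any poster's code. The scanner REST endpoint, its `{"clean": true}` response shape and the bearer-token header are hypothetical placeholders for whatever the real vendor API uses; the network call is injected as a callable so the module runs offline with constructed inputs.

```python
"""Server-side upload gate: cheap checks first, then the AV scan, then storage.

Added example (not OutSystems or forum poster code). The scanner REST API is
hypothetical: it is assumed to accept raw file bytes and answer with JSON like
{"clean": true}. The network call is injected so the module runs offline.
"""
import hashlib
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_BYTES = 5 * 1024 * 1024  # constructed size limit

# Constructed allow-list: extension -> leading "magic" bytes the content must carry.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}

Scanner = Callable[[bytes], Dict]


@dataclass
class Decision:
    accepted: bool
    reason: str
    sha256: str  # what to log and store alongside the object


def basic_checks(filename: str, data: bytes) -> Optional[str]:
    """Extension/size/content checks done on the server, where the browser
    cannot skip them. Returns a rejection reason, or None if the file passes."""
    if not data or len(data) > MAX_BYTES:
        return "size"
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in ALLOWED_TYPES:
        return "extension"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return "content does not match extension"
    return None


def scanner_tls_context() -> ssl.SSLContext:
    """TLS settings for the outbound scanner call: the chain is validated
    against the system trust store and the hostname must match the
    certificate, which is what stops a spoofed scanner response."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("refusing to call the scanner without certificate checks")
    return ctx


def http_scanner(url: str, api_key: str) -> Scanner:
    """Builds a scanner callable around the hypothetical REST endpoint.
    Not exercised offline; shown so the TLS context sits on the real path."""
    ctx = scanner_tls_context()

    def scan(data: bytes) -> Dict:
        req = urllib.request.Request(
            url, data=data, method="POST",
            headers={"Content-Type": "application/octet-stream",
                     "Authorization": f"Bearer {api_key}"},  # hypothetical auth scheme
        )
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    return scan


def gate_upload(filename: str, data: bytes, scan: Scanner,
                client_claims_clean: Optional[bool] = None) -> Decision:
    """The single server action the client calls. Any verdict the browser
    forwards (client_claims_clean) is ignored on purpose: only this server's
    own scanner call decides whether the bytes reach storage."""
    digest = hashlib.sha256(data).hexdigest()
    reason = basic_checks(filename, data)
    if reason is not None:
        return Decision(False, reason, digest)
    try:
        verdict = scan(data)
    except Exception as exc:  # scanner down or TLS failure: fail closed
        return Decision(False, f"scanner unavailable: {exc}", digest)
    if verdict.get("clean") is not True:
        return Decision(False, "scanner flagged file", digest)
    return Decision(True, "ok", digest)


def constructed_scanner(data: bytes) -> Dict:
    """Offline stand-in for the vendor API: flags a constructed marker string."""
    return {"clean": b"BAD-SAMPLE" not in data}


if __name__ == "__main__":
    print(gate_upload("report.pdf", b"%PDF-1.4 hello", constructed_scanner))
    # The client's claim of a clean file changes nothing: the server's own scan rejects it.
    print(gate_upload("report.pdf", b"%PDF-1.4 BAD-SAMPLE", constructed_scanner,
                      client_claims_clean=True))
```

In OutSystems terms this is the shape of a single server action that takes the Binary Data, performs the checks and the scanner call, and only then writes to Azure Storage; the client never receives the scanner's JSON, so there is nothing in the browser for a proxy to tamper with. The remaining trust boundary is the server-to-scanner hop, which is why the context refuses to run without certificate and hostname checks and why an unreachable scanner rejects rather than accepts the file.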