Avoiding code injection / XSS attacks from uploaded files

Our application recently went through penetration testing and the tester had found that file uploads are vulnerable to XSS attacks. We use traditional web and allow users to download and view files that they and others have uploaded. The tester found that there are no measures taken against file contents to prevent XSS attacks. They used a file with JavaScript inserted into the metadata that would be executed on a user's system when they open the file from our application or download and open it on their system. We use the Upload widget for our file uploads and the Download action for downloads (in cases for viewing, we have the "Save to Disk" attribute set to False). Does OutSystems have a simple solution to this or does anyone have any recommendations on cleaning the files uploaded to prevent these attacks?

Hello Ross,

If I understood correctly, your tester has outlined the possibility of users uploading malicious files to your application, and the vector of attack is other users downloading these files and executing them on their system. This is considerably harder to resolve than code injection/XSS attacks: those are solved through proper sanitization before presenting user-generated content. The issue is that once a user downloads a file from your application, they have changed environments - you can control what a user does while they remain in your application, but not on their own local system.

This is an issue common to most public online file hosters, and I believe most of them scan uploaded files with antivirus APIs (VirusTotal comes to mind, but I have no idea of their requirements/restrictions) to try and detect most common attacks. But this is only a best effort solution, and ultimately, this is more of a user education problem rather than an application problem.

Hi Afonso,

Thanks for the response. With our application we would like to avoid using an antivirus API since it would most likely delay the file upload more and we would then have to deny upload of malicious files. Instead, we would like to sanitize them on upload. Do you have any examples of sanitization being implemented or any recommendations on how to implement it?

Using the functions seems very self-explanatory, but these work for things like text input fields. I cannot find any examples or solutions to attacks that are built into file data (in our example, the file's metadata).
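
As an added example (not part of the thread and not OutSystems functionality), here is one way to sanitize file metadata at upload time, assuming the uploads are JPEG images: the function walks the JPEG segment stream, drops EXIF/XMP/comment segments and anything appended after the end-of-image marker, and rejects malformed input. The function name `strip_jpeg_metadata`, the kept-segment policy and the sample bytes are assumptions of this example.

```python
import struct

EOI, SOS, COM = 0xD9, 0xDA, 0xFE
# Assumption: APP0 (JFIF) and APP14 (Adobe colour info) are kept for decoders;
# all other APPn segments (EXIF, XMP, ICC, IPTC) and COM comments are dropped.
KEEP_APP = {0xE0, 0xEE}

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG, dropping metadata segments and any bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out, i = bytearray(b"\xff\xd8"), 2
    while True:
        if i + 2 > len(data) or data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:              # fill byte before a marker
            i += 1
            continue
        if marker == EOI:               # trailing data after EOI is discarded
            return bytes(out + b"\xff\xd9")
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        is_app = 0xE0 <= marker <= 0xEF
        if marker != COM and not (is_app and marker not in KEEP_APP):
            out += data[i:end]
        i = end
        if marker == SOS:               # copy entropy-coded scan data verbatim
            start = i
            while i + 1 < len(data):
                nxt = data[i + 1]       # FF00 = stuffed byte, FFD0-D7 = restart
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
            out += data[start:i]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a valid segment stream, not a decodable picture.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00<script>alert(1)</script>")
          + _seg(COM, b"<script>alert(2)</script>") + _seg(0xDB, b"\x00" * 65)
          + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34"
          + b"\xff\xd9<script>trailing</script>")
```

Other formats (PDF, Office documents, SVG) carry metadata differently and need their own handling.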
