Our application recently went through penetration testing and the tester found that file uploads are vulnerable to XSS attacks. We use Traditional Web and allow users to download and view files that they and others have uploaded. The tester found that there are no measures taken against file contents to prevent XSS attacks. They used a file with JavaScript inserted into the metadata that would be executed on a user's system when they open the file from our application or download and open it on their system. We use the Upload widget for our file uploads and the Download action for downloads (in cases for viewing, we have the "Save to Disk" attribute set to False). Does OutSystems have a simple solution to this, or does anyone have any recommendations on cleaning the files uploaded to prevent these attacks?
Hello Ross,
If I understood correctly, your tester has outlined the possibility of users uploading malicious files to your application, and the vector of attack is other users downloading these files and executing them on their system. This is considerably harder to resolve than code injection/XSS attacks: those are solved through proper sanitization before presenting user-generated content. The issue is that once a user downloads a file from your application, they have changed environments - you can control what a user does while they remain in your application, but not on their own local system.
This is an issue common to most public online file hosts, and I believe most of them scan uploaded files with antivirus APIs (VirusTotal comes to mind, but I have no idea of their requirements/restrictions) to try to detect the most common attacks. But this is only a best-effort solution, and ultimately, this is more of a user education problem rather than an application problem.
Hi Afonso,
Thanks for the response. With our application we would like to avoid using an antivirus API since it would most likely delay the file upload more and we would then have to deny upload of malicious files. Instead, we would like to sanitize them on upload. Do you have any examples of sanitization being implemented or any recommendations on how to implement it?
Using the functions seems very self-explanatory, but these work for things like text input fields. I cannot find any examples or solutions to attacks that are built into file data (in our example, the file's metadata).
Do you have suggestions for how you would handle this within the context of the application? We have a traditional web application in OutSystems cloud. We accept various file types for upload to the application such as word, pdf, excel, png, etc. If a bad actor had embedded code within the metadata of one of these file types, could we easily prevent it from being executed when served by the application for viewing in the browser? Thanks in advance for your feedback.
Hello Steven,
Honestly, I'm sticking with my original response. Sanitizing and checking data is a field unto itself and the reason VirusTotal and other tools exist - developing these sorts of solutions for each individual application would be impossible.
The best advice I can give you is that most vectors of attack these days are checked at their executing application level - the Office suite of applications will warn you before opening a file that may contain malicious scripting, and so will Visual Studio, for example.
Beyond checking for viruses and actual malicious software with an antivirus API or tool, you could look into each individual file type in order to take specific actions. PDFs can contain JavaScript, and you could use most PDF libraries to remove any code before presenting the PDF to the user. However, these sorts of solutions are going to be dependent on the file types you're working with, and barring an inordinate amount of time to handle them all, you'll have to identify what your attack surface is and how much of it you can cover.
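As an added illustration of the two layers discussed in this thread (the per-file-type checks at upload time from Afonso's reply, and the in-browser viewing case Steven asks about), here is a Python sketch that I wrote for this reply; it is not OutSystems code and not anything from the original posts. It checks the uploaded bytes against the declared extension using magic bytes, flags PDFs whose plain text declares active content, and builds the response headers a download endpoint should send so the browser neither sniffs the file as HTML nor runs it inside the application's origin. The allowlist, the list of PDF name objects and the header values are my assumptions; in OutSystems this logic would live in a server action or an extension. A plain-text scan cannot see names inside compressed object streams, so it complements rather than replaces a PDF library or antivirus scan.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed allowlist (assumption): declared extension -> (magic-byte prefix, MIME type
# the server will send). The browser must never receive a type taken from the uploader.
MAGIC_ALLOWLIST = {
    "pdf":  (b"%PDF-", "application/pdf"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "docx": (b"PK\x03\x04",
             "application/vnd.openxmlformats-officedocument.wordprocessingml.document"),
    "xlsx": (b"PK\x03\x04",
             "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"),
}

# PDF name objects that introduce active content (JavaScript, auto-run actions, launches,
# embedded files). A match is a signal for rejection or quarantine; names inside
# compressed object streams will not match, so this is a heuristic, not a full parse.
PDF_ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")


@dataclass
class UploadDecision:
    accepted: bool
    mime: str      # validated MIME type to store alongside the file; "" when rejected
    reason: str


def inspect_upload(filename: str, data: bytes) -> UploadDecision:
    """Decide whether an uploaded file may be stored, based on its bytes, not its name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    entry = MAGIC_ALLOWLIST.get(ext)
    if entry is None:
        return UploadDecision(False, "", f"extension '{ext}' is not in the allowlist")
    magic, mime = entry
    if not data.startswith(magic):
        # e.g. an HTML or SVG document renamed to .png
        return UploadDecision(False, "", "content does not match the declared type")
    if ext == "pdf" and PDF_ACTIVE_CONTENT.search(data):
        return UploadDecision(False, "", "PDF declares active content (JavaScript/OpenAction)")
    return UploadDecision(True, mime, "ok")


def download_headers(stored_name: str, mime: str, save_to_disk: bool) -> dict:
    """Headers for serving a stored file. `mime` is the value validated at upload time.

    - Content-Type + nosniff: the browser honours our type and will not guess HTML.
    - CSP sandbox: if the file is rendered as a document, scripts cannot run and it is
      treated as an opaque origin, so it cannot reach the application's cookies or DOM.
    - Content-Disposition: inline for the "Save to Disk = False" viewing case, attachment
      otherwise; the filename is sanitised so it cannot inject CR/LF or quotes.
    """
    safe_ascii = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name) or "download"
    disposition = "attachment" if save_to_disk else "inline"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": (
            f'{disposition}; filename="{safe_ascii}"; '
            f"filename*=UTF-8''{quote(stored_name, safe='')}"
        ),
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    samples = {
        "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj",
        "autorun.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R /JS (app.alert(1)) >>",
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "notes.png": b"<svg xmlns='http://www.w3.org/2000/svg'><script/></svg>",
    }
    for name, data in samples.items():
        d = inspect_upload(name, data)
        print(f"{name}: accepted={d.accepted} ({d.reason})")
        if d.accepted:
            print("  ", download_headers(name, d.mime, save_to_disk=False))
```

A script string sitting in an image's metadata only runs in the browser if the response is interpreted as HTML or SVG; sending the validated Content-Type with nosniff and a sandbox CSP closes that path, while the upload check stops an HTML or SVG document from being stored under an image extension in the first place. Neither layer protects a user who downloads an Office or PDF file and opens it locally, which is the part Afonso attributes to the opening application's own warnings and to antivirus scanning.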
I see. Based on your first response I thought there might have been another option we missed for protecting views from within the application. This makes sense. We will explore antivirus APIs for sanitization. Thanks again for taking the time to share your thoughts on this.
Also, please check this post, which is more helpful.
https://tech.ndianabasi.com/how-to-avoid-sql-injections-xss-attacks-and-file-upload-attacks-in-your-web-application