Typical File Extensions to Block in Uploads in Web Apps
Blocking Malicious File Uploads, Part 1: Best Practices
June 01, 2017 | published by George Prichici
In order to keep a business organization running properly, you need to share files with and from internal employees, partners, and customers. File uploading is ordinarily handled by the departments that often deal with sensitive information: accounting, HR, legal, etc. However, users no longer need to install a rogue application in order to get infected; that can happen by opening what appears to be a resume, an invoice, a courier receipt, or any other productivity file.
Any files coming inside an organization should be audited and analyzed, even when the sender seems to be a trusted, reliable source.
To ban file uploads altogether would be impractical. Clearly, it is necessary to make file uploading and importing more secure in order for businesses to function.
See Part 2 of this series.
See Part 3 of this series.
Productivity Files and File Uploads
The most commonly uploaded and shared files in office settings are:
- Microsoft Office files: doc(x), xls(x), ppt(x), etc.
- Images: jpeg, png, tiff, etc.
- PDFs
Most day-to-day activities rely on these file types, and at first glance they seem harmless. But advanced features in these file formats can be exploited by attackers. Most people are aware of malicious macros, but Microsoft Office documents (and not just Word or Excel files) can contain many other kinds of advanced threats as well. For example, OLE objects disguised as embedded multimedia, or script-enabled ActiveX controls, can be configured by attackers to download malicious payloads. PDFs may contain JavaScript that performs malicious actions.
Below are a few examples of how easy it was for attackers using ordinary productivity files to target enterprises or government agencies with high security standards:
- 2017 (DOC): Attack against major Israeli institutions and government officials
- 2017 (RAR containing PDF): Shamoon malware infection
- 2017 (DOC): Word macro attack on Mac users
- 2017 (HWP): South Korea Department of Defense is hacked*
*HWP documents are widely used in South Korea.
Additionally, malicious files can be disguised as one of these file types; these are called "spoofed" files.
First Steps to Keeping File Uploads Secure
Every organization has different workflows and different security needs. When designing a strategy to keep productivity file uploads secure, it's important to assess your unique situation. Start by asking questions like:
- How many restrictions can you add without impacting productivity?
- How much can you rely on user training? How confident are you that your users will actually apply everything they learn in security training?
- Even if you will first open files in a sandbox environment, how confident are you that the simulated environment will replicate the real environment to perfection?
Also consider your use case. When and why do users need to upload files to your portal? What formats are used? What are the risks in allowing those files to enter your organization?
If you are simply receiving scanned documents or resumes, collaborating with your partners on drafting agreements, or sharing invoices or POs:
- Why would you allow a PDF with embedded JavaScript?
- Are you sure you can trust a document that contains hyperlinks, macros, OLE objects, or ActiveX controls?
- How do you know if an image is legitimate and hasn't been crafted by an attacker?
But it's one thing to decide that any files containing scripts or macros should not enter an organization; it's another thing to enforce that policy. It is not a simple matter to determine what exactly a file contains without opening it.
This is why further steps are necessary to block malicious files disguised as common productivity files.
Best Practices
Only allow certain types of file formats. This is a simple but necessary step. The idea is to block any file type that is not needed for your team's productivity, while avoiding unnecessary risks. Make business-driven decisions about which kinds of files employees and users need, and which kinds are unnecessary. Doing so will eliminate only a small part of the risk of malicious file uploads, but it's a start.
Block unnecessary file types, disguised files, and spoofed files. Identifying and verifying the true type of a file is a tricky thing. A lot of file verification solutions rely on just reading the file extension. This is actually more dangerous than not having a solution in place at all, since users will expect that any file that comes through is safe to open. In fact that's not true: faking the true type of a file is a very old method of hiding malicious software, and any attacker worth their salt will take this step.
Additionally, with the simplified interfaces of contemporary operating systems that hide known file extensions, it's even easier for a spoofed file to hide in plain sight (a file named report.pdf.exe is shown to the user as report.pdf).
It is essential to find and implement a solution that can identify the true type of a file from its content, even when it is disguised.
Don't make the exception a rule. If only the design team needs to use and upload .psd and .ai files, set customized rules for them, rather than allowing everyone to upload those files. Keep the general set of allowed file types to a minimum.
Set up security policies that exceed the bare minimum. This may involve creating a custom solution for your application or organization. The best approach is to integrate with anti-malware scanning software so that all file uploads are scanned for malware, and all files containing malicious content are detected. An anti-malware integration of this kind would require the use of antivirus APIs.
Using a MetaDefender API integration, all file uploads will be scanned, not just with one anti-malware engine but with 30 or more, without significantly impacting user experience or upload speed.
At the end of the day, advanced threats require more advanced prevention measures. There is no one-size-fits-all solution out there.
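The following is an added example (not code from the original post or from OPSWAT) of how the three practices above fit together in an upload handler: an allowlist keyed by extension, identification of the real file type from its leading bytes and, for OOXML, its zip contents, and a check for the active content the article warns about (PDF JavaScript, embedded VBA projects, OLE embeddings, ActiveX parts). The allowlist, the per-team exception for .psd, and every sample file are constructed for the example; the PDF check is a substring heuristic that does not decompress object streams, and legacy OLE2 binaries (.doc/.xls/.ppt) are deliberately left off the default allowlist because inspecting them for macros needs a compound-file parser this example does not include.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Policy (an assumption of this example): extension -> sniffed types consistent with it.
# Legacy OLE2 formats are excluded on purpose; see lead-in.
ALLOWED = {
    ".pdf": {"pdf"},
    ".docx": {"ooxml-word"}, ".xlsx": {"ooxml-excel"}, ".pptx": {"ooxml-powerpoint"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".tif": {"tiff"}, ".tiff": {"tiff"},
}
# "Don't make the exception a rule": a separate policy for the design team only.
DESIGN_TEAM_ALLOWED = {**ALLOWED, ".psd": {"psd"}}

# Leading-byte signatures. Order matters only in that zip is handled separately below.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"II*\x00", "tiff"), (b"MM\x00*", "tiff"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"8BPS", "psd"),
    (b"MZ", "pe-executable"),                       # Windows executable
]
# PDF name objects that indicate active content. Heuristic: plain substring search,
# so names hidden inside compressed object streams are not seen.
PDF_ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


def _sniff_zip(data: bytes) -> str:
    """Distinguish OOXML documents from an arbitrary zip by their well-known parts."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if "word/document.xml" in names:
        return "ooxml-word"
    if "xl/workbook.xml" in names:
        return "ooxml-excel"
    if "ppt/presentation.xml" in names:
        return "ooxml-powerpoint"
    return "zip"


def sniff_type(data: bytes) -> str:
    """Identify the true type from content, ignoring the filename entirely."""
    if data.startswith(b"PK\x03\x04"):
        return _sniff_zip(data)
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def find_active_content(kind: str, data: bytes) -> list:
    """Return reasons the file carries scripts, macros, OLE objects or ActiveX."""
    reasons = []
    if kind == "pdf":
        reasons += ["pdf contains " + t.decode() for t in PDF_ACTIVE_CONTENT if t in data]
    elif kind.startswith("ooxml-"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                low = name.lower()
                if low.endswith("vbaproject.bin"):       # macros in a file claiming to be .docx
                    reasons.append("embedded VBA project: " + name)
                elif "/embeddings/" in low:               # word/, xl/, ppt/ embeddings
                    reasons.append("embedded OLE object: " + name)
                elif "/activex/" in low:
                    reasons.append("ActiveX control: " + name)
    return reasons


def validate_upload(filename: str, data: bytes, allowed=ALLOWED):
    """Return (accepted, detail). Only the last suffix counts, so report.pdf.exe is .exe."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext not in allowed:
        return False, f"extension {ext or '(none)'} not on allowlist"
    kind = sniff_type(data)
    if kind not in allowed[ext]:
        return False, f"content is {kind}, inconsistent with {ext}"
    reasons = find_active_content(kind, data)
    if reasons:
        return False, "; ".join(reasons)
    return True, kind


def _make_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; a real .docx has many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stub")
    return buf.getvalue()


# Constructed sample uploads (not real malware): each exercises one decision path.
SAMPLES = {
    "resume.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction "
                   b"<< /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n",
    "receipt.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,   # executable renamed to .pdf
    "contract.docx": _make_docx(with_macro=False),
    "macro.docx": _make_docx(with_macro=True),
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17,
    "report.pdf.exe": b"MZ" + b"\x00" * 62,                         # double extension
    "mockup.psd": b"8BPS\x00\x01" + b"\x00" * 20,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} -> {validate_upload(name, blob)}")
    print("design team mockup.psd ->", validate_upload("mockup.psd", SAMPLES["mockup.psd"], DESIGN_TEAM_ALLOWED))
```

Run as a script it prints one verdict per sample: the clean PDF, clean .docx and PNG pass; the PDF with JavaScript, the .docx carrying a vbaProject.bin, the MZ executable named receipt.pdf and the double-extension report.pdf.exe are all rejected with the reason; mockup.psd is rejected under the general policy and accepted only under the design-team policy. The point of the structure is that the filename is consulted once, to look up policy, and every other decision is made from bytes.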
For more information, please contact one of our cybersecurity experts.
Source: https://www.opswat.com/blog/blocking-malicious-file-uploads-part-1-best-practices