Man In The Middle Attack On File Uploads

Information Security Asked by Mojo on December 7, 2020

I am using a web service (call it X) which allows files to be uploaded to AWS S3.

The way it works is that an initial call is made to X which then returns a list of file descriptors and also meta information which should be injected into the web form as hidden fields that the user is presented with to choose a file to upload. One of these hidden fields is the url of the S3 bucket where the file will be uploaded to.

When the user chooses a file and clicks submit the file is sent as byte streams to the S3 location.

I see two security concerns here:

  1. The url which is returned from calling X and then set as a hidden field in the form could be hijacked and substituted for another url of the hacker’s choosing
  2. I am not sure if this is possible, but could the byte stream from the user’s browser to the S3 bucket be diverted?

Is this paranoia or are these actual real security concerns?

2 Answers

If the security measures are taken on both the client side and the server side, there shouldn't be any problem. All web services should implement these things:

  • The connection should be secured via SSL.
  • If you are posting data to the server, there should be CSRF tokens in your form fields so untrusted users can't send data to the server.
  • On the server, never trust data entered by users; do data validation.

So if you are using a third-party service, just check its documentation or ask its developers directly.

Please note that setting a field hidden in the form is not a security measure; it is just for UI, so the user doesn't see unnecessary input fields when entering data.

Answered by Soheil on December 7, 2020

actual real security concerns?

This depends on whether or not the application is properly secured.

  • Is the url served via a secure connection (HTTPS)?
  • Are all common security headers set, especially strict-transport-security?
  • ...and other important headers, like X-Frame-Options to prevent clickjacking?
  • Does the web application have a proper CORS policy/configuration?
  • Is the web page secured against XSS (no vulnerable javascript frameworks used, X-XSS-Protection header properly set)?
  • Is the form submitted via a secure connection (HTTPS)?
  • Is "Service X" trustworthy?

When all of the above is true, and/or set up correctly, I don't see why this should be any less or more secure than having the url already pre-set in the web application.

It would be preferable if service X were under the control of the same owner as the web application itself, since things like "trustworthiness" may change over time.

Just make sure that the application doesn't allow arbitrary upload urls for assets. I've seen that before, that webpage APIs allowed the user to specify the upload-url path, making it possible to create signed upload- and even download-links.

Answered by Martin Fürholz on December 7, 2020
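The last point in the answer above (don't allow arbitrary upload URLs) can be enforced on the web application's server before the URL returned by service X is injected into the hidden form field. The following is an added example, not code from the question or either answer; the bucket hosts, the `upload_url` descriptor key and the `validate_upload_url` / `hidden_fields_for_form` names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only S3 bucket hosts this application ever uploads to.
# An attacker who can tamper with X's response cannot redirect uploads elsewhere
# as long as the rendered form only accepts URLs from this set.
ALLOWED_UPLOAD_HOSTS = {
    "example-uploads.s3.amazonaws.com",
    "example-uploads.s3.eu-west-1.amazonaws.com",
}


def validate_upload_url(url: str, allowed_hosts=ALLOWED_UPLOAD_HOSTS) -> bool:
    """Return True only for an https URL whose host is an allowlisted bucket.

    Rejects plain http (the byte stream could be read or rewritten in transit),
    embedded credentials (user@host tricks that hide the real host), explicit
    ports, and hosts that merely contain the expected bucket name.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        if parts.port is not None:  # may raise ValueError on a malformed port
            return False
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    return host in allowed_hosts


def hidden_fields_for_form(descriptor: dict) -> dict:
    """Build the hidden form fields from X's descriptor (assumed shape).

    The upload URL is checked against the allowlist before it is rendered;
    an unexpected URL aborts form generation instead of being passed through.
    """
    url = descriptor.get("upload_url", "")
    if not validate_upload_url(url):
        raise ValueError("upload URL is not an allowlisted S3 bucket; refusing to render form")
    fields = {k: v for k, v in descriptor.items() if k != "upload_url"}
    fields["upload_url"] = url
    return fields
```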
