This article covers security testing: how to test a file upload feature against malicious uploads. It may serve as a reference for readers facing the same problem.

Problem description

Need to test file upload feature for security.
Purpose is to avoid/stop any type of malicious files from being uploaded.

Thanks!!

Recommended answer

There are multiple vulnerabilities that usually come up around file uploads/downloads.

Any uploaded file should be virus-checked. As @CandiedOrange responded, you can use the EICAR test for that purpose.

The filename for an uploaded file is the same type of user input as any other field in the request; an attacker can freely choose the filename. As a tester, you can send something like "../filename" to try and save it to unintended locations or to overwrite other files.

If the filetype restriction is only on the client, that's obviously useless for security. But even if the file extension is restricted on the server side, say only .pdf is allowed, you can still try to upload something.pdf.php or something.pdf.exe or similar to get around the filter. It's best if the application uses some real content discovery to find out if the uploaded file is actually an allowed filetype.

Some browsers have this awesome (not) feature that when a file is downloaded, the browser looks into its content and displays it according to the content, regardless of the content type header received from the server. This means even if uploads are restricted to say .pdf, an attacker might upload an html file with javascript, in a file named "something.pdf" and when somebody else downloads that file, the browser may run the javascript, thus making the application vulnerable to XSS. To prevent this, the application should send the X-Content-Type-Options: nosniff response header.

If an attacker can upload too many or too big files, he may be able to achieve denial of service by filling up the space on the server.

An application might save uploaded files to a location directly accessible to the webserver. In such a case, download links would look similar to /uploads/file.pdf. This is only suitable for public files, access control cannot be enforced that way, anybody that has the link can download the file.

If files are not available to all logged on users, the application must perform authorization to decide whether the user that's logged in can actually download the file he is requesting. Too many times this authorization step is missing or flawed, resulting in the application being able to serve the wrong files to users cleverly modifying requests.

So the bottom line is, file upload/download vulnerabilities are much more than just virus checking uploaded files.
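As an added illustration, not code from the answer or from the original poster, the checks listed above collected into one small upload/download handler in Python. The allowed-type list, the magic bytes, the size cap and the in-memory store are assumptions standing in for a real application's storage and content sniffer.

```python
import posixpath
import secrets

ALLOWED = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}  # extension -> required leading bytes (assumed allowlist)
MIME = {"pdf": "application/pdf", "png": "image/png"}
MAX_BYTES = 5 * 1024 * 1024  # per-file cap so uploads cannot fill the disk (assumed value)

def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one upload, applying the answer's checks in order."""
    # 1. The filename is attacker-controlled: reject path components, control characters
    #    and quotes, so "../filename" cannot escape the upload directory or break headers.
    name = filename.replace("\\", "/")
    if name != posixpath.basename(name) or name in ("", ".", "..") or any(ord(c) < 32 or c == '"' for c in name):
        return False, "invalid filename"
    # 2. Allowlist the *last* extension: "something.pdf.php" is judged as "php".
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext or '(none)'}"
    # 3. Size limit against disk-filling denial of service.
    if len(content) > MAX_BYTES:
        return False, "file too large"
    # 4. The bytes must be the claimed type: an HTML page named "something.pdf"
    #    passed the extension check but fails here.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

class FileStore:
    """In-memory stand-in for storage outside the web root, keyed by random ids."""
    def __init__(self) -> None:
        self._files: dict[str, tuple[str, str, bytes]] = {}  # id -> (owner, name, data)

    def put(self, owner: str, filename: str, content: bytes) -> str:
        ok, reason = validate_upload(filename, content)
        if not ok:
            raise ValueError(reason)
        file_id = secrets.token_hex(16)  # the download link carries only this id
        self._files[file_id] = (owner, filename, content)
        return file_id

    def get(self, requester: str, file_id: str):
        """Authorize before serving: knowing a valid id alone never grants access."""
        entry = self._files.get(file_id)
        if entry is None or entry[0] != requester:
            return None
        _, name, data = entry
        headers = {"Content-Type": MIME[name.rsplit(".", 1)[-1].lower()],
                   "Content-Disposition": f'attachment; filename="{name}"',
                   "X-Content-Type-Options": "nosniff"}  # forbid browser content sniffing
        return headers, data
```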

07-26 02:16