DOI: 10.1145/3589334.3645342
Research article (open access)

(In)Security of File Uploads in Node.js

Published: 13 May 2024

Abstract

File upload is a critical feature incorporated by a myriad of web applications in an effort to enable users to share and manage their files conveniently. It has been used in many useful services such as file-sharing and social media. While file upload is an essential component of web applications, the lack of rigorous checks on the file name, type, and content of the uploaded files can result in security issues, often referred to as Unrestricted File Upload (UFU). In this study, we analyze the (in)security of popular file upload libraries and real-world applications in the Node.js ecosystem. To automate our analysis, we propose and implement NodeSEC, a tool designed to analyze file upload insecurities in Node.js applications and libraries. NodeSEC generates unique payloads and thoroughly evaluates the application's file upload security against 13 distinct UFU-type attacks. Utilizing NodeSEC, we analyze the most popular file upload libraries and real-world applications in the Node.js ecosystem. Our analysis results reveal that some real-world web applications are vulnerable to UFU attacks and disclose serious security bugs in file upload libraries. As of this writing, we received 19 CVEs and two US-CERT cases for the security issues that we reported. Our findings provide strong evidence that dynamic features of Node.js applications introduce security shortcomings and that web developers should be cautious when implementing file upload features in their applications. Finally, combining our responsible disclosure experience and root cause analysis, we identified the main causes of significant security weaknesses in file uploads in Node.js.

Supplemental Material

Supplemental video (MP4 file)


Published In

WWW '24: Proceedings of the ACM Web Conference 2024
May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags: node.js; unrestricted file upload; web application security

Conference: WWW '24: The ACM Web Conference 2024, May 13 - 17, 2024, Singapore, Singapore

Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%
