Vulnerabilities Identified in Multipart Form-Data Parsers
Quick take - The article discusses the vulnerabilities in web application firewalls (WAFs) and multipart form-data handling due to non-compliance with RFC standards in existing parsers, highlighting the need for improved validation techniques and ongoing scrutiny to mitigate security risks.
Fast Facts
- Current web application firewalls (WAFs) and multipart form-data handling face scrutiny due to vulnerabilities in parsers that do not fully comply with RFC standards.
- The Octofence WAAP project is transitioning from ModSecurity to a new Lua-based WAF engine to enhance compliance and validation of user inputs.
- Various bypass techniques exploit weaknesses in multipart handling, including duplicating parameters and omitting critical components like boundary strings.
- Recommended countermeasures for file upload validation include checking file extensions, verifying MIME types, and scanning for malware, though many parsers still fall short of RFC compliance.
- Established WAFs, including FortiWeb and Barracuda, are vulnerable to specific bypass techniques, highlighting the need for ongoing scrutiny and improvements in multipart parsers.
Security Landscape of Web Application Firewalls and Multipart Form-Data Handling
The security landscape surrounding web application firewalls (WAFs) and multipart form-data handling is currently under scrutiny due to vulnerabilities associated with existing parsers. An investigation into various parsers has revealed that none fully comply with RFC standards. This non-compliance leads to multiple opportunities for bypassing validation of filenames and content uploaded by users.
Critical Testing Scope
The issue is broad because the testing scope covers commonly used technologies, including PHP, Node.js and Python parsers, as well as established WAFs and load balancers such as HAProxy, FortiWeb and Barracuda. The Octofence WAAP project has shifted from using ModSecurity to developing a new WAF engine written in Lua, with the objective of strict compliance with RFC guidelines and therefore better validation of user inputs.
Current Lua parsers designed for multipart requests have proven ineffective in achieving this goal. Overly flexible parsers can create security vulnerabilities, allowing malicious inputs to bypass validation processes. Multipart form-data is a specific standard designed to facilitate file uploads alongside traditional form fields. Each component of a multipart message is separated by a unique boundary string, which is critical to the integrity of the request. The Content-Disposition header plays a pivotal role in defining the parameter name and filename for the content within multipart requests.
Exploitation Techniques
Various techniques exist that can exploit weaknesses in multipart handling:
- Bypass #0: Utilizing URL-encoded data in multipart requests.
- Bypass #1: Duplicating name parameters in multipart headers.
- Bypass #1.1: Duplicating filename parameters.
- Bypass #1.2: Duplicating Content-Disposition headers.
- Bypass #2: Breaking CRLF sequences.
- Bypass #3: Omitting double quotes from parameters.
- Bypass #4: Neglecting the closing boundary string.
- Bypass #5: Using the filename*=utf-8'' parameter in requests.
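As an added example (not code from the article or from any of the parsers it tests), a strict multipart/form-data validator in Python that rejects the malformed variants in the list above: duplicate name or filename parameters, duplicate Content-Disposition headers, bare CR or LF in place of CRLF, unquoted parameter values, a missing closing boundary, and the filename* parameter (which RFC 7578 forbids in form-data). The boundary string, the sample body and the function names are constructed for this example; Bypass #0 is not covered.

```python
import re
# Constructed sample (not from the article): one well-formed part, CRLF line endings.
BOUNDARY = "----FormBoundaryX1"
GOOD_BODY = (f"--{BOUNDARY}\r\n"
             'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
             "Content-Type: application/pdf\r\n\r\n%PDF-1.7 sample\r\n"
             f"--{BOUNDARY}--\r\n")
_PARAM = re.compile(r'\s*;\s*([A-Za-z0-9*_-]+)=("[^"\r\n]*"|[^;\s]*)')  # one ';' parameter
def parse_disposition(value: str) -> dict:
    """Only form-data, only name/filename, each once, each quoted (bypasses #1, #1.1, #3, #5)."""
    kind, _, rest = value.strip().partition(";")
    if kind.strip().lower() != "form-data":
        raise ValueError("disposition type must be form-data")
    params, pos, rest = {}, 0, rest and ";" + rest
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed parameter list")
        key, val = m.group(1).lower(), m.group(2)
        if key not in ("name", "filename"):  # RFC 7578 s4.2: filename* MUST NOT be used
            raise ValueError(f"unexpected parameter {key}")
        if key in params:
            raise ValueError(f"duplicate parameter {key}")
        if len(val) < 2 or val[0] != '"' or val[-1] != '"':
            raise ValueError(f"{key} value must be double-quoted")
        params[key], pos = val[1:-1], m.end()
    if "name" not in params:
        raise ValueError("name parameter missing")
    return params
def parse_strict(body: str, boundary: str) -> list:
    """Return [(params, data)] or raise on any framing deviation (bypasses #1.2, #2, #4)."""
    if re.search(r"\r(?!\n)|(?<!\r)\n", body):
        raise ValueError("bare CR or LF found: lines must end in CRLF")
    delim = "--" + boundary
    if not body.rstrip("\r\n").endswith(delim + "--"):
        raise ValueError("closing boundary missing")
    parts = []
    for chunk in body.split(delim)[1:]:        # [0] is the preamble, ignored per RFC 2046
        if chunk.startswith("--"):
            break                               # closing delimiter reached
        if not chunk.startswith("\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        head, sep, data = chunk[2:].partition("\r\n\r\n")
        if not sep or not data.endswith("\r\n"):  # CRLF before next delimiter belongs to it
            raise ValueError("part lacks header/body separator or trailing CRLF")
        cds = [h for h in head.split("\r\n") if h.lower().startswith("content-disposition:")]
        if len(cds) != 1:
            raise ValueError("expected exactly one Content-Disposition header")
        parts.append((parse_disposition(cds[0].split(":", 1)[1]), data[:-2]))
    return parts
```

Each rejection names the violated rule, which is the signal a WAF would log rather than silently normalising the request the way the lenient parsers in the article do.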
To counter these vulnerabilities, various file upload validation techniques are recommended:
- Conducting file extension checks to limit uploads to specific file types.
- Verifying MIME types to ensure the Content-Type header aligns with expectations.
- Inspecting magic bytes to confirm the actual format of uploaded files.
- Implementing file size limitations to prevent excessively large uploads.
- Scanning for viruses and malware within uploaded files.
- Performing content inspections to ensure files do not contain harmful elements.
- Validating filenames to check for illegal characters and sequences.
Ongoing Challenges and Vulnerabilities
Despite these countermeasures, many existing multipart parsers still do not adhere strictly to RFC directives, creating a breeding ground for potential exploitation. PHP applications, in particular, may accept malformed multipart messages, leading to serious security implications. Various WAFs, including FortiWeb and Barracuda, are susceptible to specific bypass techniques. The access control list (ACL) functionality of HAProxy can be circumvented by reformulating requests into multipart format. AWS WAF and Lambda functions lack integrated multipart parsers, leading to comparable vulnerabilities.
ModSecurity’s multipart parser has seen improvements, but it remains possible for it to block legitimate requests due to its stringent validation processes. The overarching conclusion highlights the significant challenges and vulnerabilities linked to multipart parsers in web applications. Ongoing scrutiny and improvement are necessary to safeguard against potential security breaches.