For most organizations, web application security begins with solutions designed to address the Open Web Application Security Project (OWASP) Top Ten Web Application Security Risks[1]. These risks include the most common web application attack vectors, such as SQL injection and cross-site scripting (XSS). However, OWASP also catalogues dozens of additional vulnerabilities, such as unrestricted file uploads[2], which “represent a severe risk to applications.”
OPSWAT recently published its Web Application Security Report 2021, which reveals that almost all (99 percent) of the companies surveyed are concerned, to varying degrees, about protecting against malware and cyberattacks delivered through file uploads. Organizations deploy file upload portals for a variety of reasons, such as submitting forms and applications or sharing and collaborating on content. More than half (51 percent) of the organizations with a file upload portal process more than 5,000 file uploads per day. This volume, which includes submissions from third-party sources, gives attackers a wide attack surface to exploit.
OPSWAT recommends 10 Best Practices for File Upload Security, yet only 8 percent of organizations with file upload portals have fully implemented all ten. More than half of the organizations with file upload portals have implemented fewer than half of these best practices. This is a major blind spot in their web application security strategy, especially given the rapid increase in targeted attacks.
A major challenge is the ever-evolving and increasingly sophisticated nature of cyberattacks. Organizations cannot rely on traditional ‘check-the-box’ defenses. Relying on half measures provides a false sense of security and is not in line with the zero-trust approach that is vital for critical infrastructure protection. With that in mind, let us look at a few common web application security myths that need debunking.
Myth #1: My Web Applications Are Secure Because I Have a Web Application Firewall (WAF)
FACT: For most organizations, web application security begins with a WAF; unfortunately, for many organizations it also ends there. WAFs monitor and control HTTP traffic to web services, making them ideal for addressing the OWASP Top Ten, which is why they are such a popular web application security solution. However, a WAF’s focus on HTTP traffic is also its limitation: it cannot perform deeper inspection of other content, such as the files uploaded through a web application. This leaves the door open for any attack or malicious payload hosted within those files to slip by undetected.
Myth #2: My File Uploads Are Secure Because I Limit the Specific Types of Files That Can Be Uploaded
FACT: It is true that limiting file types is a best practice, because many file types may contain malicious executables; in fact, nearly two-thirds of organizations with file upload portals already do so. For example, an organization may let its customers upload files to streamline document sharing; in this case it would make sense to block .exe files. However, it would be counterproductive to block common document files, such as .doc and .pdf. Yet even these most common document file types are vulnerable to exploitation: macros can carry obfuscated malicious code that downloads further malicious payloads. Organizations would be much better off using a prevention-based technology like CDR (Content Disarm and Reconstruction), which strips anything potentially malicious out of the individual components of a document to deliver a ‘safe-to-consume’ file.
Myth #3: My Web Applications Are Secure Because I Scan File Uploads with an Anti-Virus Engine
FACT: Scanning for known malware is also a best practice for file upload security, and again nearly two-thirds of organizations with file upload portals already do so. However, malware can easily bypass a single AV engine, and integrating multiple AV and anti-malware engines is challenging and resource intensive. OPSWAT research has shown that it takes more than 20 AV engines to reach detection rates greater than 99 percent, yet 95 percent of organizations use fewer than 20 AV engines. Different AV engines also respond to new malware at different speeds. A key protection against both known and unknown malware, Content Disarm and Reconstruction (CDR), deconstructs files into their individual elements, sanitizes them to eliminate malicious content, and restores them to a functional file. However, only one-third of organizations have fully deployed CDR, an even lower rate than for AV.
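The two points above (extension allowlisting is only a start, and a document can be "disarmed" by rebuilding it without its active content) are easier to reason about with a concrete check. The following Python is an added illustration, not OPSWAT code and not how MetaDefender Deep CDR works internally: it allowlists extensions, verifies that the leading bytes match the claimed type, inspects an OOXML (.docx/.xlsx) package for a VBA project, and then performs a deliberately minimal "disarm and reconstruct" pass that rebuilds the package without the VBA parts and the references to them. The function names, the signature table and the sample package built by build_sample_docx are all constructed for this example; the OOXML part names and content types are the real ones.

```python
# Added example (not OPSWAT code): extension allowlist, magic-byte check,
# OOXML macro detection, and a toy "disarm and reconstruct" pass for OOXML.
import io
import re
import zipfile

# Allowlisted extensions and the leading bytes each must carry (constructed table).
ALLOWED_SIGNATURES = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML packages are ZIP archives
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}
OOXML_EXTENSIONS = {".docx", ".xlsx"}

# Parts that hold VBA code inside an OOXML package, and the main-part content types
# of macro-enabled vs. plain Word documents (real OOXML identifiers).
MACRO_PART = re.compile(r"^(word|xl|ppt)/(vbaProject\.bin|vbaData\.xml)$")
DOCM_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def ooxml_problem(data: bytes):
    """Return a rejection reason for an OOXML package, or None if it looks macro-free."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(MACRO_PART.match(n) for n in names):
                return "document contains a VBA project"
            if "[Content_Types].xml" not in names:
                return "missing [Content_Types].xml"
            if b"macroEnabled" in zf.read("[Content_Types].xml"):
                return "document declares a macro-enabled content type"
    except zipfile.BadZipFile:
        return "not a valid OOXML package"
    return None


def validate_upload(filename: str, data: bytes):
    """Allowlist the extension, then insist the bytes match it; returns (accepted, reason)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension %s not allowlisted" % (ext or "(none)")
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match the %s signature" % ext
    if ext in OOXML_EXTENSIONS:
        problem = ooxml_problem(data)
        if problem:
            return False, problem
    return True, "accepted"


def sanitize_docx(data: bytes) -> bytes:
    """Toy CDR pass: rebuild the package without its VBA parts and the references to them.

    Real CDR products rebuild every component; this only drops the macro container,
    its [Content_Types].xml override and relationship, and demotes the main part type.
    """
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            if MACRO_PART.match(name):
                continue  # drop the VBA container entirely
            content = src.read(name)
            if name == "[Content_Types].xml":
                content = re.sub(rb"<Override[^>]*vbaProject\.bin[^>]*/>", b"", content)
                content = content.replace(DOCM_MAIN, DOCX_MAIN)
            elif name.endswith("/_rels/document.xml.rels"):
                content = re.sub(rb"<Relationship[^>]*vbaProject[^>]*/>", b"", content)
            out.writestr(name, content)
    return out_buf.getvalue()


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package as sample input (not a real Word file)."""
    main_ct = (DOCM_MAIN if with_macro else DOCX_MAIN).decode()
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
    rels = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        rels += ('<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/'
                 '2006/relationships/vbaProject" Target="vbaProject.bin"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types>%s</Types>" % overrides)
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        zf.writestr("word/_rels/document.xml.rels", "<Relationships>%s</Relationships>" % rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    macro_doc = build_sample_docx(True)
    print(validate_upload("report.docx", macro_doc))                  # rejected: VBA project
    print(validate_upload("report.docx", sanitize_docx(macro_doc)))   # accepted after disarm
    print(validate_upload("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60))  # rejected: not a PDF
```

The point of the example is the ordering of the checks: an extension allowlist alone accepts an executable renamed to .pdf, the signature check catches that, and only a look inside the package catches a macro-bearing document that is otherwise a perfectly valid .docx. The sanitizer then shows why CDR is described as deconstruct, sanitize, restore: the document is rebuilt part by part rather than patched in place, and the result passes the same validator.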
Secure File Uploads for Web Application Security
When it comes to web application security, organizations need to think beyond the OWASP Top Ten and beyond deploying only a web application firewall. For file uploads, organizations need to balance security and productivity: blocking executables may reduce risk, but blocking common document types is infeasible. Likewise, when scanning for malware, a single AV engine may reduce the risk of known attacks but remains susceptible to zero-day attacks and APTs.
OPSWAT’s MetaDefender platform offers comprehensive solutions for File Upload Security and helps organizations close Web Application Security gaps by integrating simultaneous scans with multiple AVs and other key technologies like Deep CDR. MetaDefender Multiscanning integrates more than 30 AV engines to detect over 99 percent of known malware. MetaDefender Deep CDR prevents zero-day attacks and APTs by sanitizing more than 100 common file types. MetaDefender can also detect file-based vulnerabilities and verify more than 4,500 common file types, two further key best practices for file upload security.