Help Us Identify UFUs: (Em)Powering Vulnerability Scanners with FUEL (gpn22)

Published: May 31, 2024, 8 a.m.

Nowadays, many websites rely on user-generated content, e.g., by allowing users to upload images, videos, documents, or other files. If not handled carefully, Unrestricted File Uploads (UFUs) may appear and become a serious security issue.
Our academic results show that some UFU types still fly under the state-of-the-art vulnerability scanners' radars, leaving websites at risk of severe vulnerabilities, such as Remote Code Execution or Cross-Site Scripting.
Thus, we propose a File Upload Exploitation Lab (FUEL) to (em)power vulnerability scanners to become better at identifying UFUs and invite the community to reFUEL.

If web applications fail to validate or handle user-uploaded files properly, security issues such as Cross-Site Scripting or Remote Code Execution may arise. While PHP-based web applications are known to be prone to Unrestricted File Upload (UFU) vulnerabilities, other programming languages and web frameworks might be affected, too.

Academic and non-academic work has covered many types of UFU vulnerabilities and created vulnerability scanners to identify them.
We have compared four different vulnerability scanners (BurpSuite, ZAP, FUSE and Fuxploider) with our novel File Upload Exploitation Lab (FUEL) to identify potential shortcomings in their detection capabilities. The results show that none of these state-of-the-art scanners manages to identify the UFU vulnerability in all of the 15 FUEL scenarios.

Attendees of this talk will learn about UFUs and some less-known file upload bypasses. Further, we hope to raise awareness that, similar to humans, no tool is perfect. Last but not least, we will invite the community to extend FUEL with more UFU scenarios to create a more thorough vulnerability scanner evaluation framework.

The academic paper is to be published at DIMVA 2024, but we wanted to give the community a sneak preview :)
about this event: https://cfp.gulas.ch/gpn22/talk/FSMH9M/
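The abstract describes the root cause of UFUs as applications that fail to validate uploaded files properly. The following Python snippet is an added illustration of the defensive side of that claim and is not code from the talk, the paper or the FUEL project: a minimal upload validator that enforces an extension allowlist over every extension in the name (so a name carrying a second, non-allowlisted extension is refused), checks that the file's leading bytes match the claimed type, rejects path components in the supplied name, and assigns a random server-side name so the client never controls where or under which name the file lands. The allowlist, the magic-byte table and the sample uploads are constructed for this example.

```python
import os
import secrets

# Constructed allowlist: lowercase extension -> expected leading bytes.
# Only types the application actually needs to accept belong here.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed size limit


class UploadRejected(ValueError):
    """Raised when an uploaded file fails any validation step."""


def validate_upload(filename: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES):
    """Validate a client-supplied (filename, content) pair.

    Returns (extension, stored_name) on success, where stored_name is a
    random server-chosen name that should be used instead of the client's.
    Raises UploadRejected otherwise.
    """
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")

    # The client name must be a bare file name: no separators, no NUL bytes.
    if "\x00" in filename or os.path.basename(filename.replace("\\", "/")) != filename:
        raise UploadRejected("path components in file name")

    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing base name or extension")

    # Every extension in the name must be allowlisted, not just the last one,
    # so "report.php.png" is refused even though it ends in ".png".
    extensions = parts[1:]
    for ext in extensions:
        if ext not in ALLOWED_TYPES:
            raise UploadRejected(f"extension not allowed: .{ext}")
    ext = extensions[-1]

    # The content must look like the type the name claims; a text payload
    # renamed to ".png" fails here regardless of the Content-Type header.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match claimed type")

    # Never reuse the client's name on disk: pick a random one and keep only
    # the validated extension.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return ext, stored_name


def is_accepted(filename: str, data: bytes) -> bool:
    """Boolean convenience wrapper around validate_upload."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads: (label, client file name, content bytes).
SAMPLES = [
    ("real png", "photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("uppercase ext", "photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("text as png", "photo.png", b"<?php echo 1; ?>"),
    ("double ext", "photo.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("traversal", "../photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("no ext", "photo", b"\x89PNG\r\n\x1a\n"),
]


def run_samples():
    """Return {label: accepted?} for the constructed samples."""
    return {label: is_accepted(name, data) for label, name, data in SAMPLES}


if __name__ == "__main__":
    for label, ok in run_samples().items():
        print(f"{label:14s} -> {'accepted' if ok else 'rejected'}")
```

The magic-byte check is necessary but not sufficient: it only proves the content starts like the claimed type. The stored file should additionally live outside the web root (or on a host that never executes uploaded content) and be served with a fixed Content-Type and `X-Content-Type-Options: nosniff`, so that a file passing these checks still cannot be interpreted as a script by the server or the browser.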