Man In The Middle Attack On File Uploads

Information Security Asked by Mojo on December 7, 2020

I am using a web service (call it X) which allows files to be uploaded to AWS S3.

The way it works is that an initial call is made to X, which then returns a list of file descriptors and also meta information that should be injected as hidden fields into the web form the user is presented with to choose a file to upload. One of these hidden fields is the url of the S3 bucket to which the file will be uploaded.

When the user chooses a file and clicks submit, the file is sent as a byte stream to the S3 location.

I see two security concerns here:

  1. The url which is returned from calling X and then set as a hidden field in the form could be hijacked and replaced with another url of the hacker's choosing.
  2. I am not sure if this is possible, but could the byte stream from the user's browser to the S3 bucket be diverted?

Is this paranoia or actual real security concerns?

2 Answers

If the security measures were taken on both the client side and the server side, there shouldn't be any problem. All web services should implement these things:

  • The connection should be secured via SSL.
  • If you are posting data to the server, there should be CSRF tokens in your form fields so untrusted users can't send data to the server.
  • On the server, never trust data entered by users, and do data validation.

So if you are using a third-party service, just check its documentation or ask its developers directly.

Please note that setting a field hidden in the form is not a security measure; it is just for the UI, so the user doesn't see unnecessary input fields when entering data.

Answered by Soheil on December 7, 2020
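The two points above that matter most for this flow are "never trust data entered by users" and "a hidden field is not a security measure". The example below is added here and is not code from the question or from either answer. It shows the server-side check that belongs in front of the upload url that service X returns (and that the second answer also asks for: no arbitrary upload urls), plus HTML-escaped rendering of the hidden fields so the meta information from X cannot inject script into the page. The bucket host allowlist, the sample urls and the meta values are constructed placeholders.

```python
"""Server-side validation of the S3 upload URL before it goes into the form.

Added example, not code from the question or the answers. It assumes the
application knows in advance which bucket hosts it ever uploads to; the
bucket names and sample URLs below are constructed placeholders.
"""
import html
from urllib.parse import urlsplit

# Constructed allowlist: the only bucket hosts this application uploads to.
ALLOWED_UPLOAD_HOSTS = {
    "example-uploads.s3.amazonaws.com",
    "example-uploads.s3.eu-west-1.amazonaws.com",
}


def validate_upload_url(url: str) -> str:
    """Return url unchanged if it may be injected into the form, else raise ValueError.

    Run this on the server against what service X returned. A hidden input is
    editable by anyone with a browser, so a value that comes back from the
    client must be validated again (or better, never trusted at all).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"upload URL must use https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("upload URL must not carry userinfo (user@host)")
    host = (parts.hostname or "").lower()
    # Exact match only: a suffix check would accept lookalike hosts such as
    # "example-uploads.s3.amazonaws.com.attacker.example".
    if host not in ALLOWED_UPLOAD_HOSTS:
        raise ValueError(f"upload host {host!r} is not an allowed bucket")
    if parts.port not in (None, 443):
        raise ValueError(f"unexpected port {parts.port}")
    return url


def is_allowed_upload_url(url: str) -> bool:
    """Boolean wrapper around validate_upload_url for callers that just branch."""
    try:
        validate_upload_url(url)
    except ValueError:
        return False
    return True


def hidden_field(name: str, value: str) -> str:
    """Render one hidden input, escaping name and value so meta information
    from X cannot break out of the attribute and inject script into the page."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<input type="hidden" name="{safe_name}" value="{safe_value}">'


def build_form_fields(upload_url: str, meta: dict) -> str:
    """Validate the destination, then render it and the other descriptors as hidden inputs."""
    fields = [hidden_field("upload_url", validate_upload_url(upload_url))]
    fields.extend(hidden_field(k, str(v)) for k, v in meta.items())
    return "\n".join(fields)


if __name__ == "__main__":
    ok = "https://example-uploads.s3.amazonaws.com/"
    # Constructed meta values standing in for what X would return.
    print(build_form_fields(ok, {"key": "user/123/${filename}", "policy": "constructed-policy"}))
    for bad in (
        "http://example-uploads.s3.amazonaws.com/",
        "https://attacker.example/collect",
        "https://example-uploads.s3.amazonaws.com.attacker.example/",
        "https://example-uploads.s3.amazonaws.com@attacker.example/",
    ):
        print(bad, "->", is_allowed_upload_url(bad))
```

The allowlist is matched exactly rather than by suffix, and userinfo is rejected outright, because both are the usual ways a url that "looks like" the bucket slips past a weaker check. Escaping is applied at render time regardless of how trustworthy X is, since the second concern in the question (the stream being diverted) starts with being able to change what the page says the destination is.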

"actual real security concerns?"

This depends on whether or not the application is properly secured.

  • Is the url served via a secure connection (HTTPS)?
  • Are all common security headers set, especially strict-transport-security?
  • ...and other important headers, like X-Frame-Options to prevent clickjacking?
  • Does the web application have a proper CORS policy/configuration?
  • Is the web page secured against XSS (no vulnerable JavaScript frameworks used, X-XSS-Protection header properly set)?
  • Is the form submitted via a secure connection (HTTPS)?
  • Is "Service X" trustworthy?

When all of the above is true, and/or set up correctly, I don't see why this shouldn't be less or more secure than having the url already pre-set in the web application.

It would be preferable if service X were under the control of the same owner as the web application itself, since things like "trustworthiness" may change over time.

Just make sure that the application doesn't allow arbitrary upload urls for assets. I've seen that before, where webpage APIs allowed the user to specify the upload-url path, making it possible to create signed upload and even download links.

Answered by Martin Fürholz on December 7, 2020
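The checklist in this answer can be turned into a repeatable check rather than a manual review. The following is an added example, not the answerer's code: it audits one response's headers against the points listed above (HTTPS, Strict-Transport-Security, X-Frame-Options, a non-wildcard CORS origin, X-XSS-Protection). It takes the page url and a plain dict of response headers, which is what a client library or a browser's network panel gives you; the two header sets at the bottom are constructed to show a weak and a hardened configuration side by side.

```python
"""Audit one HTTP response against the header checklist in the answer above.

Added example, not the answer's code. Input is the page URL and its response
headers as a dict; the WEAK_HEADERS and HARDENED_HEADERS samples are constructed.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the usual minimum max-age for HSTS


def _hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or 0."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_headers(page_url: str, headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    if not page_url.lower().startswith("https://"):
        findings.append("page (and thus the form and its hidden fields) is not served over HTTPS")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: a first plain-HTTP visit can be intercepted")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is shorter than one year")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN: the upload form can be framed (clickjacking)")

    acao = h.get("access-control-allow-origin")
    if acao is not None and acao.strip() == "*":
        findings.append("Access-Control-Allow-Origin is a wildcard: any origin may read this response")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection not set (legacy header on the checklist; not a substitute for XSS-safe templating)")

    return findings


# Constructed sample: the headers of a poorly configured upload page.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "*",
}

# Constructed sample: the same page after the checklist has been applied.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Origin": "https://app.example",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    cases = (
        ("weak", "http://app.example/upload", WEAK_HEADERS),
        ("hardened", "https://app.example/upload", HARDENED_HEADERS),
    )
    for label, url, hdrs in cases:
        findings = audit_headers(url, hdrs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Header names are lower-cased before lookup because servers and proxies vary the casing, and the HSTS value is parsed for its max-age rather than just checked for presence, since a short max-age gives almost none of the protection the answer is after.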
