(In)Security of File Uploads in Node.js

Download PDF

Harun Oz, Abbas Acar, AHMET ARIS, Güliz Seray Tuncay, Amin Kharraz, Selcuk Uluagac

Published: 23 Jan 2024, Last Modified: 23 May 2024TheWebConf24EveryoneRevisionsBibTeX
Keywords: Node.js, Unrestricted File Upload
TL;DR: In this study, we analyze the (in)security of popular file upload libraries and real-world applications in the Node.js ecosystem.
Abstract: File upload is a critical feature incorporated by a myriad of web applications in an effort to enable users to share and manage their files conveniently. It has been used in many useful services such as file-sharing and social media. While file upload is an essential component of web applications, the lack of rigorous checks on the file name, type, and content of the uploaded files can result in security issues, often referred to as Unrestricted File Upload (UFU). In this study, we analyze the (in)security of popular file upload libraries and real-world applications in the Node.js ecosystem. To automate our analysis, we propose and implement NodeSEC– a tool designed to analyze file upload insecurities in Node.js applications and libraries. NodeSEC generates unique payloads and thoroughly evaluates the application’s file upload security against 13 distinct UFU-type attacks. Utilizing NodeSEC, we analyze the most popular file upload libraries and real-world applications in the Node.js ecosystem. Our analysis results reveal that some real-world web applications are vulnerable to UFU attacks and disclose serious security bugs in file upload libraries. As of this writing, we received 19 CVEs and two US-CERT cases for the security issues that we reported. Our findings provide strong evidence that dynamic features of Node.js applications introduce security shortcomings and that web developers should be cautious when implementing file upload features in their applications. Finally, combining our responsible disclosure experience and root cause analysis, we identified the main causes of significant security weaknesses in file uploads in Node.js.
Track: Security
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 160