A guide to secure file uploads: how to make your website bullet-proof

If you manage a website with user-generated content, you should know how to protect yourself from potential threats hiding in the upload process. Every day, 300 million images are uploaded to Facebook alone. Add to this almost 100 million photos and videos shared on Instagram daily, and the unmeasurable amount of all the other uploads on the internet… It’s no wonder that attackers take advantage of this opportunity to insert various malware into the system.

In fact, every 10th attack on a WordPress website is conducted via file upload services. To make a long story short, the action plan to protect your website from the “bad guys” looks like this.

How to secure your file uploads step by step

  1. Understand what the “bad guys” want
  2. Explore which scenarios they use to attack your site
  3. Learn how to secure all the sensitive parts of the upload environment

So what can you do to secure a file upload site? For this guide, we selected the most common malware tactics and found the best security solutions that will let you sleep well at night.

Tactic #1. Overwrite and control

If this type of attack happened offline, it would look like this: a criminal breaks into your office, opens a safe with all the company documents, and substitutes, say, the company’s regulations with another document which is outwardly indistinguishable from the original. A similar activity occurs in the virtual dimension: a hacker uploads a file with the same name and extension as one you already have, which results in some very serious problems. The new file overwrites the existing one and the chaos begins.

What happens next? You have a Trojan horse in your sanctum sanctorum. Using the malicious file, hackers can launch an attack on your server, change security settings, crash your website, or open a faster path for future malware uploads.

Look at the case of Equifax: three years ago, the company suffered a massive cyberattack that resulted in the exposure of full names, birth dates, Social Security numbers and other personal data of almost 50% of the US population. The hackers found a vulnerability allowing them to execute malicious commands on the server when uploading files based on the parser. Among other malicious activities, they installed several fraudulent applications on the affected Equifax servers, and tried to infect the root directory and disable the firewall service on system boot.

How to deal with it? First sign in, then upload

Build a barrier that will restrict all anonymous users from uploading anything to your website. How to implement it? Here’s how we do it with File Uploader by Uploadcare: with the Signed Uploads feature, every user needs your permission to upload a file.

Also, it’s a good idea to use Authenticated URLs to control who has access to the uploaded information and for how long. Both techniques are important, and help us to make sure that an API key won’t be enough to break into your server and that no anonymous users get access to the data.

Tactic #2. Intercepting transferred files

If your service invites users to upload ID cards or any other personal documents, and if you store the uploaded files on a cloud service, security is especially crucial. Attackers often use so-called spoofing activity aimed at getting access to files stored in the cloud or transferred over the Internet.

Cybercriminals can easily intercept unencrypted files, so there’s a risk of not only putting private data in the wrong hands, but also besmirching your reputation for reliability, which will ensure that you won’t be a player in the same sector for very long.

How to deal with it? Encryption, encryption, encryption

The good news is that spoofing, or spying, is a very common hacking method, which means there is a variety of strong security measures you can implement. The best option is to have two types of encryption.

Firstly, use the SSL protocol to secure all traffic between the user’s browser and the upload servers, so as to make it troublesome for attackers to obtain the access token (basically an access key given to the upload service by uploading sources like Facebook, Dropbox, etc.).

Secondly, if the hackers still manage to overcome the first layer of security and intercept the data, it’s better to further encrypt the access token passed in the upload request so it can’t be used anywhere but on your own server.

Basically, the best way to protect sensitive data is not to gather it at all. For instance, at Uploadcare, when connecting your social media or other upload sources, we never request your passwords, store them, or have access to any of your data. As a result, there’s no risk of exposing any personal data, since there’s no such data on the server.

Tactic #3. The infamous DoS and similar attacks

Remember those movie scenes when a poor speaker gets a sudden shower of rotten tomatoes from the audience? These episodes often end with the speaker shamefully leaving the stage. In this scenario, attackers play the part of the angry audience: they simultaneously upload extremely large files, flooding your bandwidth with huge amounts of traffic.

Denial of service (DoS) and botnets are just a couple examples of this type of attack. This tactic leads to your website crashing — it becomes inaccessible and “leaves the stage” just like the victim of the rotten tomatoes.

How to deal with it? Limit the file sizes

To protect the stability of your service, you want to keep control over who and when can upload files to your website. Two-step verification can be useful here, as well as limiting the size of the file: both very large and very small files can be used for a DoS attack, so don’t forget to establish a minimum file size limit as well.

Tactic #4. Data vulnerability — a shortcut through the URL

This is a modern version of the old adage: “Never keep all your eggs in one basket.” Here, we assume that some attackers have managed to upload a malware file to your storage. How can you minimize the risks for your website and your clients’ data? The only option is to block the malicious file from being executed via the URL path; in other words, you’ll localize the negative effect in the storage folder and cut the access to your website’s information.

How to deal with it? Opt for an external storage directory or use a third-party uploader

What you need to do here is to direct user-generated content to a place outside of your website’s public directory. There are two ways to achieve this: you might prefer to create an external storage folder yourself, or you could use a third-party upload service like File Uploader by Uploadcare.

The first option is good for companies that can afford to pay developers to spend time creating an uploading infrastructure. The second one, on the other hand, is good for businesses who want to delegate the task to professionals and not spend their time maintaining and updating the security system. A reliable third-party solution, like an online data room, makes it easier to scale up the service, because all the infrastructure is already there, and experienced engineers will help tailor it according to your needs.

If you choose to try File Uploader, you don’t really need to keep reading this guide, since all the security solutions mentioned above and below are implemented there, and operate under the watchful eye of our developers.

Tactic #5. File extension manipulations

The file extension is always shown after the dot in the filename, like .gif or .png, right? Not quite, actually. When attempting to bypass security barriers, attackers often use “masks.” They can easily rename a malicious .exe file to .jpeg or any other allowed and commonly used file extension. That’s a surprisingly common way a virus can sneak into your system unnoticed.

How to deal with it? Verify file types after blacklisting the suspicious ones

Protection from “undercover” invasions includes two steps. First, make sure you restrict all the unnecessary and potentially harmful file types from being uploaded. Second, as the “masking tactic” can overcome this measure, you also need a feature which verifies if the contents of the files actually correspond to the extensions provided. Then, only verified files will be uploaded to the server.

No time to worry about security? Delegate it!

If you feel that you have no time or desire to dive into these topics yourself, let us take care of both your security and your clients’ privacy.

File Uploader is compliant with the Health Insurance Portability and Accountability Act (HIPAA), a set of privacy standards protecting patients' medical records which is essential for all businesses that transmit health-related information; as well as with the GDPR, a regulation in EU law regarding data protection and privacy, which aims at granting control to individuals over their personal data.

Data encryption, access control, backups and more: all of it made convenient with the full support of Uploadcare engineers.

Infrastructure for user images, videos & documents