Prevent multi upload with users

#1
Hi
In my app, users can upload files to the server with a username and password.
There is no problem with the upload or the authentication.
The big problem is:
If a user has the username and password, they can upload a file with a PHP script.
Example:
POST: username=user&password=1234 and contains the file form

If a hacker executes this URL in a PHP script, they can upload a file to the server.

How can I prevent file uploads except from the app?
Thanks

#2
(07-18-2018, 08:39 AM)omid_student Wrote: Post: username=user&password=1234 and contain file form

Are the username and password on the URL - www.mydomain.com/upload/?username=user&password=1234

Or do you mean that when the user makes a POST request, they are effectively posting their username and password at the same time as the file?

#3
(07-18-2018, 11:16 AM)Pertti Wrote:
(07-18-2018, 08:39 AM)omid_student Wrote: Post: username=user&password=1234 and contain file form

Are the username and password on the URL - www.mydomain.com/upload/?username=user&password=1234

Or do you mean that when the user makes a POST request, they are effectively posting their username and password at the same time as the file?
Yes, I make a POST request.
However, I encrypt the data with AES, but let's assume it is not encrypted.

#4
Got it.

So you are worried that if a hacker knows the endpoint URL, username and password, they can just keep uploading?

CodeIgniter CSRF protection might help. It won't stop them posting data at your server, which could become a DDoS issue on its own, but it will help you to filter out valid requests and ignore the rest.

#5
(07-18-2018, 11:51 AM)Pertti Wrote: Got it.

So you are worried that if a hacker knows the endpoint URL, username and password, they can just keep uploading?

CodeIgniter CSRF protection might help. It won't stop them posting data at your server, which could become a DDoS issue on its own, but it will help you to filter out valid requests and ignore the rest.

No, my problem is not the file type or content.
My problem is only to allow file uploads from the app and to prevent file uploads with the username and password from REST tools or PHP.
I tried to prevent it with the user agent or a special API key for mobile, but that is not sufficient.

#6
(07-18-2018, 12:12 PM)omid_student Wrote: No, my problem is not the file type or content.
My problem is only to allow file uploads from the app and to prevent file uploads with the username and password from REST tools or PHP.
I tried to prevent it with the user agent or a special API key for mobile, but that is not sufficient.

CSRF is not for file type, it's for making sure the incoming requests originate from the server in the first place.

There's more stuff on it here:
https://www.owasp.org/index.php/Cross-Si...heat_Sheet

#7
(07-18-2018, 12:39 PM)Pertti Wrote:
(07-18-2018, 12:12 PM)omid_student Wrote: No, my problem is not the file type or content.
My problem is only to allow file uploads from the app and to prevent file uploads with the username and password from REST tools or PHP.
I tried to prevent it with the user agent or a special API key for mobile, but that is not sufficient.

CSRF is not for file type, it's for making sure the incoming requests originate from the server in the first place.

There's more stuff on it here:
https://www.owasp.org/index.php/Cross-Si...heat_Sheet

Yes, I know, but it is good on the web.
When a user opens a form, we add a token into the form body while the form is open, and CodeIgniter checks it when we post it.
But in the application there is no form, and I have to get a token before uploading the file, which I think is bad, isn't it?

#8
(07-18-2018, 12:39 PM)Pertti Wrote:
(07-18-2018, 12:12 PM)omid_student Wrote: No, my problem is not the file type or content.
My problem is only to allow file uploads from the app and to prevent file uploads with the username and password from REST tools or PHP.
I tried to prevent it with the user agent or a special API key for mobile, but that is not sufficient.

CSRF is not for file type, it's for making sure the incoming requests originate from the server in the first place.

There's more stuff on it here:
https://www.owasp.org/index.php/Cross-Si...heat_Sheet

Finally, I decided to generate a token, have the app fetch it, send it with each request and check it on the server.
I save the token in the session for 7200s and use JWT for the token.
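The approach settled on in post #8, as an added example that is not code from the thread or from CodeIgniter: the server issues a short-lived HS256 JWT once the app has authenticated, and the upload endpoint refuses to touch the file until that token verifies. Function names, the `Bearer` header convention and the `upload` field name are assumptions; `$secret` stands for a server-only signing key.

```php
<?php
// Added example, not from the thread. Issues an HS256 JWT with a 7200 s lifetime
// (post #8) and checks it on every upload before the file is processed.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Issue a token for an authenticated user. $now is injected so it can be tested.
function issueToken(string $username, string $secret, int $now, int $ttl = 7200): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $username, 'iat' => $now, 'exp' => $now + $ttl]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the verified claims, or null if the token is missing, tampered or expired.
// The signature is always recomputed with HMAC-SHA256; the token's own "alg"
// field is never trusted, which closes the alg=none / key-confusion cases.
function verifyToken(?string $token, string $secret, int $now): ?array {
    if ($token === null || substr_count($token, '.') !== 2) {
        return null;
    }
    [$header, $payload, $sig] = explode('.', $token);
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {                // constant-time compare
        return null;
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null;                                    // expired or malformed
    }
    return $claims;
}

// Upload handler (hypothetical): check the token before looking at $files at all,
// so an unauthenticated caller never gets the file written anywhere.
function handleUpload(array $headers, array $files, string $secret, int $now): int {
    $auth   = $headers['Authorization'] ?? '';
    $token  = strncmp($auth, 'Bearer ', 7) === 0 ? substr($auth, 7) : null;
    $claims = verifyToken($token, $secret, $now);
    if ($claims === null) {
        return 401;                                     // no valid app session
    }
    if (empty($files['upload']) || $files['upload']['error'] !== UPLOAD_ERR_OK) {
        return 400;
    }
    // move_uploaded_file() into a per-user directory keyed on $claims['sub'] goes here.
    return 201;
}
```

The token binds an upload to a recently authenticated session and caps how long a captured token is useful, but it does not by itself prove the request came from the official app rather than any client that holds valid credentials; server-side controls (per-user rate limits, file type and size validation) remain the protection that cannot be bypassed by reimplementing the client.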
