Help Us Identify UFUs: (Em)Powering Vulnerability Scanners with FUEL

Sebastian Neef aka gehaxelt and Moaath

Playlists: 'gpn22' videos starting here / audio

Nowadays, many websites rely on user-generated content, e.g., by allowing users to upload images, videos, documents, or other files. If not handled carefully, Unrestricted File Uploads (UFUs) may appear and become a serious security issue.
Our academic results show that some UFU types still fly under the state-of-the-art vulnerability scanners' radars, leaving websites at risk of severe vulnerabilities, such as Remote Code Execution or Cross-Site Scripting.
Thus, we propose a File Upload Exploitation Lab (FUEL) to (em)power vulnerability scanners to become better at identifying UFUs and invite the community to reFUEL.

If web applications fail to validate or handle user uploaded files properly, security issues such as Cross-Site Scripting or Remote Code Execution may arise. While PHP-based web applications are known to be prone to Unrestricted File Upload (UFU) vulnerabilities, other programming languages and web frameworks might be affected, too.

Academic and non-academic work has covered many types of UFUs vulnerabilities and created vulnerability scanners to identify them.
We have compared four different vulnerability scanners (BurpSuite, ZAP, FUSE and Fuxploider) with our novel File Upload Exploitation Lab (FUEL) to identify potential shortcomings in the detection capabilities. The results show that none of these state-of-the-art scanners manages to identify the UFU vulnerability in all of the 15 FUEL scenarios.

Attendees of this talk will learn about UFUs and some less-known file upload bypasses. Further, we hope to raise the awareness that, similar to humans, no tool is perfect. Last but not least, we will invite the community to extend FUEL with more UFU scenarios to create a more thorough vulnerability scanner evaluation framework.

The academic paper is to be published at DIMVA 2024, but we wanted to give the community a sneak preview :)