
File upload functionality

Description

File upload functionality is commonly associated with a number of vulnerabilities, including:

  • File path traversal
  • Persistent cross-site scripting
  • Placing of other client-executable code into the domain
  • Transmission of viruses and other malware
  • Denial of service

You should review file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

  • Whether uploaded content can subsequently be downloaded via a URL within the application.
  • What Content-Type and Content-Disposition headers the application returns when the file's content is downloaded.
  • Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
  • Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
  • Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
  • What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
  • Whether archive formats such as ZIP are unpacked by the application.
  • How the application handles attempts to upload very large files, or decompression bomb files.

Remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

  • Use a server-generated filename if storing uploaded files on disk.
  • Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
  • Enforce a whitelist of accepted, non-executable file extensions.
  • If uploaded files are downloaded by users, supply an accurate non-generic Content-Type header, the X-Content-Type-Options: nosniff header, and also a Content-Disposition header that specifies that browsers should handle the file as an attachment.
  • Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration).
  • Reject attempts to upload archive formats such as ZIP.
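The following is an added example, not PortSwigger's code, showing how the factors listed under Description (hybrid GIFAR-style files, download headers, crafted filenames) translate into the checks recommended under Remediation. The size limit, the extension/magic-byte whitelist, the blocked-signature lists and the sample uploads are assumptions constructed for this example; the function names `reject_reason` and `accept_upload` are hypothetical, and the caller is expected to write the returned data under the server-generated name itself.

```python
"""Hardened upload validation (added example, not part of the original page).

Each check maps to one remediation bullet: size limit, extension whitelist,
content inspection against a whitelist of non-executable types, a blacklist
of executable/archive signatures to catch hybrid files such as GIFAR, a
server-generated filename, and safe download headers. All limits, lists and
sample files below are assumptions made for the example.
"""
import os
import secrets
from typing import Dict, Optional, Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed per-file limit

# Whitelist: lower-case extension -> (leading magic bytes, Content-Type to serve).
# ZIP, JAR, HTML, SVG and script types are deliberately absent.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".gif": (b"GIF8", "image/gif"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".pdf": (b"%PDF-", "application/pdf"),
}

# Blacklist of signatures that may sit *anywhere* in a hybrid file. A GIFAR is a
# valid GIF whose tail is a ZIP/JAR; Java's ZIP reader finds the archive by
# scanning backwards for the end-of-central-directory record, so a correct
# leading magic proves nothing on its own. Searched on the raw bytes.
BLOCKED_RAW = {
    b"PK\x03\x04": "zip/jar local file header",
    b"PK\x05\x06": "zip/jar end-of-central-directory record",
}
# Markers that let a browser sniff the file as a document; searched case-insensitively.
BLOCKED_HTML = {
    b"<script": "embedded script tag",
    b"<html": "embedded HTML document",
}


def reject_reason(original_name: str, data: bytes) -> Optional[str]:
    """Return why an upload must be rejected, or None if it passes every check."""
    if len(data) > MAX_UPLOAD_BYTES:
        return f"file exceeds {MAX_UPLOAD_BYTES} bytes"

    # Only the extension of the client-supplied name is consulted; the name
    # itself is never used, so a traversal-style name cannot escape the store.
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext not in ALLOWED_TYPES:
        return f"extension {ext!r} is not in the whitelist"

    magic, _ = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        return f"content does not match the {ext} signature"

    for signature, description in BLOCKED_RAW.items():
        if signature in data:
            return f"hybrid content detected: {description}"
    lowered = data.lower()
    for signature, description in BLOCKED_HTML.items():
        if signature in lowered:
            return f"hybrid content detected: {description}"
    return None


def accept_upload(original_name: str, data: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Validate an upload and return (server-generated name, Content-Type, download headers).

    The caller stores `data` under the returned name inside its upload directory
    and sends the returned headers whenever the file is served back to a user.
    """
    reason = reject_reason(original_name, data)
    if reason is not None:
        raise ValueError(f"upload rejected: {reason}")
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    stored_name = secrets.token_hex(16) + ext  # random; contains no client input
    content_type = ALLOWED_TYPES[ext][1]
    headers = {
        "Content-Type": content_type,                 # accurate, non-generic type
        "X-Content-Type-Options": "nosniff",          # stop browsers second-guessing it
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }
    return stored_name, content_type, headers


# Constructed sample uploads (not real files) for exercising the checks.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)
SAMPLE_GIFAR = b"GIF89a" + bytes(32) + b"PK\x03\x04" + bytes(16) + b"PK\x05\x06" + bytes(18)
SAMPLE_GIF_HTML = b"GIF89a" + b"<Script>"

if __name__ == "__main__":
    for name, blob in [("cat.png", SAMPLE_PNG), ("funny.gif", SAMPLE_GIFAR),
                       ("funny.gif", SAMPLE_GIF_HTML), ("shell.php", SAMPLE_PNG)]:
        print(name, "->", reject_reason(name, blob) or "accepted")
```

Note that the checks are layered on purpose: the magic-byte test alone would accept a GIFAR, and the extension test alone would accept a `.png` holding HTML, so each bullet of the remediation closes a gap the others leave open. Decompressing archives is avoided entirely by keeping archive types off the whitelist, which also sidesteps decompression bombs.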

Typical severity

Information

Type index

0x00500980