A Hole in the Bucket: Compromising Amazon Simple Storage Service


File upload vulnerabilities have existed since the early days of web applications. Due to the absence of robust security mechanisms, these flaws were introduced and remained unnoticed for years. These vulnerabilities often existed in plain sight until someone discovered and exploited them, deploying a backdoor and continuously accessing the system through it for a long time.

 

In a typical flow, a user uploads an image or file to a website, which gets stored on the server. When accessed, the file is retrieved from the server. However, weak security mechanisms allow attackers to upload malicious files to the server. At first glance, this may not seem like an issue, but a security researcher is always ahead of the curve.

 

In fact, if developers learn to code with broad and in-depth knowledge, they start identifying security issues independently. An in-depth understanding of any system often triggers critical questions like, "What if I do this?" or "What if I switch it with another value?" These questions can expose unintended behaviors in the system's functionality, potentially confirming the presence of vulnerabilities. Follow-up research may lead to critical exploits or reveal less severe bugs. In simple terms, only by deeply understanding how something is built can you figure out how to break it.

 

On the other hand, security novices who jump straight into attacking systems without understanding how they work are often called "script kiddies." These individuals typically rely on exploits created by experts rather than uncovering vulnerabilities themselves.

 

The rapid advancement of technology has introduced new elements into the equation, such as the S3 bucket. In this blog, we will explore how unrestricted file uploads on S3 buckets can be abused.

 

Background of File Uploads

Conventional file uploads are stored on the server in one of the folders within the web root. The web root is executable by default. Let’s suppose our application is written in PHP and has a folder called upload where all uploaded media is stored. If an attacker uploads a file containing malicious code with a .php extension, wouldn’t it appear similar to other legitimate PHP files? And upon retrieval, wouldn’t the code be executed? Let’s explore this further below:

 

Figure: An image-upload feature with weak security checks in place. [Security checks, validation, and bypasses are beyond the scope of this blog.]

The following one-liner will be placed in the file to be uploaded:
 

<?php echo "Shell";system($_GET['cmd']); ?>

 

The malicious code has been uploaded; let's break it down.

<?php ?>    → the opening and closing tags of a PHP block
echo "Shell";    → simply prints the word Shell when we retrieve the page
system()    → a function that takes an OS command and executes it
$_GET['cmd']    → $_GET holds the HTTP GET (URL) parameters, and 'cmd' is the name of the parameter

Assume the URL is example.com/file.php?cmd=id. Our malicious code takes the URL parameter and passes its value to the system function, and the result is displayed on the web page.

Figure: The file is successfully uploaded to the server. When the file is retrieved, the echo statement is executed and "Shell" is displayed on the webpage.

Figure: Webshell. The id command is passed in the URL parameter and the result is displayed on the webpage. Now we can execute shell commands over the web, hence the name WebShell.

Some defenses against this can be bypassed and others are robust, but that is a topic for another day. This is remote code execution via file upload: it affects the server side, can be escalated to compromise the server, and is critical.
 

 

Case Study

US Dept of Defense RCE via File upload

The question arises: If an end user's file is being stored on an S3 bucket instead of the backend server, the server will be oblivious to this particular attack. But is there still a vulnerability if the application has no checks in place for uploading? Perhaps a different attack vector and impact?

 

The Intervention of S3 Bucket 

Amazon Simple Storage Service (S3) requires no introduction. It is a flexible solution for storing various types of data, serving multiple purposes, one of which is uploading and retrieving media for end users.

 

For example, when a user uploads a profile picture, the JPG or PNG file is stored in and retrieved from an S3 bucket instead of the server. If an attacker uploads a file with a backend language extension, such as .php or .py, it may seem like no big deal since S3 buckets serve files and media as static content. Code execution is not possible because there is no server to run it; the file will simply be served as-is to the browser (keep this in mind).

 

However, the real question arises: If a file is served as-is in the browser, what happens if we upload frontend language code with a specific content type? And what if, upon retrieval, it is served to the browser?

 

The Innocent Browser

Browsers are designed to render front-end languages. Any HTML, CSS, or JavaScript code will be parsed and executed by the browser, regardless of where it originates, whether it's from the backend server you're interacting with or elsewhere. This is how client-side injection works, where an attacker injects malicious code into the application's front-end code, causing harmful actions on the client side.

 

The responsibility for security checks lies on the server side to prevent anyone from injecting code that could be interpreted as front-end code or any other type of executable code. Browsers are not involved in these types of security checks because they operate on the client side and their job is simply to parse and execute specific languages. However, in the current scenario, any front-end language code will be executed by the browser.

 

[Screenshot: Request]

Figure: The HTML code has been executed, and the legitimate domain name is displayed at the top.
 

Exploitation


In the current scenario, malicious code is uploaded to the S3 bucket, and upon retrieval, the code is executed on the client side, all while appearing under a legitimate domain name. We can design a phishing page that mimics the application and spread the URL, such as:

[Screenshots: Request and Response]

 

Attackers can exploit this in various scenarios, but here are the top concerns:

 

Phishing Users

Since the domain name is legitimate, an attacker can set up a phishing page that offers a massive discount, prompting users to enter their credit card information or login credentials. The page may redirect to an external site, followed by an alert. Any theme can be customized to lure users, depending on the business logic of the application.

 

Malware distribution

There are no checks on the type of file that can be uploaded, allowing an attacker to easily upload malware to the S3 bucket. Although this doesn't directly affect the bucket itself, the attacker can use phishing techniques, as discussed earlier in the "Phishing Users" section, to convince victims to download and install the malicious file. Hosted on the trusted S3 bucket, the file appears to come from a legitimate source, increasing the likelihood that it will be trusted by the victim.

 

Remediation

All data uploaded from the client side must be thoroughly validated. Based on business requirements, review the files and documents to establish a whitelist of allowed extensions and content types. Any file that does not match the whitelist criteria should be rejected.
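
One way to implement the whitelist check described above, as an added example that is not code from the original post: the extension, the declared content type and the file's leading bytes must all agree, and the object is then stored under a server-chosen key and content type, so neither the PHP file from the background section nor an HTML page is accepted. The allowlist contents, the `uploads/` prefix and the function names are assumptions; the returned dictionary keys mirror the `Key`, `ContentType` and `ContentDisposition` parameters of an S3 object upload.

```python
import os
import uuid

# Assumed allowlist for a profile-picture feature: extension -> (content type, magic bytes)
ALLOWED = {
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
}

class UploadRejected(ValueError):
    """Raised when an upload fails any allowlist check."""

def validate_upload(filename, declared_type, data):
    """Return the parameters to store the object with, or raise UploadRejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    content_type, magics = ALLOWED[ext]
    # Ignore parameters such as "; charset=utf-8" on the client's header.
    if declared_type.split(";")[0].strip().lower() != content_type:
        raise UploadRejected("content type does not match extension")
    # Neither the name nor the header is trusted alone: the bytes must agree.
    if not data.startswith(magics):
        raise UploadRejected("file content does not match extension")
    return {
        # Server-generated key: the client's filename never reaches the bucket.
        "Key": "uploads/" + uuid.uuid4().hex + ext,
        # Stored type comes from the allowlist, not from the request.
        "ContentType": content_type,
        # A direct link to the object downloads instead of rendering.
        "ContentDisposition": "attachment",
    }

def rejection_reason(filename, declared_type, data):
    """Return None if the upload is accepted, otherwise the reason as text."""
    try:
        validate_upload(filename, declared_type, data)
    except UploadRejected as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)       # constructed sample bytes
    page = b"<html><body>login</body></html>"     # constructed sample bytes
    for args in [("avatar.png", "image/png", png), ("offer.html", "text/html", page),
                 ("shell.php", "image/png", png), ("avatar.png", "image/png", page)]:
        print(args[0], args[1], "->", rejection_reason(*args) or "accepted")
```
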

 

Conclusion

As we've explored, file upload vulnerabilities can be a serious security risk, even when the files are hosted on seemingly secure platforms like Amazon S3. Attackers can exploit weak security measures to upload malicious files, which can then be used for phishing or malware distribution. While S3's static content delivery may seem harmless at first glance, the ability for browsers to execute certain types of code on the client side opens the door for exploitation. To mitigate these risks, businesses must implement strong validation and cybersecurity solutions on all uploaded content. Only by proactively addressing these vulnerabilities can we ensure that our applications remain safe from exploitation and our users' data stays secure.

Ameer Hamza

I am an offensive security professional specialized in attacking and defending network infrastructure, vulnerability assessment and penetration testing of mobile, web & desktop applications. In my spare time, I research on reverse engineering binaries, custom shellcode writing & exploit development.
