“Arbisoft is an integral part of our team and we probably wouldn't be here today without them. Some of their team has worked with us for 5-8 years and we've built a trusted business relationship. We share successes together.”
“They delivered a high-quality product and their customer service was excellent. We’ve had other teams approach us, asking to use it for their own projects”.
“Arbisoft has been a valued partner to edX since 2013. We work with their engineers day in and day out to advance the Open edX platform and support our learners across the world.”
81.8% NPS78% of our clients believe that Arbisoft is better than most other providers they have worked with.
Arbisoft is your one-stop shop when it comes to your eLearning needs. Our Ed-tech services are designed to improve the learning experience and simplify educational operations.
“Arbisoft has been a valued partner to edX since 2013. We work with their engineers day in and day out to advance the Open edX platform and support our learners across the world.”
Get cutting-edge travel tech solutions that cater to your users’ every need. We have been employing the latest technology to build custom travel solutions for our clients since 2007.
“Arbisoft has been my most trusted technology partner for now over 15 years. Arbisoft has very unique methods of recruiting and training, and the results demonstrate that. They have great teams, great positive attitudes and great communication.”
As a long-time contributor to the healthcare industry, we have been at the forefront of developing custom healthcare technology solutions that have benefitted millions.
I wanted to tell you how much I appreciate the work you and your team have been doing of all the overseas teams I've worked with, yours is the most communicative, most responsive and most talented.
We take pride in meeting the most complex needs of our clients and developing stellar fintech solutions that deliver the greatest value in every aspect.
“Arbisoft is an integral part of our team and we probably wouldn't be here today without them. Some of their team has worked with us for 5-8 years and we've built a trusted business relationship. We share successes together.”
Unlock innovative solutions for your e-commerce business with Arbisoft’s seasoned workforce. Reach out to us with your needs and let’s get to work!
The development team at Arbisoft is very skilled and proactive. They communicate well, raise concerns when they think a development approach wont work and go out of their way to ensure client needs are met.
Arbisoft is a holistic technology partner, adept at tailoring solutions that cater to business needs across industries. Partner with us to go from conception to completion!
“The app has generated significant revenue and received industry awards, which is attributed to Arbisoft’s work. Team members are proactive, collaborative, and responsive”.
“Arbisoft partnered with Travelliance (TVA) to develop Accounting, Reporting, & Operations solutions. We helped cut downtime to zero, providing 24/7 support, and making sure their database of 7 million users functions smoothly.”
“I couldn’t be more pleased with the Arbisoft team. Their engineering product is top-notch, as is their client relations and account management. From the beginning, they felt like members of our own team—true partners rather than vendors.”
Arbisoft was an invaluable partner in developing TripScanner, as they served as my outsourced website and software development team. Arbisoft did an incredible job, building TripScanner end-to-end, and completing the project on time and within budget at a fraction of the cost of a US-based developer.
File upload vulnerabilities have existed since the early days of web applications. Due to the absence of robust security mechanisms, these flaws were introduced and remained unnoticed for years. These vulnerabilities often existed in plain sight until someone discovered and exploited them, deploying a backdoor and continuously accessing the system through it for a long time.
In a typical flow, a user uploads an image or file to a website, which gets stored on the server. When accessed, the file is retrieved from the server. However, weak security mechanisms allow attackers to upload malicious files to the server. At first glance, this may not seem like an issue, but a security researcher is always ahead of the curve.
In fact, if developers learn to code with broad and in-depth knowledge, they start identifying security issues independently. An in-depth understanding of any system often triggers critical questions like, "What if I do this?" or "What if I switch it with another value?" These questions can expose unintended behaviors in the system's functionality, potentially confirming the presence of vulnerabilities. Follow-up research may lead to critical exploits or reveal less severe bugs. In simple terms, only by deeply understanding how something is built can you figure out how to break it.
On the other hand, security novices who jump straight into attacking systems without understanding how they work are often called "script kiddies." These individuals typically rely on exploits created by experts rather than uncovering vulnerabilities themselves.
The rapid advancement of technology has introduced new elements into the equation, such as the S3 bucket. In this blog, we will explore how unrestricted file uploads on S3 buckets can be abused.
Background of File Uploads
Conventional file uploads are stored on the server in one of the folders within the web root. The web root is executable by default. Let’s suppose our application is written in PHP and has a folder called upload where all uploaded media is stored. If an attacker uploads a file containing malicious code with a .php extension, wouldn’t it appear similar to other legitimate PHP files? And upon retrieval, wouldn’t the code be executed? Let’s explore this further below:
A functionality to upload image files with weak security checks in place. [Security checks, validation, and bypasses are beyond the scope of this blog.] The following one-liner code will be placed in the file to be uploaded
<?php echo "Shell";system($_GET['cmd']); ?>
The malicious code has been uploaded; let's break it down.
<?php ?> → syntax of the beginning of php echo “ shell ”; →will simply print the word Shell when we retrieve the page System() → System is a function that takes OS commands and executes them $GET[ ‘cmd’ ] →$GET is HTTP get variable which defines the URL parameter and ‘cmd’ is the name parameter
Assume that example.com/file.php?cmd =id. Our malicious code will take a URL parameter and pass its value to the system function, and the result will be displayed on the web page.
The file is successfully uploaded on the server. “echo Shell” is displayed on the webpage when the file is being retrieved.
The file is successfully uploaded on the server. “echo Shell” is executed and displayed on the webpage when the file is being retrieved.
Webshell: The id command is passed into the URL parameter and the result is displayed on the webpage. Now we can execute shell commands on the web, hence the name WebShell
There are security defenses in place that can be bypassed and there are ultimate secure defenses as well but that is the topic for another day. This is remote code execution via file upload, infects the server side which can be elevated to compromise the server and it is critical.
The question arises: If an end user's file is being stored on an S3 bucket instead of the backend server, the server will be oblivious to this particular attack. But is there still a vulnerability if the application has no checks in place for uploading? Perhaps a different attack vector and impact?
The Intervention of S3 Bucket
Amazon Simple Storage Service (S3) requires no introduction. It is a flexible solution for storing various types of data, serving multiple purposes, one of which is uploading and retrieving media for end users.
For example, when a user uploads a profile picture, the JPG or PNG file is stored in and retrieved from an S3 bucket instead of the server. If an attacker uploads a file with a backend language extension, such as .php or .py, it may seem like no big deal since S3 buckets serve files and media as static content. This means that code execution is not possible due to the absence of a server, the file will simply be served as it is in the browser (keep this in mind).
However, the real question arises: If a file is served as-is in the browser, what happens if we upload frontend language code with a specific content type? And what if, upon retrieval, it is served to the browser?
The Innocent Browser
Browsers are designed to render front-end languages. Any HTML, CSS, or JavaScript code will be parsed and executed by the browser, regardless of where it originates, whether it's from the backend server you're interacting with or elsewhere. This is how client-side injection works, where an attacker injects malicious code into the application's front-end code, causing harmful actions on the client side.
The responsibility for security checks lies on the server side to prevent anyone from injecting code that could be interpreted as front-end code or any other type of executable code. Browsers are not involved in these types of security checks because they operate on the client side and their job is simply to parse and execute specific languages. However, in the current scenario, any front-end language code will be executed by the browser.
Request
The HTML code has been executed, and the legitimate domain name is displayed at the top
Exploitation
In the current scenario, malicious code is uploaded to the S3 bucket, and upon retrieval, the code is executed on the client side, all while appearing under a legitimate domain name. We can design a phishing page that mimics the application and spread the URL, such as:
Response
Attackers can exploit this in various scenarios, but here are the top concerns:
Phishing Users
Since the domain name is legitimate, an attacker can set up a phishing page that offers a massive discount, prompting users to enter their credit card information or login credentials. The page may redirect to an external site, followed by an alert. Any theme can be customized to lure users, depending on the business logic of the application.
Malware distribution
There are no checks on the type of file that can be uploaded, allowing an attacker to easily upload malware to the S3 bucket. Although this doesn't directly affect the bucket itself, the attacker can use phishing techniques, as discussed earlier in the "Phishing Users" section, to convince victims to download and install the malicious file. Hosted on the trusted S3 bucket, the file appears to come from a legitimate source, increasing the likelihood that it will be trusted by the victim.
Remediation
All data uploaded from the client side must be thoroughly validated. Based on business requirements, review the files and documents to establish a whitelist of allowed extensions and content types. Any file that does not match the whitelist criteria should be rejected.
Conclusion
As we've explored, file upload vulnerabilities can be a serious security risk, even when the files are hosted on seemingly secure platforms like Amazon S3. Attackers can exploit weak security measures to upload malicious files, which can then be used for phishing or malware distribution. While S3's static content delivery may seem harmless at first glance, the ability for browsers to execute certain types of code on the client side opens the door for exploitation. To mitigate these risks, businesses must implement strong validation and security checks on all uploaded content. Only by proactively addressing these vulnerabilities can we ensure that our applications remain safe from exploitation and our users' data stays secure.
I am an offensive security professional specialized in attacking and defending network infrastructure, vulnerability assessment and penetration testing of mobile, web & desktop applications. In my spare time, I research on reverse engineering binaries, custom shellcode writing & exploit development.