Share via


Browser Security: Why you can’t get the file that the user doesn’t want you to get?

In the year 1995, there were eight options for the “type” attribute of the “input” element. These were “CHECKBOX”, “RADIO”, “HIDDEN”, “TEXT”, “PASSWORD”, “IMAGE”, “RESET” AND “SUBMIT”. The “FILE” option was added later on to the HTML DTD (Document type definition) to allow for users to upload files to the web server. Internet Explorer 3.02 and 4.0 released in 1997 had support for this option. Before web browsers started supporting this option, custom applications had to be built only to support the feature of uploading files.

When the “<input type=file/>” element (file upload element) is used to upload files from the client to the web server, the name of the file that gets uploaded is in the “value” attribute of this element. Internally, the browser opens the file (specified in the “value” attribute), reads it, and sends its contents as a POST request.

Can you think of a possible security flaw here? What if the creator of the website could set the “value” attribute of this element, hide the element and submit the form immediately after loading? A file from the user’s machine would be uploaded to the server without the user’s knowledge. Consider this

<html>

    <body onload="window.document.forms.form1.submit();">

        <form name="form1" method="post" action="upload.aspx" id="form1" enctype="multipart/form-data">

            <input type="file" value=”c:\Users\UserName(NeedToKnow)\AppData\Local\Microsoft\Outlook\outlook.ost” style=”visibility:hidden”/>

        </form>

    </body>

</html>

As it turns out, the value attribute is read-only. It can’t be set by JavaScript or by a default value. Only the browser can set the “value” attribute, either after showing the file select dialogue or as the user enters text in the file upload element’s text area. As a result, the user is well aware of which file is being sent to the server.

This is also the reason that it is difficult to change the style of the file upload element. You cannot create a custom textbox and a custom browse button, use them to get the user to select a file, and set the file name in the “value” attribute of the file upload element.

References:-

[1]https://www.ietf.org/rfc/rfc1867.txt

[2]https://www.microsoft.com/technet/security/bulletin/MS00-093.mspx

Comments