Sunday 3:10 p.m.–3:50 p.m.

The dangerous, exquisite art of safely handing user-uploaded files

Tom Eastman

Audience level:
Intermediate

Description

"Come On, What Harm Can a User Profile Photo Do?" The most dangerous thing you can do with your web application is allow people to upload files to it; not even the best web frameworks can fully protect you from the range of damage that can be done. I'll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from -- hopefully -- most of them.

Abstract

Every web application has an attack surface -- the exposed points of interaction where a malicious or mischievous user can commit malice, or mischief (respectively). Possibly nowhere, however, is more vulnerable than places a user is allowed to upload arbitrary files.

The scope for abuse is eye-widening: the contents of the file, the type of the file, the size and encoding of the file, even the name of the file can be a potent vector for attacking your system.

The scariest part? Even the best and most secure web frameworks (yes, I'm talking about Django) can't protect you from all of it.

In this talk, I'll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from -- hopefully -- most of them.
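The four vectors the abstract names (name, type, size, contents) as an added defensive example, not code from the talk or from Django: a validator that caps size, identifies the type from the file's leading bytes rather than its name or declared Content-Type, and replaces the client's filename with a server-chosen one. The allowed-type table, the 2 MiB cap and the token format are assumptions for the example.

```python
import os
import re

MAX_BYTES = 2 * 1024 * 1024  # assumed cap for a profile photo
# Allowed types and the extension the server will force (assumed policy)
ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
# Leading bytes ("magic numbers") for the allowed formats
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]


def sniff_type(data: bytes):
    """Decide the type from the bytes themselves, never from name or headers."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def safe_name(user_name: str, mime: str, token: str) -> str:
    """Discard directory parts, whitelist characters, force the sniffed extension."""
    base = os.path.basename(user_name.replace("\\", "/"))
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", os.path.splitext(base)[0])[:40] or "upload"
    return f"{stem}-{token}{ALLOWED[mime]}"


def validate_upload(filename: str, declared_type: str, data: bytes, token: str = "0001"):
    """Return (ok, stored_name_or_reason); checks size, contents, then type agreement."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "too large"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not an allowed image type"
    if declared_type != sniffed:
        # The client's Content-Type disagrees with the bytes; reject rather than guess
        return False, "declared type does not match content"
    return True, safe_name(filename, sniffed, token)
```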