Imperva Cyber Community

Expand all | Collapse all

multipart/form-data : protection against malicious file upload

Jump to Best Answer
  • 1.  multipart/form-data : protection against malicious file upload

    Posted 12-08-2020 08:47

    Dear Community members,

    We recently had a pentest on an on-premise hosted & containerized webapp, which is protected by an On-Premsie WAF.

    The pentester was able to upload an EICAR test file through the webform (multipart/form-data). After reviewing the WAF alerts filtered on this webapp, I can't find it. Therefore I assume either there isn't any signature on the WAF related to the EICAR pattern, or it's not included in different policies applied on this webapp.

    From this introduction :
    - is there an existing Imperva ADC object or policy related to EICAR ?
    - beyond EICAR test file itself, is it the good approach to rely on the WAF to prevent all malicious files to be sent by the webform ? If it is, how can I be sure that I'm applying the right policies for this scenario ?

    Thank you in advance for your help,


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Ugo Schoellkopf
    Amer Sports
    ------------------------------


  • 2.  RE: multipart/form-data : protection against malicious file upload
    Best Answer

    Imperva Employee
    Posted 12-10-2020 16:31
    Ugo,

    If you are referring to the EICAR AntiMalware Testfile ( https://www.eicar.org/?page_id=3950 ), that is an entirely different use case.  Imperva doesn't check for that because it doesn't look for other file based viruses in the stream either.  You could conceivably write a policy for it, but it would only work for the test string (it would help you with pen testing results, but not real security :).

    If you are accepting file uploads, you should scan them separately.  I have heard some people might use ICAP through a router with their AV server, but most will just have a "file DMZ" with their standard AV running in auto-protect mode on a particular share.

    If you have a pen tester that just pasted the string into a field on a web page, I would look into new pen testers.  That isn't what the string is meant for  (see the link above).

    Jim

    ------------------------------
    Jim Burtoft
    Imperva
    PA
    ------------------------------