Bringing UFUs Back into the Air With FUEL: A Framework for Evaluating the Effectiveness of Unrestricted File Upload Vulnerability Scanners
Sebastian Neef, Maath Oudeh

TL;DR
This paper introduces FUEL, a comprehensive framework for evaluating UFU vulnerability scanners, demonstrating that current tools miss many vulnerabilities and that the authors' own tool, Fuxploider-NG, significantly improves detection accuracy.
Contribution
The paper presents FUEL, a reproducible testing framework for UFU scanners, and introduces Fuxploider-NG, an improved scanner that surpasses existing tools in detection accuracy.
Findings
Existing UFU scanners miss many vulnerabilities.
Fuxploider-NG achieves over 90% detection accuracy.
FUEL enables reproducible evaluation of UFU scanners.
Abstract
Unrestricted file upload (UFU) is a class of web security vulnerabilities that can have a severe impact on web applications if uploaded files are not sufficiently validated or securely handled. A review of related work shows an increased interest in finding new methods to discover such vulnerabilities. However, each publication evaluates its new vulnerability scanner against a different set of artificial or real-world applications available at the time of writing. Thus, we identify the need for a comprehensive testing framework to allow a reproducible comparison between existing and future UFU vulnerability scanners. Our contributions include the File Upload Exploitation Lab (FUEL), which models 15 distinct UFU vulnerabilities in isolated scenarios to enable a reproducible evaluation of UFU scanners' capabilities. The results of evaluating four black-box UFU scanners against FUEL show…
Taxonomy
Topics: Cloud Data Security Solutions · Cloud Computing and Resource Management · Advanced Data Storage Technologies
