File upload XSS (Java applet)
Description
The application accepts file uploads without adequately restricting file types, so an attacker can upload Java applet code (a .class or .jar file). The Java plugin treats an applet as belonging to the origin it is loaded from, so when a victim's browser loads the uploaded applet from the application's domain it runs with that domain as its codebase: the sandbox still lets it open connections back to the host it came from, so it can act against the victim's session on the application, and on plugin versions that ran unsigned applets without prompting no security warning is shown. Because the attacker can embed the applet from any external page by pointing an <applet> or <object> tag at the upload's URL on the trusted domain, the effect is equivalent to a stored cross-site scripting (XSS) vulnerability even though no HTML or JavaScript is involved. Note that the Java browser plugin was deprecated in JDK 9, removed in JDK 11 and is not supported by current browsers, so this is directly exploitable only against users with a legacy plugin; the underlying weakness, accepting arbitrary executable content and serving it from the application's origin, still needs to be fixed.
Remediation
Implement comprehensive file upload security controls to prevent malicious file uploads:
1. File Type Validation (Whitelist Approach):
Only allow explicitly approved file types using a whitelist; anything not on the list (including .class and .jar) is rejected. Validate both the file extension and the declared MIME type, and compare them case-insensitively:
// Example: Java/Spring validation
// isAllowedExtension / isAllowedMimeType are the application's own helpers:
// case-insensitive membership checks against the two whitelists below.
String[] allowedExtensions = {".jpg", ".png", ".pdf"};
String[] allowedMimeTypes = {"image/jpeg", "image/png", "application/pdf"};
if (!isAllowedExtension(filename, allowedExtensions) ||
        !isAllowedMimeType(contentType, allowedMimeTypes)) {
    throw new InvalidFileTypeException();
}
2. Content Verification:
Verify that the actual file content matches the declared type by checking its magic number (the fixed leading bytes of the format), not just the extension or the client-supplied Content-Type, both of which the attacker controls. A .jar is a ZIP archive and starts with the bytes "PK", so a JAR renamed to .png fails this check.
3. File Extension Hardening:
• Reject double extensions (e.g., file.jar.png): require exactly one dot in the name
• Reject dotfiles and server configuration filenames (e.g., .htaccess, web.config)
• Strip any client-supplied path and normalize the filename (Unicode normalization, URL decoding) before validation to prevent encoding bypasses
4. Storage Security:
• Store uploaded files outside the web root directory
• If files must be web-accessible, serve them from a separate domain or subdomain so that user content never shares the application's origin or session cookies (this is what removes the applet's ability to act as the trusted domain)
• Configure the upload directory with non-executable permissions
• Serve downloads with Content-Disposition: attachment and X-Content-Type-Options: nosniff so browsers download rather than render or sniff the content
5. File Renaming:
Rename uploaded files using randomly generated names to prevent guessable direct access and extension-based execution; keep the original name, if needed, only in a database record, never on disk:
// Example: Generate safe filename
// The UUID contains no attacker-controlled bytes and the neutral .dat extension
// stops the server from mapping the file to an executable or plugin handler.
String safeFilename = UUID.randomUUID().toString() + ".dat";
String storagePath = "/secure/uploads/" + safeFilename;
6. Additional Controls:
• Implement file size limits, enforced on the bytes actually received rather than a declared length
• Scan uploaded files with antivirus software
• Set a Content-Security-Policy header with object-src 'none' on the application's own pages; this blocks applets and other plugin content embedded in those pages, but it does not stop an attacker's external page from embedding the uploaded file, so it is defense in depth rather than a fix
• Log all upload attempts, including rejected ones, for security monitoring
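The following is an added example, not code from this page or from any product it describes, that implements controls 1 to 5 above (and the size limit from control 6) as one Java class: a whitelist of extensions and MIME types, a magic-number check on the actual bytes, filename hardening (path stripping, NFKC normalization, rejection of dotfiles and double extensions), a byte-counted size limit, and storage under a random UUID name with a neutral extension in a directory outside the web root. The storage root /var/app/uploads, the class and method names and the inputs in main are assumptions for illustration; the demo writes to a temporary directory and needs Java 11 or later.

```java
import java.io.*;
import java.nio.file.*;
import java.text.Normalizer;
import java.util.*;

/** Added example, not the page's own code: whitelist, magic-number, filename and rename controls for one upload. */
public final class SafeUploadHandler {
    /** Hypothetical storage root outside the web root (assumption); the demo below overrides it with a temp dir. */
    static Path storageRoot = Paths.get(System.getProperty("upload.root", "/var/app/uploads"));
    static final long MAX_BYTES = 5L * 1024 * 1024;

    /** Whitelist: extension -> accepted MIME types. .class and .jar are simply absent, so they are rejected. */
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "jpg", Set.of("image/jpeg"), "jpeg", Set.of("image/jpeg"),
            "png", Set.of("image/png"), "pdf", Set.of("application/pdf"));

    /** Leading bytes each whitelisted type must start with (its magic number). */
    private static final Map<String, byte[]> MAGIC = Map.of(
            "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
            "pdf", new byte[] {'%', 'P', 'D', 'F', '-'});

    public static final class InvalidFileTypeException extends Exception {
        InvalidFileTypeException(String msg) { super(msg); }
    }

    /** Filename hardening: strip paths, normalize Unicode, reject dotfiles, double extensions and unknown extensions. */
    static String validateName(String originalName) throws InvalidFileTypeException {
        if (originalName == null) throw new InvalidFileTypeException("missing filename");
        String name = Normalizer.normalize(originalName, Normalizer.Form.NFKC);
        name = name.substring(Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\')) + 1);
        String[] parts = name.split("\\.", -1);          // "shell.jar.png" -> 3 parts -> rejected
        if (name.startsWith(".") || parts.length != 2 || parts[0].isEmpty()
                || name.chars().anyMatch(c -> c < 0x20)) {
            throw new InvalidFileTypeException("rejected filename: " + originalName);
        }
        String ext = parts[1].toLowerCase(Locale.ROOT);
        if (!ALLOWED.containsKey(ext)) throw new InvalidFileTypeException("extension not allowed: " + ext);
        return ext;
    }

    /** Content verification: declared MIME must match the extension, and the bytes must match the type's magic number. */
    static void validateContent(String ext, String contentType, byte[] head) throws InvalidFileTypeException {
        String mime = contentType == null ? "" : contentType.split(";")[0].trim().toLowerCase(Locale.ROOT);
        if (!ALLOWED.get(ext).contains(mime)) throw new InvalidFileTypeException("MIME type not allowed: " + mime);
        byte[] magic = MAGIC.get(ext);
        if (head.length < magic.length || !Arrays.equals(Arrays.copyOf(head, magic.length), magic)) {
            throw new InvalidFileTypeException("content does not match declared type ." + ext);
        }
    }

    /** Validates the upload, then stores it under a random name with a neutral extension; returns that name. */
    public static String store(String originalName, String contentType, InputStream body)
            throws IOException, InvalidFileTypeException {
        String ext = validateName(originalName);
        InputStream in = body.markSupported() ? body : new BufferedInputStream(body);
        in.mark(16);
        byte[] head = in.readNBytes(16);                 // peek at the magic bytes, then rewind
        in.reset();
        validateContent(ext, contentType, head);
        Path target = storageRoot.resolve(UUID.randomUUID() + ".dat");   // no attacker-controlled bytes reach the path
        long total = 0;
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                total += n;
                if (total > MAX_BYTES) break;            // limit enforced on bytes actually received
                out.write(buf, 0, n);
            }
        }
        if (total > MAX_BYTES) {
            Files.deleteIfExists(target);
            throw new InvalidFileTypeException("file too large");
        }
        return target.getFileName().toString();
    }

    /** Demo on constructed inputs: a PNG header, a JAR (ZIP magic "PK\3\4") renamed to .png, and two bad filenames. */
    public static void main(String[] args) throws Exception {
        storageRoot = Files.createTempDirectory("uploads");
        byte[] png = Arrays.copyOf(MAGIC.get("png"), 32);
        byte[] jar = Arrays.copyOf(new byte[] {'P', 'K', 3, 4}, 32);
        String[][] cases = {{"photo.png", "image/png"}, {"shell.jar.png", "image/png"},
                {"shell.png", "image/png"}, {".htaccess", "text/plain"}};
        byte[][] bodies = {png, png, jar, png};
        for (int i = 0; i < cases.length; i++) {
            try {
                System.out.println(cases[i][0] + " -> stored as "
                        + store(cases[i][0], cases[i][1], new ByteArrayInputStream(bodies[i])));
            } catch (InvalidFileTypeException e) {
                System.out.println(cases[i][0] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Of the four demo inputs only photo.png is stored; shell.jar.png fails the single-extension rule, shell.png fails the magic-number check because its bytes are a ZIP/JAR header, and .htaccess is rejected as a dotfile. The checks run in order name, MIME, magic, size, so the cheap rejections happen before any bytes are written, and the stored name never contains anything the client sent.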