\n\n
HTTP multipart, specifically multipart/form-data, is a media type that allows the encoding of information as a series of parts in a single message. This was introcuded way back in 1998 as RFC 2388. It is commonly used for forms that are expressed in HTML and where the form values are sent via HTTP. However, it can also be used for forms that are presented using representations other than HTML (like spreadsheets, Portable Document Format, etc), and for transport using other means than HTTP.
\n
In breif, this is how it works:
\n
\n- In forms, there are a series of fields to be supplied by the user who fills out the form. Each field has a name. Within a given form, the names are unique.
\nmultipart/form-data contains a series of parts. Each part is expected to contain a content-disposition header where the disposition type is form-data, and where the disposition contains an (additional) parameter of name, where the value of that parameter is the original field name in the form.- Each part has an optional
Content-Type, which defaults to text/plain. If the contents of a file are returned via filling out a form, then the file input is identified as the appropriate media type, if known, or application/octet-stream. \n- If multiple files are to be returned as the result of a single form entry, they should be represented as a
multipart/mixed part embedded within the multipart/form-data. \n- Each part may be encoded and the
content-transfer-encoding header supplied if the value of that part does not conform to the default encoding. \n
\n
Below is an example of an HTTP Multipart Request and Response sequence. In this example, the Content-Type header specifies that the body of the request is multipart/form-data and provides a boundary string that is used to separate the different parts of the message. The body of the request contains two parts: one named \"text\" with the value \"Hello World\", and one named \"file\" with the filename \"example.txt\" and the content \"This is the content of the file example.txt.\".
\n
POST /upload HTTP/1.1\nHost: example.com\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Length: 343\n\n------WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Disposition: form-data; name=\"text\"\n\nHello World\n------WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Disposition: form-data; name=\"file\"; filename=\"example.txt\"\nContent-Type: text/plain\n\nThis is the content of the file example.txt.\n------WebKitFormBoundary7MA4YWxkTrZu0gW--\n
\n
Here's an example of a possible HTTP response to this request:
\n
HTTP/1.1 200 OK\nDate: Tue, 14 Jun 2023 12:00:00 GMT\nContent-Type: application/json\nContent-Length: 30\n\n{\n \"status\": \"upload successful\"\n}\n
\n
In this example, the server responds with a status code of 200 (OK) and a JSON body indicating that the upload was successful. The Content-Type header in the response specifies that the body of the response is JSON.
\n
In relation to multipart, MIME types are used to specify the data type of each part in a multipart/form-data message. Each part in a multipart message can have a different MIME type. For example, one part could be plain text (text/plain), while another part could be a JPEG image (image/jpeg). This allows a single HTTP request to contain different types of data.
\n
When sending large binary data or files, using multipart can be more efficient than other methods. This is because the data doesn't need to be encoded and decoded as it would if you were using a method like JSON. Multipart is a well-established standard and is supported by virtually all modern web browsers and web servers.
\n\n
\n
\n
\n
\n
\n
\n
As with any data input, multipart data can be a vector for attacks if not handled properly. For instance, an attacker might attempt to exploit the system by sending maliciously crafted multipart data. This could include things like sending overly large files, or files that contain malicious code. Therefore, it's important to validate and sanitize all incoming data, limit the size of incoming files, and handle all data in a secure manner to prevent potential security issues.
\n
Here's an example of a maliciously crafted HTTP multipart request. In this case, the attacker is attempting to perform a Path Traversal attack by providing a filename that includes directory traversal sequences.
\n
\n
\n
\n
\n
\n
\n
POST /upload HTTP/1.1\nHost: example.com\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Length: 343\n\n------WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Disposition: form-data; name=\"file\"; filename=\"../../etc/passwd\"\nContent-Type: text/plain\n\nMalicious content here.\n------WebKitFormBoundary7MA4YWxkTrZu0gW--\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
In this example, the attacker is trying to overwrite the /etc/passwd file, which is a critical system file on Unix-like operating systems.
\n
To mitigate such an attack, you can use an F5 iRule to inspect the filename in the Content-Disposition header of each part in a multipart request and reject the request if the filename contains a directory traversal sequence. Here's an example of what that iRule might look like:
\n
when HTTP_REQUEST {\n if { [HTTP::header exists \"Content-Type\"] } {\n set content_type [HTTP::header \"Content-Type\"]\n if { [string tolower $content_type] starts_with \"multipart/form-data\" } {\n HTTP::collect\n }\n }\n}\n\nwhen HTTP_REQUEST_DATA {\n set data [HTTP::payload]\n if { $data contains \"filename=\\\"../\" } {\n HTTP::respond 400 content \"Invalid filename\"\n } else {\n HTTP::release\n }\n}\n
\n
This iRule works by collecting the body of the request if the Content-Type header indicates that it is a multipart request. When the body of the request is available, it checks if the body contains the string filename=\"../. If it does, it responds with a 400 Bad Request error. Otherwise, it allows the request to proceed.
\n\n\n
\n
\n\n\n| Bad multipart/form-data request parsing | \nWhen the content type of a request header contains the Multipart/form-data substring, the system checks whether each multipart request chunk contains a Content-Disposition header containing a name value and corresponding parameter key value. For example: name=\"parameter_key\". If the Content-Disposition header does not contain the required parameters, a violation is issued.\n Note: Content-Disposition is not covered under HTTP Standard RFC 2616, but is instead covered separately under RFC 2183 - Communicating Presentation Information in Internet Messages: The Content-Disposition Header Field. \n | \n
\n\n| Bad multipart parameters parsing | \nThe system examines the requests to verify that the Content-Disposition header matches the format: name=\"param_key\";\\r\\n.\n The system also checks that the following is true:
* A boundary follows immediately after the request headers.
* The parameter value matches the format: ‘name=\"param_key\";\\r\\n.
* A chunked body contains at least one CRLF.
* A chunked body ends with CRLF.
If one of these is false, a violation is issued. \n | \n
\n\n
\n\n
\n
\n
\n
\n
\n
\n
\n
\n
Overview
\n
HTTP multipart, specifically multipart/form-data, is a media type that allows the encoding of information as a series of parts in a single message. This was introcuded way back in 1998 as RFC 2388. It is commonly used for forms that are expressed in HTML and where the form values are sent via HTTP. However, it can also be used for forms that are presented using representations other than HTML (like spreadsheets, Portable Document Format, etc), and for transport using other means than HTTP.
\n
In breif, this is how it works:
\n
\n- In forms, there are a series of fields to be supplied by the user who fills out the form. Each field has a name. Within a given form, the names are unique.
\nmultipart/form-data contains a series of parts. Each part is expected to contain a content-disposition header where the disposition type is form-data, and where the disposition contains an (additional) parameter of name, where the value of that parameter is the original field name in the form.- Each part has an optional
Content-Type, which defaults to text/plain. If the contents of a file are returned via filling out a form, then the file input is identified as the appropriate media type, if known, or application/octet-stream. \n- If multiple files are to be returned as the result of a single form entry, they should be represented as a
multipart/mixed part embedded within the multipart/form-data. \n- Each part may be encoded and the
content-transfer-encoding header supplied if the value of that part does not conform to the default encoding. \n
\n
Below is an example of an HTTP Multipart Request and Response sequence. In this example, the Content-Type header specifies that the body of the request is multipart/form-data and provides a boundary string that is used to separate the different parts of the message. The body of the request contains two parts: one named \"text\" with the value \"Hello World\", and one named \"file\" with the filename \"example.txt\" and the content \"This is the content of the file example.txt.\".
\n
POST /upload HTTP/1.1\nHost: example.com\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Length: 343\n\n------WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Disposition: form-data; name=\"text\"\n\nHello World\n------WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Disposition: form-data; name=\"file\"; filename=\"example.txt\"\nContent-Type: text/plain\n\nThis is the content of the file example.txt.\n------WebKitFormBoundary7MA4YWxkTrZu0gW--\n\n
Here's an example of a possible HTTP response to this request:
\n
HTTP/1.1 200 OK\nDate: Tue, 14 Jun 2023 12:00:00 GMT\nContent-Type: application/json\nContent-Length: 30\n\n{\n \"status\": \"upload successful\"\n}\n\n
In this example, the server responds with a status code of 200 (OK) and a JSON body indicating that the upload was successful. The Content-Type header in the response specifies that the body of the response is JSON.
\n
In relation to multipart, MIME types are used to specify the data type of each part in a multipart/form-data message. Each part in a multipart message can have a different MIME type. For example, one part could be plain text (text/plain), while another part could be a JPEG image (image/jpeg). This allows a single HTTP request to contain different types of data.
\n
When sending large binary data or files, using multipart can be more efficient than other methods. This is because the data doesn't need to be encoded and decoded as it would if you were using a method like JSON. Multipart is a well-established standard and is supported by virtually all modern web browsers and web servers.
\n
Security Implications
\n
\n
\n
\n
\n
\n
\n
As with any data input, multipart data can be a vector for attacks if not handled properly. For instance, an attacker might attempt to exploit the system by sending maliciously crafted multipart data. This could include things like sending overly large files, or files that contain malicious code. Therefore, it's important to validate and sanitize all incoming data, limit the size of incoming files, and handle all data in a secure manner to prevent potential security issues.
\n
Here's an example of a maliciously crafted HTTP multipart request. In this case, the attacker is attempting to perform a Path Traversal attack by providing a filename that includes directory traversal sequences.
\n
\n
\n
\n
\n
\n
\n
POST /upload HTTP/1.1\nHost: example.com\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Length: 343\n\n------WebKitFormBoundary7MA4YWxkTrZu0gW\nContent-Disposition: form-data; name=\"file\"; filename=\"../../etc/passwd\"\nContent-Type: text/plain\n\nMalicious content here.\n------WebKitFormBoundary7MA4YWxkTrZu0gW--\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
In this example, the attacker is trying to overwrite the /etc/passwd file, which is a critical system file on Unix-like operating systems.
\n
To mitigate such an attack, you can use an F5 iRule to inspect the filename in the Content-Disposition header of each part in a multipart request and reject the request if the filename contains a directory traversal sequence. Here's an example of what that iRule might look like:
\n
when HTTP_REQUEST {\n if { [HTTP::header exists \"Content-Type\"] } {\n set content_type [HTTP::header \"Content-Type\"]\n if { [string tolower $content_type] starts_with \"multipart/form-data\" } {\n HTTP::collect\n }\n }\n}\n\nwhen HTTP_REQUEST_DATA {\n set data [HTTP::payload]\n if { $data contains \"filename=\\\"../\" } {\n HTTP::respond 400 content \"Invalid filename\"\n } else {\n HTTP::release\n }\n}\n\n
This iRule works by collecting the body of the request if the Content-Type header indicates that it is a multipart request. When the body of the request is available, it checks if the body contains the string filename=\"../. If it does, it responds with a 400 Bad Request error. Otherwise, it allows the request to proceed.
\n
File Upload Security
\n\n
\n
\n\n\n| Bad multipart/form-data request parsing | \nWhen the content type of a request header contains the Multipart/form-data substring, the system checks whether each multipart request chunk contains a Content-Disposition header containing a name value and corresponding parameter key value. For example: name=\"parameter_key\". If the Content-Disposition header does not contain the required parameters, a violation is issued.\n Note: Content-Disposition is not covered under HTTP Standard RFC 2616, but is instead covered separately under RFC 2183 - Communicating Presentation Information in Internet Messages: The Content-Disposition Header Field. \n | \n
\n\n| Bad multipart parameters parsing | \nThe system examines the requests to verify that the Content-Disposition header matches the format: name=\"param_key\";\\r\\n.\n The system also checks that the following is true:
* A boundary follows immediately after the request headers.
* The parameter value matches the format: ‘name=\"param_key\";\\r\\n.
* A chunked body contains at least one CRLF.
* A chunked body ends with CRLF.
If one of these is false, a violation is issued. \n | \n
\n\n
\n
ASM File Upload Specific Mitigtions
\n
\n
\n
\n
\n
\n
\n
\n
![\"F5](\"https://www.f5.com/content/dam/f5/f5-logo.svg\"){kind=logo}
