top of page

Does your manufacturing website have an upload function a cybercriminal could abuse?

Manufacturing, like other industries, have been transformed by technology. Anyone from anywhere can contract with you to produce bespoke 3D printed parts based on their designs. But with increased convenience comes increased risks and if you haven’t put in place ways to mitigate them then this risk could turn into a business nightmare.

Male using electronic design pad

What risk is there?

Someone uploads a malicious file which could even include server-side scripts that enable remote control execution i.e., someone could get access to all your files. Considering those files might include proprietary content or other sensitive information that is not good.


They can do that?

Its rare that web developers wouldn’t have put restrictions on the types of files allowed however these might be inherently flawed or can be easily bypassed.


If you want to read about the technical aspect of how an attack might work Portswigger’s Web Security Academy has an easy to understand breakdown of the different attacks.


What can I do, I’m not a web developer?

Business people sat talking outside

When you are getting your website built ensure that your developer knows that security if a key aspect and that they have considered this from the outset. Share with them Portswigger’s recommendations to use all the following practices:

  • Check the file extension against a whitelist of permitted extensions rather than a blacklist of prohibited ones. It's much easier to guess which extensions you might want to allow than it is to guess which ones an attacker might try to upload.

  • Make sure the filename doesn't contain any substrings that may be interpreted as a directory or a traversal sequence (../).

  • Rename uploaded files to avoid collisions that may cause existing files to be overwritten.

  • Do not upload files to the server's permanent filesystem until they have been fully validated.

  • As much as possible, use an established framework for pre-processing file uploads rather than attempting to write your own validation mechanisms.

How do I know if my website has this vulnerability?

If you want to check whether your website has this or other vulnerabilities, why not speak to us about our affordable web vulnerability assessments. We work with local university students, who are trained and mentored by senior ethical hackers, which gives them great work experience, while you benefit from affordable pricing. You can get a free no obligation quote just by speaking with us.


Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.


  • Threat alerts both regionally and nationally

  • Signposting to free tools and resources from both Policing and the NCSC

  • Little steps programme – series of weekly emails which aligns to cyber essentials looking at bite-sized practical information to build cyber resilience

  • Discussion area to meet and discuss other companies in the region and our partners

Contact us to find out more.


Policing led – business focussed.



Comments


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page