Security Testing on File Upload Web Applications Based on the Yii 2 Framework

Authors

  • Rico Setyawan, Mahkamah Konstitusi Republik Indonesia
  • Rheva Anindya Wijayanti, Politeknik Siber dan Sandi Negara
  • Hermawan Setiawan, Politeknik Siber dan Sandi Negara

DOI:

https://doi.org/10.56706/ik.v20i1.148

Keywords:

Security Testing, File Upload, Yii 2 Framework, STRIDE, DREAD

Abstract

The Yii 2 framework is widely used to develop modern web applications because of its high performance and structured architecture. However, real vulnerabilities such as CVE-2018-7269 show that security problems can still occur despite its built-in mechanisms. This study evaluates the security resilience of a Yii 2-based file upload application using the STRIDE threat modeling framework and the DREAD risk assessment model. Four attack vectors, SQL Injection (SQLi), Cross-site Scripting (XSS), Remote Access Trojan (RAT) via file upload, and Buffer Overflow, were simulated in a controlled environment with reference to real-world CVEs. The experimental results show that the application blocked all of the attacks through built-in validation, input restriction, and strict MIME type filtering. The DREAD assessment revealed a high risk level for SQLi (7.6) and RAT (7.8), while XSS (5.6) and Buffer Overflow (6.2) were categorized as medium risk. These findings indicate that the tested Yii 2-based application has effective security mechanisms under the test conditions, while also emphasizing the importance of continuous testing and the adoption of an SSDLC.
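As an added illustration (not code from the paper), the three controls the abstract credits with stopping the upload attacks, an extension allowlist, a MIME check against the sniffed file content, and a size cap, expressed as a Yii 2 upload model. The `@uploads` alias (assumed to point outside the web root) and the random-name storage strategy are assumptions of this example.

```php
<?php
// Added example, not the paper's code. A Yii 2 form model that enforces the
// upload controls described in the abstract: an extension allowlist, a MIME
// check against the file's actual content, and a size limit. The stored name
// is generated server-side so the client-supplied name never reaches the path.
// Assumes a standard Yii 2 app and an '@uploads' alias outside the web root.

namespace app\models;

use Yii;
use yii\base\Model;
use yii\web\UploadedFile;

class UploadForm extends Model
{
    /** @var UploadedFile|null set from UploadedFile::getInstance($model, 'file') */
    public $file;

    public function rules()
    {
        return [
            [['file'], 'required'],
            [['file'], 'file',
                'skipOnEmpty' => false,
                'extensions' => ['png', 'jpg', 'jpeg', 'pdf'],            // allowlist, not denylist
                'mimeTypes' => ['image/png', 'image/jpeg', 'application/pdf'],
                'checkExtensionByMimeType' => true,  // extension must match the sniffed content
                'maxSize' => 2 * 1024 * 1024,        // 2 MiB cap on the upload body
                'maxFiles' => 1,
            ],
        ];
    }

    /**
     * Validate and store the upload. Returns the stored path, or null when
     * validation fails (the messages are then available via $this->getErrors()).
     */
    public function upload(): ?string
    {
        if (!$this->validate()) {
            return null;
        }
        $dir = Yii::getAlias('@uploads');                       // assumed alias
        $name = Yii::$app->security->generateRandomString(32)
              . '.' . $this->file->extension;                   // validated extension only
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        return $this->file->saveAs($path) ? $path : null;
    }
}
```

In the controller, populate `$model->file = UploadedFile::getInstance($model, 'file')` before calling `upload()`; a rejected file leaves the model's error messages set and writes nothing to disk.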


Submitted

02-09-2025

Accepted

21-05-2026

Published

28-04-2026

Section

Articles