Skip to main content

Posts

Showing posts from September, 2018

Effective way of preventing malicious file upload

The below are all the prescribed best practices when deciding to upload a file in a web application. The below are list of implemented approaches:

A few points:

Extension whitelistng: Obvious and the first line of defense was to white listing of extensions. A simple but easily by-passable approach. Good to have this approach.File header type checking: This helps prevents the above bypass. Even if the request is captured and tampered to include a restricted file (say exe), the application will check the file header (the magic nos) of the file and reject it. Suppose an application only accepts .pdf files and expects %pdf header, but when we try uploading an exe which has a header MZ, the file will not be uploaded. In this case even though you try replacing the MZ with %pdf, the file will get uploaded but the resultant file would be treated as a pdf and not an exe, so becomes useless.Content type: The content type decides how to treat/ render this file once uploaded. The application rest…