oliver.karowgmx.de
Date: Mon Jan 10 2005 - 01:30:45 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

/etc/magic contains "signatures" helping to determine the file type
according to its content.

----- Original Message -----
From: "Ofer Shezaf" <Ofer.Shezafbreach.com>
To: "Jeremiah Grossman" <jeremiahwhitehatsec.com>
Cc: <webappsecsecurityfocus.com>; "Alfred Hitchcock"
<alfredhitchcock_007yahoo.com>
Sent: Sunday, January 09, 2005 10:22 PM
Subject: RE: Content monitorting in Application Security

Hi Jeremiah,

I was researching lately the issue of ensuring that files (uploaded and
downloaded) are of the right type.

Do you think that matching extension and content type header would be
enough? If no, are you aware of any technology to determine a file type
according to its content?

~ Ofer

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofersbreach.com
http://www.breach.com

> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiahwhitehatsec.com]
> Sent: Saturday, January 08, 2005 3:44 AM
> To: Alfred Hitchcock
> Cc: webappsecsecurityfocus.com
> Subject: Re: Content monitorting in Application Security
>
> Sounds like common web site functionality and the resulting security
> challenge.
>
> Here are techniques that may help...
>
> 1) When receiving an uploaded file of any kind, use various parser
> libraries to sanity check the actual format of data. Ensuring the file
> being uploaded is what it claims to be. With the incoming file
> extension and content type header in agreement. jpeg's should be
> formatted like jpegs, mp3's like mp3's, html like html and so on.
>
> 2) If you plan on handling files beyond plain text, such as zips and
> exe's, you may consider using some type of A/V product as well. A nice
> security add-on that can be useful depending on the situation.
>
> 3) This following method is strictly about XSS and HTML/JavaScript
> content.
>
> While its fairly easy to filter all HTML tags from a file to prevent
> XSS, its exponentially harder to separate HTML from executable
> client-side code (JavaScript). Especially when the HTML is freeform
and
> most tags need to be supported on the web site. I've long said its a
> slippery slope to support use-submitted HTML, but sometimes it can't
be
> helped.
>
> There are a few things than can do help mitigate the risk of the
> uploaded files.
>
> a. Filter out potentially malicious HTML tags or only allows a
> strict
> set of safe HTML tags.
> b. Filter out potentially malicious tag attributes or only
allows a
> strict set of safe tag attributes.
>
> * The either or is a give and take of security vs.
> functionality/ease-of-use.
>
> Depending on the programming language you are using, there might
be
> some libraries available that could help make this process easier. I
> haven't used them, but I noticed there are libraries available for
Perl.
>
> http://cpan.uwinnipeg.ca/dist/HTML-StripScripts
> http://cpan.uwinnipeg.ca/dist/HTML-Scrubber-StripScripts
>
> There might be some available if you use some other language.
>
>
> best of luck!
>
>
> jeremiah-
>
>
>
>
>
>
> On Friday, January 7, 2005, at 04:55 AM, Alfred Hitchcock wrote:
> >
> > Hi All,
> > I have a major doubt it would be of great help if anybody can
provide
> > solution to this.
> > I have a web page which allows to upload files such as jpeg and html
> > files.
> > Is there any mechanisms which can detect malicious html files. E.g.
if
> > a html page has got a malicious java script such as alert('xss')
then
> > how can we check these things. One more point to be noted here is
that
> > uploading of file can be done by any user.
> >

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]