Application Security: Validate uploaded files before processing them

This is not a “how to” but a “what to”.

If you’re a software developer working on a system that allows file uploads, before you allow any code to process the file (i.e.  the file has uploaded, now you want to do something with it), you first need to check the file extension matches the “content” of the actual file.

A simple example: A user may upload a file with an “.ico” file extension, but it’s actually an image file with EXIF data, and your system has an EXIF data vulnerability. You can’t trust the underlying software libraries you use will first validate the file extension matches the actual data embedded in the file.

What this means is the software libraries you use may see the .ico extension, think that it’s OK (just an icon), not run any checks that would ordinarily be run to verify the file on file extensions containing EXIF data, but while processing the file it will still executes EXIF functions and processes the vulnerability.

You think that won’t happen? Think again. That’s an attack vector Black hat hackers use. And it works.

As a software developer, when you think about security you have to assume all the things that are “not likely” to happen are going to be the most likely attack vectors for hackers.

 

Our job as software developers is harder than ever. We have to think every “not likely to happen” scenario is going to be a step in an attack by someone malicious.