File Upload Security


#1

How to detect malicious image file upload?
Suppose you have a website that allows users to upload their pictures.

Thanks.


#2

If you are saving to the file system with the correct file extension, your antivirus protection software may detect and quarantine the file.


#3

Ok, it seems AV is the solution, thanks.


#4

You could also strip out all the headers from the files on upload; Adobe software sometimes leaves heaps of XML in files depending on the export mode, and most malware will be embedded in the headers.

i.e.


#5

Interesting, thanks.


#6

Trailing on to what @Zac_Spitzer suggested about removing headers… that is (in part) what services like TinyPNG.com do to reduce the size of image files. So, you get the benefit of reducing file sizes (download faster, use less bandwidth) and at the same time help sterilize the images of any corrupted header data.

That said, I have an API wrapper for TinyPNG here if you’re interested:

HTH

– Denny


#7

Thanks for the info. When the project moves to that stage I’ll keep it in mind.


#9

If you are concerned with the content of the image you can use one of the cloud image analysis engines. We use Amazon Rekognition. This will also return an error if the content is not an image.
I would also recommend that you never place uploaded files into web-exposed directories. Upload into a validation path and validate before exposing any further.
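Combining the header-stripping idea from #4 with the validate-before-exposing advice in #9, here is an added example (not code from this thread, TinyPNG or Rekognition): a stdlib-only PNG sanitiser that rejects anything that is not a well-formed PNG and rewrites it keeping only the chunks a decoder needs, so metadata blobs and bytes appended after IEND never reach the served copy. The chunk whitelist and the sample image are constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks a decoder needs. tEXt/iTXt/zTXt, eXIf and the XMP blobs that Adobe
# exporters add are ancillary and are dropped along with anything after IEND.
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def sanitize_png(data: bytes) -> bytes:
    """Return a copy of `data` holding only the chunks in KEEP.

    Raises ValueError for anything that is not a well-formed PNG, so a file
    that merely carries a .png extension is rejected instead of stored.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    out, pos, first = bytearray(PNG_SIG), len(PNG_SIG), True
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated before IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk = data[pos:pos + 12 + length]
        if len(chunk) != 12 + length:
            raise ValueError("truncated chunk %r" % ctype)
        if first and ctype != b"IHDR":
            raise ValueError("first chunk must be IHDR")
        first = False
        if zlib.crc32(chunk[4:-4]) & 0xFFFFFFFF != struct.unpack(">I", chunk[-4:])[0]:
            raise ValueError("CRC mismatch in %r" % ctype)
        if ctype in KEEP:
            out += chunk
        pos += 12 + length
        if ctype == b"IEND":
            return bytes(out)


# Constructed sample: a 1x1 greyscale PNG carrying an XMP-style iTXt chunk
# and extra bytes appended after IEND, as a hostile upload might.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x80")
XMP = b"XML:com.adobe.xmp\x00\x00\x00\x00\x00<x:xmpmeta/>"
SAMPLE = (PNG_SIG + png_chunk(b"IHDR", IHDR) + png_chunk(b"iTXt", XMP)
          + png_chunk(b"IDAT", IDAT) + png_chunk(b"IEND", b"") + b"trailing junk")
```

Run it on the upload in the validation directory and write only the returned bytes to the public path; a ValueError means the file never gets there.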


#10

Thanks for the input, I’ll check it out when the project reaches that stage.