RE: Content monitorting in Application Security

[Antoine Martin <antoine () nagafix co uk>]

On Sun, 2005-01-09 at 16:22 -0500, Ofer Shezaf wrote:
> Hi Jeremiah,
>
> I was researching lately the issue of ensuring that files (uploaded and
> downloaded) are of the right type. 
>
> Do you think that matching extension and content type header would be
> enough? If no, are you aware of any technology to determine a file type
> according to its content?
man file

Antoine
> ~ Ofer
>
> Ofer Shezaf
> CTO, Breach Security
>
> Tel: +972.9.956.0036 ext.212
> Cell: +972.54.443.1119
> ofers () breach com
> http://www.breach.com
>
> > -----Original Message-----
> > From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
> > Sent: Saturday, January 08, 2005 3:44 AM
> > To: Alfred Hitchcock
> > Cc: webappsec () securityfocus com
> > Subject: Re: Content monitorting in Application Security
> >
> > Sounds like common web site functionality and the resulting security
> > challenge.
> >
> > Here are techniques that may help...
> >
> > 1) When receiving an uploaded file of any kind, use various parser
> > libraries to sanity check the actual format of data. Ensuring the file
> > being uploaded is what it claims to be. With the incoming file
> > extension and content type header in agreement. jpeg's should be
> > formatted like jpegs, mp3's like mp3's, html like html and so on.
> >
> > 2) If you plan on handling files beyond plain text, such as zips and
> > exe's, you may consider using some type of A/V product as well. A nice
> > security add-on that can be useful depending on the situation.
> >
> > 3) This following method is strictly about XSS and HTML/JavaScript
> > content.
> >
> > While its fairly easy to filter all HTML tags from a file to prevent
> > XSS, its exponentially harder to separate HTML from executable
> > client-side code (JavaScript). Especially when the HTML is freeform
> and
> > most tags need to be supported on the web site. I've long said its a
> > slippery slope to support use-submitted HTML, but sometimes it can't
> be
> > helped.
> >
> > There are a few things than can do help mitigate the risk of the
> > uploaded files.
> >
> >     a. Filter out potentially malicious HTML tags or only allows a
> > strict
> > set of safe HTML tags.
> >     b. Filter out potentially malicious tag attributes or only
> allows a
> > strict set of safe tag attributes.
> >
> >     * The either or is a  give and take of security vs.
> > functionality/ease-of-use.
> >
> >     Depending on the programming language you are using, there might
> be
> > some libraries available that could help make this process easier. I
> > haven't used them, but I noticed there are libraries available for
> Perl.
> > http://cpan.uwinnipeg.ca/dist/HTML-StripScripts
> > http://cpan.uwinnipeg.ca/dist/HTML-Scrubber-StripScripts
> >
> > There might be some available if you use some other language.
> >
> >
> > best of luck!
> >
> >
> > jeremiah-
> >
> >
> >
> >
> >
> >
> > On Friday, January 7, 2005, at 04:55  AM, Alfred Hitchcock wrote:
> > > Hi All,
> > > I have a major doubt it would be of great help if anybody can
> provide
> > > solution to this.
> > > I have a web page which allows to upload files such as jpeg and html
> > > files.
> > > Is there any mechanisms which can detect malicious html files. E.g.
> if
> > > a html page has got a malicious java script such as alert('xss')
> then
> > > how can we check these things. One more point to be noted here is
> that
> > > uploading of file can be done by any user.