I have an issue with uploading images in a web-based application. The image format should accept only jpeg, png, gif, jpeg. There is a restriction to upload only these formats. But with respect to a malicious attack, if an attacker tries to upload, say, image1.exe.png, then after a successful upload, using a proxy, the attacker will remove the .png extension and change the Content-Type to match the malicious file and can store the image1.exe file in the application, which will lead to an attack on the web application. I want the logic in dotnet core. How to restrict uploads to images only using dotnet core or REACT?
-
You could check some advice here on validating file type: https://stackoverflow.com/a/65241818/1658906. In addition, running a malware scanner on the files. – juunas Sep 01 '23 at 07:39
-
You've combined multiple problems into a single question. You need to figure out the individual components of that group of problems... How to check file contents, how to prevent that proxy thing from happening, etc... – Cerbrus Sep 01 '23 at 07:40
-
I want to check the file contents – sekhar Sep 01 '23 at 12:08
-
Make sure you have full control over creating the filename. (Use explicit case/switch for jpg/png/gif and choose/write the filename and extension accordingly). Not sure what this attack vector is describing: "Using a proxy, attacker will remove .png extension". Is this proxy a human being with access to the server's directory?... someone in control of a reverse proxy you are using? If you're talking about client-side, no worries, as you will control the filename server-side. (Still a good idea to scan untrusted files... you don't really want them there even if the extension is wrong) – pcalkins Sep 01 '23 at 19:02
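
The content check and server-side naming discussed in the comments above, as an added example that is not part of the original thread: the server reads the leading bytes of the upload, matches them against the JPEG, PNG and GIF signatures, and assigns its own file name and extension, ignoring the client's file name and Content-Type. The class and method names are hypothetical, and the sample byte arrays are constructed.

```csharp
using System;
using System.IO;

public static class ImageUploadValidator
{
    // Leading signature bytes of each accepted format, paired with the
    // extension the server assigns (never the one the client sent).
    private static readonly (byte[] Magic, string Ext)[] Signatures =
    {
        (new byte[] { 0xFF, 0xD8, 0xFF }, ".jpg"),
        (new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }, ".png"),
        (new byte[] { 0x47, 0x49, 0x46, 0x38, 0x37, 0x61 }, ".gif"), // GIF87a
        (new byte[] { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 }, ".gif"), // GIF89a
    };

    // True when the content starts with a JPEG/PNG/GIF signature; fileName is
    // then a server-generated name. Client file name and Content-Type are unused.
    public static bool TryGetSafeFileName(Stream content, out string fileName)
    {
        var header = new byte[8];
        int read = 0, n;
        // Stream.Read may return fewer bytes than requested, so loop.
        while (read < header.Length &&
               (n = content.Read(header, read, header.Length - read)) > 0)
            read += n;

        foreach (var (magic, ext) in Signatures)
        {
            if (read >= magic.Length &&
                header.AsSpan(0, magic.Length).SequenceEqual(magic.AsSpan()))
            {
                fileName = Guid.NewGuid().ToString("N") + ext;
                return true;
            }
        }
        fileName = string.Empty;
        return false;
    }

    public static void Main()
    {
        // Constructed samples: a PNG header, and an MZ (Windows executable)
        // header standing in for a file uploaded as "image1.exe.png".
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00 };
        byte[] exe = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };
        foreach (var sample in new[] { png, exe })
            Console.WriteLine(TryGetSafeFileName(new MemoryStream(sample), out var name)
                ? "accepted as " + name : "rejected");
    }
}
```

A signature match only confirms the leading bytes, so the malware scan recommended in the comments still applies to accepted files.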