Monday, September 5, 2011

Scams In India

Saturday, September 3, 2011

Validate uploaded image content in ASP.NET


A very few day ago i had to face the situation where hacker uploaded the malicious ASP script to the web server by changing its extension to .JPG through user interface which allow user to upload image file. Although developer team had put the validation on extension. But unfortunately extension of ASP script was .JPG and hence it is allowed extension. So hacker could upload that malicious script.

After this situation i thought just checking only extension for uploaded file is not the sufficient. We need to check content as well of the uploaded file.

So i decided to check header information in uploaded image file. If it found valid header information then only save uploaded file otherwise discard uploaded file. After Digging couple of hour onhttp://www.wotsit.org(I am fan of www.wotsit.org for more than 5 years), found following Header Information about different image file format.

Image File Header Information Table
File Format
Offset
Length
Value
JPG / JPEG
0
4
0xFF, 0xD8, 0xFF, 0xE0
PNG
0
4
0x89, 0x50, 0x4E, 0x47
TIF / TIFF
0
4
0x49, 0x49, 0x2A, 0x00
GIF
0
4
0x47, 0x49, 0x46, 0x38
BMP
0
2
0x42, 0x4D
ICO
0
4
0x00, 0x00, 0x01, 0x00

Instead of checking only header, we could also check whole file content against its file format. But checking only header could serve our purpose and it is also speedy process than checking whole file content so i am not checking whole file content.

Following code snippet validate header of known image types (JPG, PNG, TIFF, GIF, BMP, ICO) Please do let me know if i have missed any image types.

NOTE: In code snippet fuImage refer to ASP.NET file upload control

01protected void btnUpload_Click(object sender, EventArgs e)
02{
03    // DICTIONARY OF ALL IMAGE FILE HEADER
04    Dictionary<stringbyte[]> imageHeader = new Dictionary<stringbyte[]>();
05    imageHeader.Add("JPG"new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 });
06    imageHeader.Add("JPEG"new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 });
07    imageHeader.Add("PNG"new byte[] { 0x89, 0x50, 0x4E, 0x47 });
08    imageHeader.Add("TIF"new byte[] { 0x49, 0x49, 0x2A, 0x00 });
09    imageHeader.Add("TIFF"new byte[] { 0x49, 0x49, 0x2A, 0x00 });
10    imageHeader.Add("GIF"new byte[] { 0x47, 0x49, 0x46, 0x38 });
11    imageHeader.Add("BMP"new byte[] { 0x42, 0x4D });
12    imageHeader.Add("ICO"new byte[] { 0x00, 0x00, 0x01, 0x00 });
13 
14    byte[] header;
15    if (fuImage.HasFile)
16    {
17        // GET FILE EXTENSION
18        string fileExt;
19        fileExt = fuImage.FileName.Substring(fuImage.FileName.LastIndexOf('.') + 1).ToUpper();
20 
21        // CUSTOM VALIDATION GOES HERE BASED ON FILE EXTENSION IF ANY
22         
23        byte[] tmp = imageHeader[fileExt];
24        header = new byte[tmp.Length];
25 
26        // GET HEADER INFORMATION OF UPLOADED FILE
27        fuImage.FileContent.Read(header, 0, header.Length);
28 
29        if (CompareArray(tmp, header))
30        {
31            lblMessage.Text = "Valid ." + fileExt + " file.";
32            // VALID HEADER INFORMATION
33            // CODE TO PROCESS FILE
34        }
35        else
36        {
37            lblMessage.Text = "Invalid ." + fileExt + " file.";
38            // INVALID HEADER INFORMATION
39        }
40    }
41    else
42    {
43        lblMessage.Text = "Please select image file.";
44    }
45}
46 
47private bool CompareArray(byte[] a1, byte[] a2)
48{
49    if (a1.Length != a2.Length)
50        return false;
51 
52    for (int i = 0; i < a1.Length; i++)
53    {
54        if (a1[i] != a2[i])
55            return false;
56    }
57 
58    return true;
59}
Any input on above is greatly appreciated...

Source: http://www.dotnetexpertguide.com/2011/05/validate-uploaded-image-content-in.html
dotnet Expert Guide

@Blog.Author(Nandip Makwana)