Preventing content sniffing vulnerabilities when handling images with a user interface?

Problem:

I am working on an internal tool that allows users to upload images - and then displays these images to them and others.

This is a Java / Spring application. I only need to worry about IE11 for sure and Firefox v38+ (Chrome v43+ would be nice to have).

After the first development of the function, it seems that users can simply create a text file, for example:

 <script>alert("malicious code here!")</script>

and save it as "maliciousImage.jpg" and load it.

Later, when this image is displayed inside the image tags, for example:

 <img src="blah?imgName=foobar" id="someImageID">

actualImage.jpg is displayed normally, and maliciousImage.jpg is displayed as a broken link - and, most importantly, no malicious content is interpreted!


"-" , , "maliciousImage.jpg" HTML . script JavaScript , , .


, , , . , , stackoverflow , , , X- IE.

x-content- , . , , , .

response.setHeader("X-Content-Type-Options", "nosniff"); // tell the browser not to second-guess the declared type
response.setContentType("image/jpeg");                    // the registered JPEG type is image/jpeg, not image/jpg


- , ( , ..), , HTML/javascript , HTML /CDATA'- ... , , .

+4
3


1:

, , , - , imageio lib:

import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import javax.imageio.ImageIO;

//...... 

Image img = attBO.getImage(imgId);   // the application's own image entity, not java.awt.Image

InputStream x = new ByteArrayInputStream(img.getData());
BufferedImage s;
try {
    // ImageIO.read returns null (it does not throw) when no reader recognises the bytes
    s = ImageIO.read(x);
} catch (Exception e) {
    throw new myCustomException("Invalid image");
}
if (s == null || s.getWidth() <= 0) {
    throw new myCustomException("Invalid image");
}


 <script>alert("malicious code here!")</script>

, XSS - .

2:

, -, , , CSS, , ..

, , /png, ( ) -, , '- /html content-type , , .

, RESTful, , .


, site-mesh ( , , ...):

<decorators defaultdir="/WEB-INF/decorators">
    <!-- the image endpoint must not be wrapped in the HTML decorator -->
    <excludes>
        <pattern>*blah.ctl*</pattern>
    </excludes>
    <decorator name="foo" page="myDecorator.jsp">
        <pattern>*</pattern>
    </decorator>
</decorators>

3:


Spring, " ", . "accepts" , "messageconverters" .

Spring messageconverter image/png, /html - .

, Spring 4, :

@Produces("image/png")


4:

, , Spring 3.0.5 ( ). .

messageconverters, post-method, "image/png", .

/ - Spring


+1

, . , X-Content-Type-Options?

, , , html, gif javascript. , HTML, script ( ):
http://research.insecurelabs.org/content-sniffing/gifjs.html

, "X-Content-Type-Options: nosniff", script :
http://research.insecurelabs.org/content-sniffing/nosniff/gifjs.html

Btw, FF/IE, Chrome.

http://research.insecurelabs.org/content-sniffing/stackexchange.html

, - , , , . script "view image".

Edit:
Firefox, , X-Content-Type-Options: nosniff

, "Content-disposition: attachment; filename = image.gif" . , , URL- , , .

: http://research.insecurelabs.org/content-sniffing/attachment/
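The question's header-setting code, the first answer's ImageIO check and the second answer's Content-Disposition advice fit together in one endpoint. The following is an added example, not code from the question, the answers or the Spring project: it assumes Spring 4.3+ (for `@RestController`, `@PostMapping`, `@GetMapping`), Java 9+ (for `Map.of`), and a hypothetical in-memory store (`StoredImage`, `ALLOWED`, `detectImageType` are names chosen here). The MIME type served is the one ImageIO actually decoded at upload time; the client's file name and Content-Type are never consulted, which removes the case where "maliciousImage.jpg" is treated as text/html by a browser that ignores the nosniff header (Firefox honours it only from version 50).

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.multipart.MultipartFile;

// Added example; names below are assumptions, not part of the question or answers.
@RestController
public class ImageController {

    /** Allow-list of decoded formats, mapped to the exact MIME type that will be served. */
    private static final Map<String, String> ALLOWED = Map.of(
            "png", "image/png",
            "jpeg", "image/jpeg",
            "gif", "image/gif");

    /** Hypothetical storage: image id -> (detected MIME type, bytes). */
    private final Map<String, StoredImage> store = new ConcurrentHashMap<>();

    /**
     * Returns the MIME type of the image ImageIO decoded, or null when the bytes are not a
     * decodable image in an allowed format. A text file renamed to .jpg has no reader and
     * returns null; a file with a forged image header but junk body fails in read().
     */
    static String detectImageType(byte[] data) {
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(data))) {
            if (iis == null) {
                return null;
            }
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) {
                return null;                       // no decoder recognises the header: not an image
            }
            ImageReader reader = readers.next();
            try {
                String format = reader.getFormatName().toLowerCase(); // "png", "JPEG", "gif", ...
                reader.setInput(iis);
                BufferedImage img = reader.read(0); // decode for real, not just the header
                if (img == null || img.getWidth() <= 0 || img.getHeight() <= 0) {
                    return null;
                }
                return ALLOWED.get(format);         // null for any format outside the allow-list
            } finally {
                reader.dispose();
            }
        } catch (IOException | RuntimeException e) {
            return null;                            // truncated or corrupt data is rejected, not stored
        }
    }

    @PostMapping("/images")
    public ResponseEntity<String> upload(@RequestParam("file") MultipartFile file) throws IOException {
        byte[] data = file.getBytes();
        String mime = detectImageType(data);        // client-supplied name and Content-Type are ignored
        if (mime == null) {
            return ResponseEntity.status(HttpStatus.UNSUPPORTED_MEDIA_TYPE).body("not a supported image");
        }
        String id = UUID.randomUUID().toString();   // server-generated id; no user-controlled file names
        store.put(id, new StoredImage(mime, data));
        return ResponseEntity.ok(id);
    }

    @GetMapping("/images/{id}")
    public ResponseEntity<byte[]> serve(@PathVariable String id) {
        StoredImage img = store.get(id);
        if (img == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok()
                .contentType(MediaType.parseMediaType(img.mime))   // the type detected at upload time
                .header("X-Content-Type-Options", "nosniff")       // no MIME sniffing where the browser honours it
                // Direct navigation to the URL downloads the file instead of rendering it in a
                // top-level document; <img src=...> subresources are unaffected and still display.
                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + id + "\"")
                .body(img.bytes);
    }

    static final class StoredImage {
        final String mime;
        final byte[] bytes;

        StoredImage(String mime, byte[] bytes) {
            this.mime = mime;
            this.bytes = bytes;
        }
    }
}
```

The endpoint must sit outside any HTML decorator or view resolver (the sitemesh exclude in the first answer does this), otherwise the decorator wraps the bytes in HTML and the content type set here is lost.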

0

adeneo is pretty much spot-on. You should use any image library that you want to check if the downloaded file is a valid file for the type that it claims. Everything that the client sends can be manipulated.

-1

Source: https://habr.com/ru/post/1620107/
