[WEB SECURITY] Serverside Virus Scan

Stephen de Vries stephen at twisteddelight.org
Sun May 4 11:07:12 EDT 2008


The OWASP ESAPI project is tackling this functionality, see:

https://lists.owasp.org/pipermail/owasp-esapi/2008-February/000125.html
and

http://www.owasp.org/index.php/ESAPI

The code base is continually changing, so best to take a look to see what the current status of this functionality is.

Stephen


On May 3, 2008, at 3:44 PM, Bil Corry wrote:

> rajat karnwal wrote on 5/2/2008 5:43 PM:
>> So requirement is to check extension spoofing and
>> virus scanning before this file can be stored in
>> database. I am in a stage where I have to make a
>> design decision how this can be achieved.
>
> You might be able to use "file" to determine the type of file,  
> independent of the mime type or extension:
>
>   <http://en.wikipedia.org/wiki/File_(Unix)>
>
>
> And FWIW, pdp has written about various attack vectors with uploaded  
> files:
>
>   <http://www.google.com/search?q=upload+site:www.gnucitizen.org>
>
>
> One of my favorites is his "Cross-site File Upload Attacks" -- you  
> can't implicitly trust content even from yourself:
>
>   <http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/>
>
>
> All that said, I too would be interested in a "Best Practices" guide  
> for validating uploaded files, including recommended tools.
>
>
> - Bil
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS  
> Feed]
>


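The magic-byte check Bil describes (what the Unix `file` utility does, compared against the claimed extension) as an added Python example; this is not code from the thread or from ESAPI, and the signature table and allowed-extension map are constructed here and deliberately small.

```python
from typing import Optional, Tuple

# Minimal magic-byte table (constructed for this example; the real `file`
# utility consults a much larger libmagic database).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/jar
    (b"MZ", "exe"),           # Windows PE executable
    (b"\x7fELF", "elf"),      # Linux executable
]

# Which sniffed content types each permitted extension may carry.
# Anything not listed (exe, txt, php, ...) is rejected outright.
ALLOWED = {
    "pdf": {"pdf"},
    "png": {"png"},
    "jpg": {"jpeg"},
    "jpeg": {"jpeg"},
    "gif": {"gif"},
    "docx": {"zip"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the final extension is permitted and agrees with the
    content; the client-supplied MIME type and name are never trusted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowed"
    kind = sniff_type(data)
    if kind is None:
        return False, "unrecognised content"
    if kind not in ALLOWED[ext]:
        return False, f"extension '{ext}' but content looks like {kind}"
    return True, kind
```

A production check should still run the stored bytes through the real libmagic database and a virus scanner; this table only demonstrates the extension-versus-content comparison.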
