
File Type Filtering

Websites may attempt to blacklist dangerous file types, but fail to account for parsing discrepancies when checking the file extension: the check and the file system (or web server) can disagree about where the extension ends, for example with mixed case, a trailing dot or space, a null byte, or a double extension. As with any blacklist, it is also easy to omit more obscure file types that are still dangerous, such as alternative extensions the server executes alongside the one that was blocked.


  • File Type Filtering: verifies that the content of a file is acceptable before it is stored on the server.
  • MIME Validation: the MIME type (<type>/<subtype>) is an identifier for the file's format. For an upload it is attached by the client in the Content-Type header of the file's part in the multipart request, so it is attacker-controlled and proves nothing on its own. It looks like this:
Content-Disposition: form-data; name="fileToUpload"; filename="php-reverse-shell.png"
Content-Type: image/png

  • Magic Number Validation: magic numbers are a more reliable way of determining the content of a file than the extension or the MIME header. The magic number of a file is a fixed string of bytes at the very beginning of the file content which identifies the format. It only proves what the first bytes look like, though: an attacker can prepend a valid signature to a script, so it should be combined with content filtering.
  • PNG Signature: 89 50 4E 47 0D 0A 1A 0A
    00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
    00000010  00 00 02 f8 00 00 02 9e  08 02 00 00 00 5f ed f8  |............._..|
    (the 8-byte PNG signature, followed by the first chunk: length 0x0d, type IHDR, then its 13 data bytes)

Other Types Of Filtering

  • Extension Validation: blacklisting (reject known-dangerous extensions; weak for the reasons above) or whitelisting (accept only the expected extensions, checked against the final extension after normalising case, trailing dots and path components).

  • File Length Filtering: a size limit used to prevent huge files from being uploaded and exhausting disk space or memory on the server.

  • File Name Filtering:
    • [1] Files uploaded to a server should have unique names, so that one upload cannot overwrite another.
    • [2] Adding a random element to the stored file name, and checking whether a file with the same name already exists on the server before writing (ideally as a single atomic create-if-absent operation rather than a check followed by a write).
    • [3] File names should be sanitized on upload to ensure that they do not contain any bad characters (path separators, null bytes, leading dots, control characters) which could cause problems on the file system. [If this filtering is in place, additional enumeration is required after the upload to discover the name and path under which the file was actually stored.]

  • File Content Filtering: more complicated filtering systems scan the full content of an uploaded file to ensure that it is not spoofing its extension, MIME type and magic number, for example by checking that the file parses completely as the format it claims and contains no script markers.
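An added example (not the page's own code, written for this rewrite) that puts the extension, file name and content checks above into one Python module: a case-sensitive blacklist beside a normalising whitelist, random storage names created with O_EXCL so the "does this name already exist" check is atomic, and a PNG chunk walker that rejects trailing data and script markers. The sample file names, the tiny constructed PNG and the PHP string are invented test input.

```python
import os
import secrets
import struct
import tempfile
import zlib

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}          # whitelist
BLACKLIST_EXT = {"php", "phtml", "php5"}              # the weak approach


def blacklist_allows(filename: str) -> bool:
    """Blacklist on the last extension, case-sensitive, no normalisation."""
    return filename.rsplit(".", 1)[-1] not in BLACKLIST_EXT


def safe_extension(filename: str):
    """Whitelist on the final extension after removing name tricks; None means reject."""
    if "\x00" in filename:                                   # shell.php%00.png
        return None
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop path components
    name = name.rstrip(". ")                                 # Windows strips these
    if "." not in name or name.startswith("."):
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXT else None


def store_upload(upload_dir: str, original_name: str, data: bytes) -> str:
    """Random stored name with the validated extension; O_EXCL fails if it exists."""
    ext = safe_extension(original_name)
    if ext is None:
        raise ValueError("extension not allowed")
    stored = f"{secrets.token_hex(16)}.{ext}"
    fd = os.open(os.path.join(upload_dir, stored),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def png_structure_ok(data: bytes) -> bool:
    """Every chunk CRC must verify, the last chunk must be IEND and nothing may follow it."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                    # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return end == len(data)               # trailing bytes => polyglot
        pos = end
    return False


def content_ok(data: bytes) -> bool:
    """Structure check plus a scan of the whole file, which also catches a script in a tEXt chunk."""
    return png_structure_ok(data) and not any(m in data for m in SCRIPT_MARKERS)


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_png(extra=()) -> bytes:
    """Constructed 1x1 RGB PNG (sample input, not a real upload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")                # filter byte + 1 RGB pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + b"".join(png_chunk(t, b) for t, b in extra)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


PHP = b'<?php system($_GET["cmd"]); ?>'
SAMPLES = {
    "clean": make_png(),
    "appended": make_png() + PHP,                               # trailing data
    "text_chunk": make_png([(b"tEXt", b"Comment\x00" + PHP)]),  # valid structure
}


def demo():
    names = ["shell.PHP", "shell.php.", "shell.php\x00.png", "shell.phar",
             "shell.php.png", "cat.png"]
    name_results = {n: (blacklist_allows(n), safe_extension(n)) for n in names}
    content_results = {k: (png_structure_ok(v), content_ok(v)) for k, v in SAMPLES.items()}
    return name_results, content_results


def demo_store():
    with tempfile.TemporaryDirectory() as d:
        a = store_upload(d, "cat.png", SAMPLES["clean"])
        b = store_upload(d, "shell.php.png", SAMPLES["clean"])   # lands as <random>.png
        return sorted(os.listdir(d)) == sorted([a, b]) and a.endswith(".png") and b.endswith(".png")


if __name__ == "__main__":
    print(demo())
    print(demo_store())
```

The blacklist lets every trick name through (uppercase, trailing dot, null byte, .phar) while the whitelist rejects them; the whitelist still accepts shell.php.png, which is why the file is stored under a random name with only the validated extension, so the double extension never reaches the disk. The content checks show the three cases from the page: a clean file passes, a signature-plus-script polyglot fails the structure walk, and a script inside a valid tEXt chunk passes the structure walk but fails the full-content scan.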