0

I have a WCF service that is publicly exposing a JSON endpoint that I want a user to be able to POST an image to.

This image will be stored within our internal network and used by other systems. How can I do this in a secure manner that eliminates the risk of malicious files being sent through?

I have seen this answer. Is that, or something similar, likely to be my best option?

Community
  • 1
  • 1
Corey
  • 1,445
  • 4
  • 13
  • 26

1 Answers1

0

in a secure manner that eliminates the risk of malicious files being sent through?

You can't. There can always be someone with knowledge of the systems you use, knowing those systems use a library function which has a (zero-day) vulnerability they can trigger with a payload hidden inside an otherwise valid image. They will then be running code, from an image, on a machine in your network.

MIME sniffing and virus scanning eliminate most of this, but never all of it.

CodeCaster
  • 131,656
  • 19
  • 190
  • 236
  • For images you can also re-render those images. You will ensure that these are, in fact images and you will save bandwidth by lowering the quality if you must. – Stan Sep 30 '14 at 10:32
  • @Steve the image resizing library [can also have a vulnerability](http://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html). There can be flaws in EXIF handling for example, preserving EXIF data while resizing will still allow for code execution or DoS-attacks in the receiving or other systems. – CodeCaster Sep 30 '14 at 10:34
  • I see what your saying, its impossible to completely eliminate all risks, and my word choice could have been better, but by employing the previously mentioned techniques would that offer a suitable level of protection? – Corey Sep 30 '14 at 12:37