Perfect Image Validation In Web Application

To store an image on the server, before storing it we must validate the image because the user might upload a malicious script. These malicious scripts can result in cross-site scripting (XSS) that is a type of computer security vulnerability. Due to breaches of browser security, XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. 

We check the extension of uploaded files and denied files to upload it on the server. But this kind of validation is not enough to restrict a malicious script because the user can change the extension of that file and upload the same onto the server. To resolve this problem we check the contents of the file before uploading it. Nevertheless there is another problem that could exist if the website has constraints on the image format. For example the website has the constraint that allows only PNG images to be uploaded, but the user has a JPEG image format. However the user can change the extension of JPEG to PNG and upload it to the server.

The most common way of performing a check on the extension of the uploaded file does not take the content type into consideration and allows even malicious scripts or renamed files to be uploaded, is shown below:

String ext= Path.GetExtension(fuControl.PostedFile.FileName);

To resolve all problems relevant to image validation depending on their extension, we propose the usage of GUID image formats. The GUID for each image format is already defined in the "System.Drawing.Imaging" namespace. Hence it is easy to check each image.

We are first checking the type of content of the file. If the content of the file is of type Image that is inherited from "System.Drawing" then only a check for the GUID is done. We are checking the GUID only for a fixed number of extensions of Images but it can be extended further. The code used to validate the image using GUID is shown step-by-step below.

 Step 1: To check for the type of extension of file or Content of the file

  System.Drawing.Image imgObj= System.Drawing.Image.FromStream (fuControl.FileContent);
           If (imgObj.RawFormat.Guid==System.Drawing.Imaging.ImageFormat.Jpeg.Guid)
                 //Write your code here if image has jpeg format
           else   If (imgObj.RawFormat.Guid==System.Drawing.Imaging.ImageFormat.Gif.Guid)
                 //Write your code here if image has gif  format
           else   If (imgObj.RawFormat.Guid==System.Drawing.Imaging.ImageFormat.Png.Guid)
                 //Write your code here if image has png  format
           else   If (imgObj.RawFormat.Guid==System.Drawing.Imaging.ImageFormat.Icon.Guid)
                 //Write your code here if image has ico format
           else   If (imgObj.RawFormat.Guid==System.Drawing.Imaging.ImageFormat.Bmp.Guid)
                 //Write your code here if image has bmp  format
           else
                // Invalid Format

Step 2: This is used to perform a check for the maximum size of the file

if (((fuControl.PostedFile.ContentLength)/1024) > MaxFileSizeinKB)
Where fuControl  is file upload control
MaxFileSizeinKB is the property of the validator that has the maximum limit

Using the code above you can validate:

1.    extensions of Image from predefined list of images

2.    Size of image 

Reference(s)

http://msdn.microsoft.com

http://www.codeproject.com