Validating file inputs
Any files that users can upload to your system also need to be scanned for malicious content. For the filename, check all the variables listed in Chapter 5, Black-Box Functional Testing. These tests are standard across many applications, and this section draws heavily from the OWASP website, which I highly recommend you visit for further reading and details.
Testing file uploads
For the file uploads, consider testing the following requirements:
- Only authorized users should be allowed to upload files
- Only accept specific file extensions
- Check the file type rather than relying on the Content-Type header
- Check the minimum and maximum file sizes
- Virus-check all files
- Protect the upload endpoint against Cross-Site Request Forgery (CSRF) attacks (see the CSRF attacks section for more details)
Acting as an attacker, you should attempt to violate each of those requirements to see whether your system is vulnerable.
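The extension, size and file-type requirements above, combined into one validation routine, as an added example that is not from the book or from OWASP: the allowlist table, the size bounds and the magic-byte prefixes are constructed for this example, and the authorization, virus-scan and CSRF checks are assumed to be handled elsewhere in the request pipeline.

```python
import os

# Constructed allowlist for this example: extension -> (expected MIME type, magic-byte prefixes).
# A real deployment would keep this table in configuration and virus-scan the bytes as well.
ALLOWED_TYPES = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}
MIN_SIZE = 16                 # bytes; constructed lower bound
MAX_SIZE = 5 * 1024 * 1024    # bytes; constructed 5 MiB upper bound


def validate_upload(filename: str, data: bytes, content_type: str) -> list:
    """Return the list of reasons the upload is rejected; an empty list means accept.

    The declared Content-Type is compared against the detected type but is never
    the basis for the decision; the file's own leading bytes are.
    """
    reasons = []

    # Filename: reject anything carrying directory components or control bytes.
    if not filename or filename != os.path.basename(filename.replace("\\", "/")):
        reasons.append("filename contains a path component or is empty")
    if any(ord(ch) < 0x20 for ch in filename):
        reasons.append("filename contains control characters")

    # Extension: allowlist on the final suffix only, case-insensitively.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        reasons.append(f"extension {ext or '(none)'} is not on the allowlist")
        return reasons  # nothing further can be checked meaningfully

    # Size bounds before any content inspection.
    if len(data) < MIN_SIZE:
        reasons.append(f"file is smaller than {MIN_SIZE} bytes")
    if len(data) > MAX_SIZE:
        reasons.append(f"file exceeds {MAX_SIZE} bytes")

    # File type: decided from magic bytes, not from the header the client sent.
    expected_mime, magics = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        reasons.append(f"content does not match the magic bytes expected for {ext}")
    if content_type.split(";")[0].strip().lower() != expected_mime:
        reasons.append(f"declared Content-Type {content_type!r} disagrees with {ext}")
    return reasons
```

Each rejection reason is returned rather than raised so the caller can log every failed check for detection purposes before responding to the client.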
Within the file, does your application scan...