RE: [WEB SECURITY] How to avoid XSS into PDF Files, using java
- From: steve jensen <sjensen1207@xxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] How to avoid XSS into PDF Files, using java
- Date: Fri, 18 May 2007 16:03:14 -0500
The content type/disposition can still be spoofed by a person entering a valid PDF signature into the malicious file. The browser and application might still assume the malicious file is valid. XSS in PDFs is really only a concern if the user is opening the file directly in the browser, as opposed to either using a valid Adobe PDF reader plugin or downloading the file to their machine.

Another concern is if these PDF files are being uploaded to your server, in which case ensure the upload location is outside the site's directory structure so a request to the malicious file can't be made directly.
Date: Fri, 18 May 2007 13:16:36 -0400
From: edwin.cruz@ge.com
To: websecurity@webappsec.org
Subject: [WEB SECURITY] How to avoid XSS into PDF Files, using java
Hi folks...

I have to create a routine that verifies the content of a PDF file uploaded through an HTML form. I check the content type, but if some malicious XSS code is inserted into that PDF file, it is not detected. I'd like to know if there is a known way to avoid this problem. Should I use the Java PDF library to verify the content??? I know that I could avoid the problem if I sent a Content-Disposition header, but I cannot do it.

Any suggestions are welcome

Thanks in advance...

--
Ing. Edwin Cruz
Software Engineer
Softtek GDC-Aguascalientes, GE Treasury
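The spoofing Steve describes (a file that carries a valid PDF signature but is otherwise something else) is easy to show in a few lines of Java, alongside a stricter structural check that rejects such files. This is an added example, not code from either poster; the class and method names are my own, and the two input files are constructed inline.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added example (not from the thread): a signature-only check versus a
 *  stricter structural check for an uploaded "PDF". Names are my own. */
public class PdfUploadCheck {
    private static final byte[] MAGIC = "%PDF-".getBytes(StandardCharsets.US_ASCII);

    /** The naive check the question relies on: does the file start with %PDF-? */
    public static boolean looksLikePdf(byte[] data) {
        return data.length >= MAGIC.length
            && Arrays.equals(Arrays.copyOf(data, MAGIC.length), MAGIC);
    }

    /** Stricter check: a real PDF also contains indirect objects, a startxref
     *  pointer and ends with %%EOF. This rejects files that merely wear the
     *  signature; it is not proof of safety, so still store the file outside
     *  the web root and serve it through a handler rather than directly. */
    public static boolean isStructurallyPdf(byte[] data) {
        if (!looksLikePdf(data)) return false;
        // ISO-8859-1 maps every byte to one char, so nothing is lost or altered.
        String text = new String(data, StandardCharsets.ISO_8859_1);
        String tail = text.substring(Math.max(0, text.length() - 1024)).trim();
        return text.contains(" obj") && text.contains("endobj")
            && text.contains("startxref") && tail.endsWith("%%EOF");
    }

    public static void main(String[] args) {
        // Constructed sample 1: only the PDF signature, plain HTML underneath.
        byte[] spoofed = "%PDF-1.4\n<html><body>not really a pdf</body></html>\n"
            .getBytes(StandardCharsets.ISO_8859_1);
        // Constructed sample 2: a minimal but structurally complete PDF skeleton
        // (object 1 starts at byte 9, the xref table at byte 45).
        byte[] genuine = ("%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            + "xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
            + "trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n45\n%%EOF\n")
            .getBytes(StandardCharsets.ISO_8859_1);
        for (byte[] f : new byte[][] { spoofed, genuine }) {
            System.out.println("signature=" + looksLikePdf(f)
                + " structural=" + isStructurallyPdf(f));
        }
    }
}
```

The spoofed file passes the signature check but fails the structural one; the skeleton passes both. A proper PDF parser is still the right tool for anything beyond this first gate.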
Brought to you by http://www.webappsec.org