Magic Number And Signature Audit For File Upload Security


Episerver has out-of-the-box field validation for file type (based on the extension), file size, and the number of files uploaded, but it does not inspect the file's magic number/signature. This article contains recommendations for adding magic number validation to file uploads.

One approach is to process incoming application requests in Global.asax and validate the uploaded file at that point, before it reaches the content pipeline.

The file extensions Episerver supports out of the box can be seen here.

Find an up-to-date database of file signatures and build a dictionary or list, keyed by extension, to check uploaded files against. Keep it in sync with the extensions the site's media types allow.

There are many discussions on this, as seen here. Reading the file header lets the code verify what the file actually contains rather than trusting the extension supplied by the client. A header check is only part of the picture, though: several formats share a signature (docx, xlsx and pptx are all ZIP archives), text-based formats such as CSV and SVG have no magic number at all, and a file with a valid header can still carry active content, so the extension allowlist and content-type handling must stay in place alongside it.
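The following is an added example, not code from this article or from the Episerver product, showing the Global.asax approach and the signature dictionary described above in one place. The signature table is constructed and abbreviated, the class names (`Signature`, `FileSignatureValidator`, `EPiServerApplication`) are hypothetical, and the Global class follows the Alloy sample site's convention of deriving from `EPiServer.Global`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;

namespace Example.Upload
{
    // One candidate signature: a byte sequence expected at a given offset.
    public sealed class Signature
    {
        public int Offset { get; }
        public byte[] Bytes { get; }
        public Signature(int offset, params byte[] bytes) { Offset = offset; Bytes = bytes; }
    }

    public static class FileSignatureValidator
    {
        // Constructed, abbreviated signature table keyed by extension. A production table
        // should be generated from an up-to-date signature database and kept in sync with
        // the extensions the site's media types allow. docx/xlsx/pptx share the ZIP header,
        // and text formats (csv, svg, txt) have no magic number; those need content parsing.
        private static readonly Dictionary<string, Signature[]> Signatures =
            new Dictionary<string, Signature[]>(StringComparer.OrdinalIgnoreCase)
            {
                [".jpg"]  = new[] { new Signature(0, 0xFF, 0xD8, 0xFF) },
                [".jpeg"] = new[] { new Signature(0, 0xFF, 0xD8, 0xFF) },
                [".png"]  = new[] { new Signature(0, 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A) },
                [".gif"]  = new[] { new Signature(0, 0x47, 0x49, 0x46, 0x38, 0x37, 0x61),   // GIF87a
                                    new Signature(0, 0x47, 0x49, 0x46, 0x38, 0x39, 0x61) }, // GIF89a
                [".pdf"]  = new[] { new Signature(0, 0x25, 0x50, 0x44, 0x46, 0x2D) },       // %PDF-
                [".zip"]  = new[] { new Signature(0, 0x50, 0x4B, 0x03, 0x04) },             // PK\x03\x04
                [".docx"] = new[] { new Signature(0, 0x50, 0x4B, 0x03, 0x04) },             // same as zip
                [".webp"] = new[] { new Signature(8, 0x57, 0x45, 0x42, 0x50) },             // "WEBP" after RIFF header
            };

        private const int HeaderLength = 32;

        // True only if the file's leading bytes match a known signature for its extension.
        // Unknown or missing extensions fail closed.
        public static bool HasValidSignature(string fileName, Stream content)
        {
            string ext = Path.GetExtension(fileName);
            Signature[] candidates;
            if (string.IsNullOrEmpty(ext) || !Signatures.TryGetValue(ext, out candidates))
                return false;

            byte[] header = new byte[HeaderLength];
            int read = ReadHeader(content, header);

            return candidates.Any(sig =>
                sig.Offset + sig.Bytes.Length <= read &&
                header.Skip(sig.Offset).Take(sig.Bytes.Length).SequenceEqual(sig.Bytes));
        }

        // Reads up to header.Length bytes from the start of the stream, then rewinds it
        // so the upload pipeline still sees the whole file. Loops because Stream.Read
        // may return fewer bytes than requested.
        private static int ReadHeader(Stream content, byte[] header)
        {
            content.Position = 0;
            int total = 0;
            while (total < header.Length)
            {
                int n = content.Read(header, total, header.Length - total);
                if (n == 0) break;
                total += n;
            }
            content.Position = 0;
            return total;
        }
    }

    // Global.asax.cs hook. Touching Request.Files here forces ASP.NET to read the
    // whole request body at this stage, so size limits should already be enforced.
    public class EPiServerApplication : EPiServer.Global
    {
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;
            if (request.Files.Count == 0) return;

            // Iterate by index so multiple files posted under the same field name are all checked.
            for (int i = 0; i < request.Files.Count; i++)
            {
                HttpPostedFile file = request.Files[i];
                if (file == null || file.ContentLength == 0) continue;

                if (!FileSignatureValidator.HasValidSignature(file.FileName, file.InputStream))
                {
                    // Reject before the upload reaches the content repository.
                    context.Response.StatusCode = 415; // Unsupported Media Type
                    context.Response.SuppressContent = true;
                    context.ApplicationInstance.CompleteRequest();
                    return;
                }
            }
        }
    }
}
```

Unknown extensions fail closed rather than open, which keeps the signature check from silently widening the extension allowlist. Because the check reads only the first 32 bytes, it should be treated as a sanity check on the container format, not as proof that the content is safe.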

Additional security checks after upload (for example, re-encoding images or scanning content) can be implemented in a custom media handler, as seen here.