Reputation: 3669
I have a webforms app that allows users to submit URLs of images to the site. These images are then screened by myself in the admin console before making them available on the site for everyone to see. They do not have to submit an image, it could be a link to a page where the image is contained.
Webforms protects against malicious input by default, but only when injecting JavaScript into the input box. So it will instantly pick up things like <script type="text/javascript">alert('nasty code');</script> but not http://www.nastysite.com/nastyScript.js, as this is simply a URL and 'could' be a valid image.
In the admin console I list all submissions in a datalist control and use an asp:Image control to display the image for inspection.
If a user were to submit a malicious script could this be executed in my browser when the admin console page is rendered? I have tried this myself by writing a script that hooks into document loaded to show an alert, and nothing happens.
I figure I should display the submitted URL as well as rendering it, so I can check for any odd-looking submissions.
One other thing that concerns me is that if I approve an image from another site, could they later swap the valid image out for a nasty script? I would assume not if it's in an img tag?
Am I overlooking any potential weaknesses?
Upvotes: 2
Views: 1232
Reputation: 35374
When a web browser loads a resource as the SRC of an IMG tag, it will parse the response as an image file. If someone were to submit a URL to a JavaScript file instead, the result would merely be a broken/missing image.
That said, there are still security concerns with externally-linked photos:
As you've already stated, someone could swap the image out after the fact to, say, pr0n.
They will be able to track the IP address, timestamp, and browser identity of all of the visitors to your site who see the image. Depending on your visitors' browser settings, they could also set cookies to track your users as they visit both your site and others that allow similar linking. This is of course how pretty much all of the image-only banner ad services work.
If a particular browser were susceptible to a malformed image file, they could swap the image out to such a file, which could then crash or lock up the users' browsers. In the extreme case, it could allow them to breach browser security. Browsers in general tend to be relatively hardened against malformed image attacks, but it is a possibility another one could be discovered.
They could theoretically change the image file to a 302 redirect response to some other URL, which might not be an image at all. The visitor would only see a broken image, but if you have enough traffic, they could wield those redirects to, say, perform a DDoS on another web site. (I'd put this in the "paranoia" category.)
Upvotes: 1
Reputation: 9351
Any images that are pulled from another site should be saved on your local server as if the user had uploaded it directly. Not only does this prevent the user from later changing the image after you've approved it, but it prevents the image from becoming dead after you've approved it should the parent website delete it.
As for sanitizing incoming files: is it possible to check the incoming file at upload time, get its content-type or perhaps even its extension, and validate it against a list of good extensions? For instance, users can only submit images that are png, jpg, and gif, perhaps?
Upvotes: 1
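A concrete form of this answer's advice (save a local copy, allow only png/jpg/gif), shown as an added example in Python rather than the asker's ASP.NET code and not taken from either answer. It checks the file's leading bytes instead of the extension or the Content-Type header, since both of those are chosen by whoever controls the remote URL; the size limit, function names and sample bytes are constructed for the example.

```python
import hashlib
from pathlib import Path

# Leading-byte signatures for the three formats the answer allows.
# These are the real signatures from the PNG, JPEG and GIF specifications.
_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for a submitted image


def sniff_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the file's leading bytes, else None.

    The declared Content-Type and the URL's extension are both under the
    submitter's control, so neither is consulted here.
    """
    for ext, prefixes in _SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return ext
    return None


def store_submitted_image(data: bytes, dest_dir: str):
    """Validate already-downloaded bytes and write a local copy.

    Returns the stored path, or None if the bytes are not an allowed image.
    Keeping a local copy is what freezes the approved image so the remote
    site cannot swap it later; the content-hash filename contains nothing
    the submitter chose, so no path or extension tricks reach the disk.
    """
    if not data or len(data) > MAX_BYTES:
        return None
    ext = sniff_image_type(data)
    if ext is None:
        return None
    digest = hashlib.sha256(data).hexdigest()
    path = Path(dest_dir) / f"{digest}.{ext}"
    path.write_bytes(data)
    return str(path)


if __name__ == "__main__":
    import tempfile
    # Constructed samples: a PNG header, and script text served as "image.png".
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    js_bytes = b"alert('nasty code');"
    with tempfile.TemporaryDirectory() as d:
        print(store_submitted_image(png_bytes, d))  # a .png path under d
        print(store_submitted_image(js_bytes, d))   # None: rejected
```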