I've created a web application that lets users create cool Avatars of themselves. I want users to be able to share their created Avatars to be displayed on our "Recent Creations" page.

What I am worried about though is that if I accept POST requests from my app (currently as a Base64 encoded string in the POST body), technically malicious users could send ANY string representing any sort of photo, which would then be posted to the gallery!

How do I make sure that posts are ONLY images that were created on my app?

CodyBugstein
  • Depending on how far an attacker wants to reach, it can even be impossible, if they go far enough to alter the .apk file for example. I am not sure I fully understood your concern though. Are you afraid that they will start sending random images using some other software (e.g. a web browser), or through your application? Anyhow, probably by far the best solution (but not very practical) is to review the images before allowing them to be on the website. – Iakovos Feb 23 '17 at 01:34
  • @jackgu1988 I didn't say anything about an apk. It's a web app. – CodyBugstein Feb 23 '17 at 03:23
  • Sorry, my mistake. On a web app there is not much you can do on the client side, except if the image is not actually generated on the client. If the avatars for example can only use image components that you provide, you can upload an XML file instead of an image, with the IDs of the image icons and the coordinates where the user placed them. The server generates the image again based on that XML. – Iakovos Feb 23 '17 at 10:22
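The last comment's approach, regenerating the image on the server from a description that only references server-owned components, as an added example that is not part of the question or the comments. It is written in Python, uses JSON rather than the XML the comment mentions (an assumption made here to keep the parser small), and the palette of SVG fragments, the canvas size and the limits are all constructed for the example. The point it shows is that the client never gets to send pixels or markup: it sends component IDs and integer coordinates, everything else is rejected, and the server composes the picture itself.

```python
import json

CANVAS = 200              # constructed: square canvas, in SVG user units
MAX_PARTS = 16            # constructed: cap on components per avatar
MAX_PAYLOAD_BYTES = 4096  # constructed: reject oversized descriptions early

# Constructed palette of server-owned SVG fragments. Only {x} and {y} are
# substituted, and only with validated integers, so no client data ever
# becomes markup.
PALETTE = {
    "face_round":  '<circle cx="{x}" cy="{y}" r="40" fill="#f1c27d"/>',
    "face_square": '<rect x="{x}" y="{y}" width="80" height="80" fill="#f1c27d"/>',
    "eye":         '<circle cx="{x}" cy="{y}" r="4" fill="#222"/>',
    "mouth_smile": '<path d="M{x} {y} q 15 12 30 0" stroke="#a33" fill="none" stroke-width="3"/>',
}


class AvatarError(ValueError):
    """Raised for any description the server refuses to render."""


def parse_avatar(raw):
    """Decode and validate a client-submitted avatar description.

    Returns a list of (component_id, x, y) tuples or raises AvatarError.
    """
    if not isinstance(raw, (str, bytes)) or len(raw) > MAX_PAYLOAD_BYTES:
        raise AvatarError("payload missing or too large")
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise AvatarError("payload is not valid JSON") from exc
    if not isinstance(doc, dict) or set(doc) != {"parts"}:
        raise AvatarError("expected an object with exactly one key: parts")
    parts = doc["parts"]
    if not isinstance(parts, list) or not 1 <= len(parts) <= MAX_PARTS:
        raise AvatarError(f"parts must be a list of 1..{MAX_PARTS} entries")
    result = []
    for part in parts:
        # Exact key set: unknown attributes (href, style, ...) are refused outright
        if not isinstance(part, dict) or set(part) != {"id", "x", "y"}:
            raise AvatarError("each part needs exactly id, x and y")
        cid, x, y = part["id"], part["x"], part["y"]
        if not isinstance(cid, str) or cid not in PALETTE:
            raise AvatarError("unknown component id")
        for v in (x, y):
            # bool is a subclass of int in Python, so reject it explicitly
            if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= CANVAS:
                raise AvatarError("coordinates must be integers within the canvas")
        result.append((cid, x, y))
    return result


def render_avatar(parts):
    """Compose the SVG from server-owned fragments and validated integers only."""
    body = "".join(PALETTE[cid].format(x=x, y=y) for cid, x, y in parts)
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{CANVAS}" '
            f'height="{CANVAS}" viewBox="0 0 {CANVAS} {CANVAS}">{body}</svg>')


def build_avatar(raw):
    """What the POST handler would call: description in, regenerated image out."""
    return render_avatar(parse_avatar(raw))


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, three that must be refused
    good = json.dumps({"parts": [{"id": "face_round", "x": 100, "y": 100},
                                 {"id": "eye", "x": 85, "y": 90},
                                 {"id": "eye", "x": 115, "y": 90},
                                 {"id": "mouth_smile", "x": 85, "y": 115}]})
    print(build_avatar(good))
    for bad in ('{"parts":[{"id":"<script>","x":1,"y":1}]}',
                '{"parts":[{"id":"eye","x":999,"y":1}]}',
                '{"parts":[{"id":"eye","x":1,"y":1,"href":"x"}]}'):
        try:
            build_avatar(bad)
        except AvatarError as exc:
            print("rejected:", exc)
```

With this shape the Base64 problem from the question disappears: there is no image in the request to validate, so an attacker who bypasses the front end still cannot get arbitrary pixels into the gallery, only a different arrangement of the components the site already offers. The same validation applies whether the request comes from the app or from a hand-written client, which is exactly the case the question is asking about.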

0 Answers