I have a image and video sharing website , I think which is not secure. Because anyone can upload shells or malwares instead of image and video. So I want to know how YouTube or Facebook prevent them from this vulnerability. Please tell me anybody.
Asked
Active
Viewed 94 times
1 Answers
2
You can't prevent them from being uploaded.
You have to deal with the uploaded content, and decide based on what you get and where it's from whether to keep it or not.
One quick way to do this might be to re-write, or re-multiplex photos and videos that are uploaded. So if you (say) resize the image (perhaps to make a thumbnail), and the resizing fails, then probably it's not an image. Analyze the upload - can it even be decoded as-if it's an image? Same for video - if it can't be converted (or at least read), don't allow it.
I like to work on a white-list system. Verify what you accept matches some criteria. Say you only want to accept JPEG images. Open the uploaded file, and check for the JPEG JFIF standard headers. If it's not there - it's not a JPEG, junk it. Then check for the image-size fields, if they're not there, junk it. Next check ... etc. Only accept it if you can be sure of what it is.
There's other considerations too - what if the image a completely-valid photo of a cute kitten - but at giga-pixel resolution. Your verification software needs to be smart enough no to try to decompress this.
Once you validate that the upload is an actual image (or video), then maybe you need to regulate the content of the image / video. This is a lot harder. Some images are illegal in certain jurisdictions yet perfectly legal in others. You wouldn't want to be sharing illegal images.
If you get say 3x failed uploads in a row, perhaps you could block that IP address for a few hours.
Kingsley
- 14,398
- 5
- 31
- 53