OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International
7.1k stars, 1.31k forks

Adding New Test Case - oversized image file upload #1018

Closed 0xmaximus closed 1 year ago

0xmaximus commented 1 year ago

What would you like added? Pixel/Frame flood attack

Would you like to be assigned to this issue?

kingthorin commented 1 year ago

Got a reference?

0xmaximus commented 1 year ago

https://github.com/0xmaximus/Galaxy-Bugbounty-Checklist/tree/main/DOS#4-pixel-floodimage-with-a-huge-pixelsframe-floodgif-with-a-huge-frame-attack

and Hackerone reports.

kingthorin commented 1 year ago

It should be added to a section such as: https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md

I’d be surprised if the guide doesn’t already have a bit on image processing but I don’t currently have a convenient way to check (on my cell phone).

rbsec commented 1 year ago

@kingthorin we probably need to be a bit careful about how big that section gets - because any file type that you upload and the server processes can potentially have vulnerabilities (especially DoS). Image upload is probably a common enough format that it's worth including as a specific section (although it's technically covered in the "other file formats").
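As an added illustration of the mitigation a tester would look for (not code from this issue, the WSTG, or any of its contributors): the server-side defence against pixel and frame floods is to read the declared dimensions and frame count from the file header and reject the upload before any pixel buffer is allocated or the decoder runs. The example below does that for PNG (IHDR chunk) and GIF (logical screen descriptor plus a walk over the block structure to count image descriptors, with no LZW decoding). `MAX_PIXELS`, `MAX_FRAMES`, the function names and the minimal sample files are all assumptions constructed for this example; a real deployment tunes the limits to its decoder budget and still enforces limits inside the decoder, because a header is a claim, not a guarantee.

```python
import struct
import zlib

# Constructed limits for this example; a real deployment tunes them to its decoder budget.
MAX_PIXELS = 25_000_000   # total pixels (width * height) we are willing to decode
MAX_FRAMES = 500          # animation frames we are willing to decode

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_header_info(data: bytes) -> dict:
    """Read width/height from the PNG IHDR chunk without decoding any pixel data."""
    if len(data) < 24 or data[:8] != PNG_SIGNATURE or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    width, height = struct.unpack(">II", data[16:24])
    return {"format": "png", "width": width, "height": height, "frames": 1}


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a GIF data sub-block sequence (length-prefixed blocks ending in 0x00)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_header_info(data: bytes) -> dict:
    """Walk the GIF block structure to get screen size and frame count, no LZW decoding."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13  # signature (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table present: 3 * 2^(n+1) bytes
        pos += 3 * (1 << ((packed & 0x07) + 1))
    frames = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:        # trailer
            break
        if block == 0x21:        # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:      # image descriptor: 9 bytes, optional local table, LZW byte, sub-blocks
            if pos + 9 > len(data):
                raise ValueError("truncated GIF")
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:
                pos += 3 * (1 << ((lpacked & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)
            frames += 1
            if frames > MAX_FRAMES:   # over budget already; stop walking the rest of the file
                break
        else:
            raise ValueError(f"unknown GIF block 0x{block:02x}")
    return {"format": "gif", "width": width, "height": height, "frames": frames}


def check_upload(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects oversized images before any pixel buffer exists."""
    try:
        if data[:8] == PNG_SIGNATURE:
            info = png_header_info(data)
        elif data[:6] in (b"GIF87a", b"GIF89a"):
            info = gif_header_info(data)
        else:
            return False, "unsupported or unrecognised image format"
    except ValueError as exc:
        return False, str(exc)
    if info["width"] * info["height"] > MAX_PIXELS:
        return False, f"{info['format']}: {info['width']}x{info['height']} exceeds pixel budget"
    if info["frames"] > MAX_FRAMES:
        return False, f"{info['format']}: more than {MAX_FRAMES} frames"
    return True, f"{info['format']}: {info['width']}x{info['height']}, {info['frames']} frame(s)"


# --- constructed sample files: minimal headers, only for exercising the checks above ---

def make_png(width: int, height: int) -> bytes:
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunk = struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr
    return PNG_SIGNATURE + chunk + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr))


def make_gif(width: int, height: int, frames: int) -> bytes:
    out = b"GIF89a" + struct.pack("<HHBBB", width, height, 0, 0, 0)
    for _ in range(frames):
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
        out += b"\x02" + b"\x01\x44\x00"   # LZW min code size, one 1-byte sub-block, terminator
    return out + b"\x3b"


if __name__ == "__main__":
    for name, blob in [("small png", make_png(640, 480)),
                       ("pixel flood png", make_png(60000, 60000)),
                       ("frame flood gif", make_gif(16, 16, 1000))]:
        print(name, check_upload(blob))
```

When testing the upload handler, the behaviour to confirm is that the oversized files are refused quickly and with bounded memory, and that the same budget is also enforced by the image library itself (for example a maximum-pixel setting), since the header check alone is bypassed by any format the pre-check does not understand.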

0xmaximus commented 1 year ago

Great! Ready to add.