http webrequest content type null - http-headers

is it necessary to mention content-type in http header while uploading the file. i tried using c#. i had set it "image/png" while uploading a pdf file and when i downloaded the uploaded file, the pdf file was perfect. it didn't get corrupted.
so what is the role of specifying content-type in http header.
can it be null or any other wrong value.
because the application that i am making, user will just give the file and and i just need to upload it.
any help highly appreciated. thanks in advance.

Weird that nobody answered this question.
You should always set the content-type, some software (servers) may break when it's omitted.
You could give it any value that the target system can handle.
Since you can easily fake http request, you can also fake the headers.
So your target system (in this case an upload processor) should only accept content-type
values it's able to handle and you MUST validate if the given content-type actually matches the data that is send in the body (the uploaded file itself).
You can never trust the content-type value, until you validate it somehow.
As a PHP developer I always check any file upload against a mime-type validator to be sure I got what I expected. For example I use getimagesize() to detect whether it's an image or not and if it is to get it's file format type (PNG).
Since both PNG and PDF files are binary file formats your upload succeeded.
This is because you coded it that way or the target system falls back on default settings or does some checking for itself.

Related

Modify File upload HTTP POST request boyd with file content

I'm learning to become a security researcher so my question is solely to understand/learn what happens and not for doing bad stuff.
I'm currently looking at file upload. In the specific case the file upload occurs with a HTTP Post request with the content-type header set to the actual MIME-type of the file (e.g. image/png) and not multipart/form-data. The HTTP request body contains the actual file content without any encoding, at least as far as I can see (when I save the raw HTTP request body to a file and compare it with the original file they are identical).
I would like to modify the HTTP request body to include the content of another file. The question is how can I obtain the actual content of this second file and replace the HTTP request body with this in a correct way (formatting, encoding,...).
I've used already tried many things (cat + copy paste, texteditor, xclip and alternatives, piping etc...) but for some reason the content always change (formatting,encoding, etc...) and the request is rejected by the servers as invalid. Even if I modify it with the content of the same file and when I save the raw request body the are different.
I know my issue is actually related to a lack of basic file content/handling etc. knowledge so I've already spend hours to search the web but seems I'm missing the correct terminology to find interesting resources.
So more than just having a solution for this specific use case I would like to understand what is happening in the process. So please feel free to point me to any resources that could help me to understand the underlying better.
I really appreciate any help, info. Many thanks in advance.
Best regards,

Can't send a binary attachment to Slack using LogicApp

I'm trying to use a logicapp to get the content of an email and post it to slack. By content I mean:
the body of the email and other elements like From:, Subject:
any attachment in the email (which usually are binary like PDF, Excel, image)
the email itself saved in a blob as .eml file
Slack chat.postMessage API works without any problem to send any text element. This API has some attachment argument but doesn't seemto be designed or binary files (or not for files at all, only strings)
I've tried slack files.upload one but couldn't figure out the syntax, especially the syntax using a regular HTTP POST. Could find examples online using curl, Python, JS and C# SDK but I don't know how to translate them to HTTP POST just like I do with chat.PostMessage
I've tried the API on SOAP UI, using file as argument as per the documentation, and I've used it in different sections: in the header, in the body, and using the Attachment Tab, none of the work and always the same error message : no_file_data
Unfortuatelly slack documentation lacks of details. Here's what it says about files.upload:
You must provide either a file or content parameter.
The content of the file can either be posted using an enctype of multipart/form-data (with the file parameter named file), in the usual way that files are uploaded via the browser, or the content of the file can be sent as a POST var called content. The latter should be used for creating a "file" from a long message/paste and forces "editable" mode.
In both cases, the type of data in the file will be intuited from the
filename and the magic bytes in the file, for supported formats.
I could use alternatives like just saving the attachments in blobs and use Azure functions to send the file, but I want to understand what's the limitations before changing the method.
Any clue?

Allowing multiple content types in HTTP POST Amazon S3 upload policy document

Does anybody know how to allow multiple content types in an Amazon S3 upload policy when uploading using HTTP POST? I can't seem to find the answer to this anywhere.
I am aware that I can restrict an upload to any file with a MIME type that starts with "image/" as follows:
{"expiration": "2015-02-28T00:00:00Z",
"conditions": [
["starts-with", "$Content-Type", "image/*"]
]
}
But how would I go about allowing only a certain few MIME types which might not all start with the same characters?
This isn't supported. It's either a single pattern match (including a wildcard), or you have to allow all.
Depending on how the form is being generated -- dynamically, one assumes -- you might be able to simply tell the application the content-type of the file you intend to upload when requesting the resource that builds the form, hence, telling the application what content-type value to use on the form and when generating the policy document.
If the application doesn't find that content-type in its list of acceptable values, it could just refuse to render the form, and refuse to create and sign a matching policy statement.
Depending on the application, there may be little point in worrying too much about the Content-Type field here, because this is not actually restricting the content-types that can be uploaded... it's only restricting the value passed in the value parameter of input type="input" name="Content-Type". That's all this actually restricts.
There's no validation being performed as to whether that value accurately represents the MIME type of the payload that is being updated, so the policy document isn't restricting what kind of content you can upload. It's only restricting what kind of content you can claim you are uploading.
It may also be more appropriate to just accept otherwise-unusable uploads and handle the problem on the back-end, after the fact.

Amazon S3 - setting content-type while uploading an object is important

I need to know setting the content-type for an S3 object while uploading is important or it will take the default content-type automatically? Also, which is the good practice?
Also, I want to know if I set the content-type to some thing else
(for ex: application/vnd.openxmlformats-officedocument.wordprocessingml.document) when uploading and specify the content-type as "application/octet-stream" when downloading, will it work?
Thanks in advance.
It depends on how you are going to use content-type.
As far as S3 is concerned, it doesn't matter.
But if you intend to transmit this file to a user via browser then it is good to have right content-type so that browser can identify file type and act accordingly instead of simply showing a "download file" dialog.
Right content type can help a browser to open the file with proper application either integrated with browser(like pdf reader) or stand alone application (like MS Word)

OAuth 1.0 binary data upload with RESTful api

I have a DESKTOP application which interacts with a web service through their RESTful api and OAuth 1.0. I can use all the resources fine, authentication, get/post calls to retrieve and send simple text data etc, no problems there.
However, I'm struggling to send binary data. The service allows sending pictures. For one part, they have a non-OAuth api through which you can also send a file in plain binary, simply pass some params in the URL and put the entire binary file in the post.
Now to do this through the OAuth api, becomes an issue:
The service specifies the post needs 2 parameters (not to be included in the URL since this is REST, but in the POST parameters):
image A binary file, base64 data, or a URL
type The type of file that's being sent in. Accepted values: file, base64, url
So we have 2 parameters: image contains the file itself, and type would be "file" to specify binary. But how am I supposed to include this through OAuth? given that the -image- and -type- parameters (and their values) must be used to generate the base string for the signature, which is matched against the parameters included in the POST.. I can't include the entire binary there as a value for the image parameter; so how is it done in this case?
nvm, their OAuth api expects the file as multipart/form-data with the variables there, and none in the base string for the signature (their non-OAuth api instead doesn't need multipart, so I expected their OAuth wouldn't either; their documentation is a bit lacking in this area).