
I encountered a scenario in which the attacker creates a .jpg file containing JavaScript code, and after uploading it, the script is executed in the browser while the .jpg file is displayed.

I configured all XSS prevention settings on FortiWeb, but it cannot detect this one.

What more should I do?

Mehran
  • You should not fix such issues using your web application firewall (WAF); you should have it fixed in the vulnerable code, as this is the root cause of your problem. – Jeroen Oct 12 '21 at 17:31
  • I know that but we need to configure security in multiple layers too. – Mehran Oct 12 '21 at 17:41
  • @Mehran but if one layer will do nothing to stop the problem, why focus on that layer? The client-side is running the JPG as code. That's the layer you need to focus on. – schroeder Oct 12 '21 at 22:46
  • You're right. The problem has been solved by the backend developers, but I, as a WAF operator, need to present a solution too, if it's possible. Do file security settings work in this situation? – Mehran Oct 13 '21 at 00:34
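The comments above point at the real fix: the browser only runs the "image" as code if the server lets it be treated as HTML. The following is an added example (not from the question, its comments, or FortiWeb) of what the application side of that fix looks like: an upload check that verifies the file's magic bytes against the client-declared type and flags HTML/script markers embedded inside an otherwise valid image, plus the response headers that stop a browser from sniffing an image into HTML when it is fetched directly. The function and table names, the marker list and the sample byte strings are all constructed for this illustration; the signature table is a minimal one, not a complete list.

```python
import re

# Magic-byte signatures for the image types this upload endpoint accepts.
# Constructed minimal table; extend it for any other formats you allow.
IMAGE_SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Heuristic: markers that have no business inside binary image data.
# A JPEG can carry arbitrary bytes in comment/APP segments, which is how a
# "polyglot" file keeps a valid image header while embedding markup.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|body|svg|iframe|object|embed)\b|javascript:",
    re.IGNORECASE,
)


def detect_image_type(data: bytes):
    """Return the MIME type whose magic bytes the data starts with, else None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(data: bytes, declared_mime: str):
    """Decide whether an uploaded file may be stored as an image.

    Returns (accepted, reason). The declared MIME type comes from the client
    and is untrusted; it is only compared against what the bytes say.
    """
    actual = detect_image_type(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != declared_mime:
        return False, f"declared {declared_mime} but content is {actual}"
    if HTML_MARKERS.search(data):
        return False, "active-content markers found inside image"
    return True, actual


def image_response_headers(mime: str, filename: str) -> dict:
    """Headers to send when the stored image is fetched directly.

    nosniff keeps the browser from reinterpreting the body as HTML even if it
    looks like markup; the sandboxing CSP means that even a mis-served file
    could not run script or reach the origin.
    """
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (not real uploads).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32 + b"\xff\xd9"
# Valid JPEG header followed by a COM segment whose payload is markup.
POLYGLOT_JPEG = b"\xff\xd8\xff\xfe\x00\x1e<script>/* constructed */</script>" + b"\xff\xd9"
PLAIN_HTML = b"<html><body>not an image</body></html>"


def run_samples():
    """Evaluate the constructed samples; returns a dict of results."""
    return {
        "clean_jpeg": validate_upload(CLEAN_JPEG, "image/jpeg"),
        "polyglot_jpeg": validate_upload(POLYGLOT_JPEG, "image/jpeg"),
        "html_as_jpeg": validate_upload(PLAIN_HTML, "image/jpeg"),
        "png_declared_jpeg": validate_upload(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/jpeg"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
    print(image_response_headers("image/jpeg", "avatar.jpg"))
```

The marker scan is a secondary check and can in principle false-positive on genuine image data, so the headers are the part that must never be skipped: with a correct `Content-Type` and `X-Content-Type-Options: nosniff`, a file reached by direct URL is rendered as an image or not at all, regardless of what is embedded in it. Where the upload pipeline can afford it, re-encoding every accepted image through an image library (not shown here) discards foreign segments entirely and is the strongest normalisation.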

0 Answers