040 – Compare file format and extension

Summary

The system must validate that the format (structure) of the files corresponds to their extension.

Description

This is a security measure that can be useful for validating the integrity and authenticity of files in a system or application. This process involves verifying that the actual content or format of a file matches the file extension it claims to have. Mismatches between file formats and extensions can indicate potential security risks or attempted attacks.

Supported In

Essential: True

Advanced: True

References

• CAPEC-11. Cause web server misclassification
• CAPEC-165. File manipulation
• CWE-434. Unrestricted upload of file with dangerous type
• CWE-646. Reliance on file name or extension of externally-supplied file
• SANS25-10. Unrestricted upload of file with dangerous type
• WASSEC-6_2_4_10. Command execution - Potential malicious file uploads
• NISTSSDF-PS_3_1. Archive and protect each software release
• ISSAF-J_7_3_5. Network security - Anti-virus system (methodology)
• ISSAF-Q_16_27. Host security - Windows security (DLL injection attack)
• OWASPSCP-12. File management
• CWE25-434. Unrestricted upload of file with dangerous type
• NIST800115-3_6. File integrity checking
• ASVS-12_5_1. File download
• ASVS-12_5_2. File download

Weaknesses

• 354 – Insecure file upload - Files Limit
• 413 – Insecure file upload - DLL Injection
• 027 – Insecure file upload

Last updated

2024/01/18