Sometimes the client needs to upload files to the server or into a database, like photos or Word documents, PDF and so on. You can check the extension but some attackers can change the file extension and upload the file to the server.

Let's see use a scenario, where you only want to upload a PDF file but the attacker can change the extension of a text file and upload it.

Open Notepad and type some text into it.



Save the file named "TestMe.pdf" and choose "Save as type" to "All files".



It will save the file in PDF format.



And if you open the file it will not open, but it will save as a PDF on the server or in the database. To prevent this kind of problem, you need to validate the MIME type of the file. Some common MIME Types are:



Click here for more MIME Types

To learn more about that see the following.

Add a new "Website" named "Website1".

And you will get the default page named "Default.aspx".



Add a File upload control named "FileUpload1" and button with "Upload" text on the page.



Add the following namespace in the .cs file:

1. using System.Runtime.InteropServices;  

Add the following code to access the "urlmon.dll" file which is a URL moniker file.

1. [DllImport(@"urlmon.dll", CharSet = CharSet.Auto)]  
2. private extern static System.UInt32 FindMimeFromData(System.UInt32 pBC,  
3. [MarshalAs(UnmanagedType.LPStr)] System.String pwzUrl,  
4. [MarshalAs(UnmanagedType.LPArray)] byte[] pBuffer,   
5. System.UInt32 cbSize, [MarshalAs(UnmanagedType.LPStr)] System.String pwzMimeProposed,  
6. System.UInt32 dwMimeFlags,  
7. out System.UInt32 ppwzMimeOut,  
8. System.UInt32 dwReserverd);  

 
Note: Click the following link to learn more about this file.

https://msdn.microsoft.com/en-us/library/ms775149%28v=vs.85%29.aspx

To learn more about the MIME type validation check the following links:

https://msdn.microsoft.com/en-us/library/ms775147%28v=vs.85%29.aspx

https://msdn.microsoft.com/en-us/library/ms775107%28v=vs.85%29.aspx

Add the code on the click event of the button:

1. protected void Button1_Click(object sender, EventArgs e)  
2.     {  
3.   
4.         HttpPostedFile file = FileUpload1.PostedFile;  
5.         byte[] document = new byte[file.ContentLength];  
6.         file.InputStream.Read(document, 0, file.ContentLength);  
7.         System.UInt32 mimetype;  
8.         FindMimeFromData(0, null, document, 256, null, 0, out mimetype, 0);  
9.         System.IntPtr mimeTypePtr = new IntPtr(mimetype);  
10.         string mime = Marshal.PtrToStringUni(mimeTypePtr);  
11.         Marshal.FreeCoTaskMem(mimeTypePtr);  
12.   
13.         if (mime == "application/pdf")  
14.         {  
15.             // upload the File because file is valid  
16.             Response.Write("This is Valid File");  
17.         }  
18.         else  
19.         {  
20.             //  file is Invalid  
21.             Response.Write("This is Invalid File");  
22.              
23.         }  
24.     }  

 Now if I run the page it will look like:



Case 1: In this case I will upload the invalid text file that I converted into a PDF file.



And the output will be "Invalid file".



Case 2: In this case I will upload a valid PDF file.



And the output will be "Valid file".