Loading files to SAS Stored Process server using VBA - excel

Is there a way of (programmatically) sending files directly to the STP server via HTTP? It appears that the documented approach (using <input type="file">) cannot be used in an automated fashion, due to an explicit browser restriction designed to prevent spamming of web servers.
I don't wish to use the IOM (although we have AMO licensed) as this creates a dependency on a local SAS installation.
The current approach involves writing out to a shared directory and then calling an STP via a web query - which then lifts and drops the data to a non-shared location.
The issue is that the data is then in the wider corporate domain for those few seconds. Would be much tidier to upload directly to SAS!
Is it possible though? Without third party software (just vanilla excel VBA)?

I don't really know if it is possible to do what you want, but I did see this and wonder if background mode would make a difference.
http://support.sas.com/kb/39/114.html

Related

Testing security of untrusted image upload

I need to test how my website will deal with image files with malware embedded. I'm already satisfied with its validation of the file type using header inspection. I'm looking to test it with genuine image files with embedded malware.
Can I get a jpg that should be recognised as malware to test this? Or make one myself?
Or if there is a better way of doing it, how can I make sure that everything is wired up and working correctly?
It will be deployed on Azure with the images saved to Azure Blob storage. I want to use the [new] Azure storage security service to detect malware.
It is typically difficult to use real malware for testing. You need to be able to handle the file in your test environment with care to not infect your systems or let it escape out into the rest of your network.
To facilitate testing anti-malware solutions, vendors provide a number of test files. These are benign files which are detected as malicious. Therefore it is safe to use them in your environment, but they will serve as a good test case of your solution.
There is one industry standard file (EICAR) which is available for testing anti-malware solutions. As you can see from VirusTotal, almost every vendor will detect this file as malicious, many of them identifying it as a test file.
In your particular use case there is one challenge here: it is not an image file. However, as you mention in the comments, I believe that turning off the image detection during this test is much better than using real malware for testing.
Finally, one word of caution with EICAR. As so many products detect this as a virus, you need to be careful of the anti-malware solution that is running on the systems that the file ends up on. For example, if your development environment contains an on-access scanner, attempting to run the test will potentially trigger the on-access scanner.

Project created using JHipster is available to everyone?

Hello folks, I am a newbie. I wanted to know: suppose I am creating a web application using JHipster. Will my code be available to everyone?
I mean will the code be submitted to open source community?
The generated code belongs to you, it's not shared.
Now, if you're afraid of your code leaking out because you're working in a highly secured domain (e.g. Finance), it's another story.
The generator is open source so you can audit what it does.
But it would be simpler to configure your firewall so that it blocks outgoing traffic while still allowing incoming traffic. Generator should require only getting artifacts from public repositories (npm, maven) during generation phase.
It's like using a compiler, how do you know that it does not upload your source code somewhere? Either you audit the compiler code or you protect yourself with a firewall specifically configured each time you use it.
Finally, you should evaluate the risk of leaking generated code, which usually has little value in comparison with the code that you manually add, which is where the business value is.

Allowing users to point their domains to a web-based application?

I'm possibly developing a web-based application that allows users to create individual pages. I would like users to be able to use their own domains/sub-domains to access the pages.
So far I've considered:
A) Getting users to forward with masking to their pages. Probably the most inefficient option, as having used this before myself I'm pretty sure it iFrames the page (not entirely sure though).
B) Having the users download certain files, which then make calls to the server for information for their specific account settings via a user key of some sort. The most efficient in my mind at the moment, however, this requires letting users see a fair degree of source code, something I'd rather not do if possible.
C) Getting the users to add a CNAME record to their DNS settings, which is semi-inefficient (most of these users will be used to uploading files via FTP, hence why B is the most efficient option), but at the same time means no source code will be seen by them.
The downside is, I have no idea how to implement C or what would be needed.
I got the idea from: http://unbounce.com/features/custom-urls/.
I'm wondering what method of the three I should use to allow custom urls for users, I would prefer to do C, but I have no idea how to implement it (I'm kind of asking how), and whether or not the time spent learning how-to/getting that kind of functionality set-up would even be worth it.
Any answers/opinions/comments would be very much appreciated :)!
Option C is called wildcard DNS: I've linked to a writeup that gives an example of how to do it using Apache. Other web server setups should be able to do this as well: for what you want it is well worth it.

Best way to determine whether an attached document will harm a user when opened

We're writing a feature that will allow our users to "attach" things like Word documents, Excel spreadsheets, pictures, pdfs to documents in our application - just like email.
We don't however, want to allow them to attach .exe, .bat, .reg files, or anything else that might harm them if they opened it - so we're proposing to have a whitelist of allowed file types.
Does anyone know of a better way to determine whether a document is safe? (i.e. does not have the ability to harm a user's computer).
Or instead a resource that would give us a list of commonly used safe documents to add to our whitelist as defaults?
You could use a whitelist plus the result of AssocIsDangerous (http://msdn.microsoft.com/en-us/library/bb773465(VS.85).aspx) to determine if the file should be allowed. White list for files to attach without warning, AssocIsDangerous to block altogether, and the remaining could get a default warning dialog.
Be careful about the white list because complex documents can contain macros and their associated applications could contain security vulnerabilities in their parsers.
What about Word macro viruses? There is no one "safe" document type. What if someone renames a .exe file .doc - is that allowable? Don't depend on the file type or name alone and never just trust client input. Validate it on the server side if at all possible, most likely using an anti-virus program or some other known utility.
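A sketch of the server-side check the answers above describe, an extension allowlist that is also verified against the file's leading bytes so a renamed .exe is rejected. This is an added example, not code from any of the posters; the allowlist contents, function name and sample inputs are assumptions made for illustration.

```python
import os

# Allowlist built for this example: extension -> acceptable leading signatures.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP = b"PK\x03\x04"                          # .docx/.xlsx are ZIP containers
ALLOWED = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".doc": [OLE2],
    ".xls": [OLE2],
    ".docx": [ZIP],
    ".xlsx": [ZIP],
}
EXECUTABLE_MAGIC = [b"MZ", b"\x7fELF"]       # Windows PE/DOS and Linux ELF headers


def check_attachment(filename, data):
    """Return (accepted, reason) for an upload, judged on the server side."""
    # Only the final extension counts, so "report.pdf.exe" is treated as .exe.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on allowlist"
    # A renamed executable keeps its header whatever the file is called.
    if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
        return False, "executable content behind allowed extension"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match extension"
    # Matching type says nothing about macros or parser exploits in the file.
    return True, "type matches; still needs antivirus scan"


if __name__ == "__main__":
    # Constructed sample inputs: name plus the first bytes of the upload.
    for name, head in [("invoice.doc", b"MZ\x90\x00\x03"),
                       ("report.pdf", b"%PDF-1.7\n"),
                       ("setup.exe", b"MZ\x90\x00"),
                       ("photo.jpg", b"%PDF-1.7\n")]:
        print(name, check_attachment(name, head))
```

A file that passes here has only been shown to be the type it claims to be; the macro and viewer-vulnerability concerns raised above still call for a scanner.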
Use a reverse proxy setup such as
www <-> HAVP <-> webserver
HAVP (http://www.server-side.de/) is a way to scan http traffic through ClamAV or any other commercial antivirus software. It will prevent users from downloading infected files. If you need https or anything else, then you can put another reverse proxy or web server in reverse proxy mode that can handle the SSL before HAVP.
Nevertheless, it does not work at upload, so it will not prevent the files from being stored on servers, but will prevent the files from being downloaded and thus propagated. So use it with regular file scanning (e.g. clamscan).
I honestly think you are best served by either Clam AV on Linux or Trend Micro on Windows.

ensuring uploaded files are safe

My boss has come to me and asked how to ensure a file uploaded through a web page is safe. He wants people to be able to upload pdfs and tiff images (and the like) and his real concern is someone embedding a virus in a pdf that is then viewed/altered (and the virus executed). I just read something on a procedure that could be used to destroy steganographic information embedded in images by altering least significant bits. Could a similar process be used to ensure that a virus isn't implanted? Does anyone know of any programs that can scrub files?
Update:
So the team argued about this a little bit, and one developer found a post about letting the file download to the file system and having the antivirus software that protects the network check the files there. The poster essentially said that it was too difficult to use the API or the command line for a couple of products. This seems a little kludgy to me, because we are planning on storing the files in the db, but I haven't had to scan files for viruses before. Does anyone have any thoughts or experience with this?
http://www.softwarebyrob.com/2008/05/15/virus-scanning-from-code/
I'd recommend running your uploaded files through antivirus software such as ClamAV. I don't know about scrubbing files to remove viruses, but this will at least allow you to detect and delete infected files before you view them.
Viruses embedded in image files are unlikely to be a major problem for your application. What will be a problem is JAR files. Image files with JAR trailers can be loaded from any page on the Internet as a Java applet, with same-origin bindings (cookies) pointing into your application and your server.
The best way to handle image uploads is to crop, scale, and transform them into a different image format. Images should have different sizes, hashes, and checksums before and after transformation. For instance, Gravatar, which provides the "buddy icons" for Stack Overflow, forces you to crop your image, and then translates it to a PNG.
Is it possible to construct a malicious PDF or DOC file that will exploit vulnerabilities in Word or Acrobat? Probably. But ClamAV is not going to do a very good job at stopping those attacks; those aren't "viruses", but rather vulnerabilities in viewer software.
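For the JAR-trailer case in the answer above, an added example (not the poster's code) that walks a PNG's chunks, cuts the upload at IEND and reports whether the discarded trailer held a ZIP/JAR directory record. It covers only PNG and only appended data, so it is narrower than the full crop-and-re-encode the answer recommends; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory record; a JAR is a ZIP


def png_end(data):
    """Walk the chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length            # length + type + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:   # CRC covers type + body
            raise ValueError("bad chunk CRC")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk")


def inspect_upload(data):
    """Return (clean_bytes, findings): image cut at IEND, notes on what was dropped."""
    end = png_end(data)
    trailer = data[end:]
    findings = []
    if trailer:
        findings.append("%d trailing bytes after IEND" % len(trailer))
    if ZIP_EOCD in trailer:
        findings.append("ZIP/JAR directory record in trailer")
    return data[:end], findings


def _chunk(ctype, body):
    """Build one PNG chunk (used only for the constructed sample below)."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a 1x1 grayscale PNG, then the same bytes plus an empty ZIP.
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))
SAMPLE_WITH_TRAILER = SAMPLE_PNG + ZIP_EOCD + b"\x00" * 18

if __name__ == "__main__":
    clean, notes = inspect_upload(SAMPLE_WITH_TRAILER)
    print(notes, hashlib.sha256(clean).hexdigest()[:16])
```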
It depends on your company's budget but there are hardware devices and software applications that can sit between your web server and the outside world to perform these functions. Some of these are hardware firewalls with anti-virus software built in. Sometimes they are called application gateways or application proxies.
Here are links to an open source gateway that uses Clam-AV:
http://en.wikipedia.org/wiki/Gateway_Anti-Virus
http://gatewayav.sourceforge.net/faq.html
You'd probably need to chain an actual virus scanner to the upload process (the same way many virus scanners ensure that a file you download in your browser is safe).
In order to do this yourself, you'd have to keep it up to date, which means keeping libraries of virus definitions around, which is likely beyond the scope of your application (and may not even be feasible depending on the size of your organization).
Yes, ClamAV should scan the file regardless of the extension.
Use a reverse proxy setup such as
www <-> HAVP <-> webserver
HAVP (http://www.server-side.de/) is a way to scan http traffic through ClamAV or any other commercial antivirus software. It will prevent users from downloading infected files.
If you need https or anything else, then you can put another reverse proxy or web server in reverse proxy mode that can handle the SSL before HAVP.
Nevertheless, it does not work at upload, so it will not prevent the files from being stored on servers, but will prevent the files from being downloaded and thus propagated. So use it with regular file scanning (e.g. clamscan).
