POC in order to protect an document upload application feature against "malicious" document submission.

It's the code repository if this OWASP article.

Before to launch a build or execution of the POC, use the script install-non-maven-deps.bat to install dependencies into your local Maven cache.

1. Use the maven command below to run the web container:

mvn -DskipTests tomcat7:run-war

2. Use the following URL to acces to upload form and use the POC:

http://localhost:9090

We will focus our work on the following formats because it's the formats that are often used as attack vector and also to transmit legit information:

• Microsoft Word document (from 97 to 2016),

• Microsoft Excel document (from 97 to 2016),

• Microsoft Powerpoint document (from 97 to 2016),

• Adobe Pdf document,

• Image document (formats supported by the IJ API: http://rsb.info.nih.gov/ij/developer/api).

The reason why Aspose API have been used into this POC are the following:

• There many way to embed Macro into a Microsoft Office document and, instead of manually support all the way that exists on the wild (they evolve every days), we prefer to use features from a company that perform R&D on these formats, precisely DOC/XLS/PPT native formats that are proprietary.

• The open source API POI for DOC native format is not very stable.

• The open source API JEXCELAPI for XLS native format is not often maintained (last publishing on Maven repository date from 27-Nov-2012).

• https://www.greyhathacker.net/?p=872