Multipart Request Rejected by Firewall

0 投票
最新提问 用户: (140 分)

I'm working on a Windows 10 project, one of my tasks is to send files to server in multipart request, so I achieve that by the following code, it is working well and files received from server and task completed.


System.Net.Http.HttpContent stringContent = new System.Net.Http.StringContent(imageFileName);
System.Net.Http.HttpContent bytesContent;
var client = new System.Net.Http.HttpClient();
var formData = new System.Net.Http.MultipartFormDataContent();
formData.Add(stringContent, "type");
foreach (byte[] image in imageFileName.GetImagesList())
  bytesContent = new System.Net.Http.ByteArrayContent(image);
  bytesContent.Headers.ContentType = MediaTypeHeaderValue.Parse("image/jpeg");
  formData.Add(bytesContent, "images", "file_" + imageFileName.GetImagesList().IndexOf(image) + ".jpg");
var response = client.PostAsync(resourceAddress, formData).Result;

Then when we've moved to production environment, the firewall rejected this request and caught multiple hack attempts such as:

  • Http Headers Injection
  • SQL Injection by '#'
  • rm execution attempt
  • Backtick command execution attempts
  • vi execution attempts ...... and many more ....

And all this attempts, are caught for the contents of the JPEG file! So I though that I should use HttpStreamContent instead, and tried the following code:

HttpMultipartFormDataContent multipartContent = new HttpMultipartFormDataContent();
HttpStreamContent streamContent;
Stream stream;
foreach (byte[] image in imageFileName.GetImagesList())
  stream = new MemoryStream(image);
  streamContent = new HttpStreamContent(stream.AsInputStream());
  streamContent.Headers.ContentType = new HttpMediaTypeHeaderValue("image/jpeg");
  multipartContent.Add(streamContent, "images", "file_" + imageFileName.GetImagesList().IndexOf(image) + ".jpg");
multipartContent.Add(new HttpStringContent(imageFileName), "type");
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, resourceAddress);
request.Content = multipartContent;
HttpResponseMessage response = await httpClient.SendRequestAsync(request).AsTask(cts.Token);

But Unfortunately I've got same result.

And the most important point is that the same web service (which I'm trying to call) is required to be implemented on Android & IOS with same functionality (multipart request) so the request from Android & IOS will be passed through the same Firewall, and it is working well from Android & IOS even on production!!!!

发表于 用户: 匿名
Are they expecting a boundary value in HttpMultipartFormDataContent()?
发表于 用户: (140 分)
@RositaClerissaSerrao yeah sure boundary is required and it is added implicitly for each part, but I think that's not the reason why firewall rejects my request.
发表于 用户: (140 分)
The Firewall checks the content of JPEG image which is same as what mobile is sending, but for some reason (I'd like to know it), it rejects my request and allow mobile requests.

登录 或者 注册 后回答这个问题。

欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。