Cookie #4: Turning WAFs into a VirusTotal-like Platform for File Content Validation
As a security engineer, working with low-budget projects has sometimes driven my growth.
📚 Newsletter on Secure Coding and Web Security
The Secure Cookie is meant to help you write safer code, ship secure applications with less frustration, and expand your skills as a security-aware developer. Expect deep dives into OWASP guidelines, coding safeguards, secure architecture designs, and web security tips.
Everything you learn here can be put into practice on tablab.io—the platform I built with passion to offer secure coding hands-on labs for developers who are serious about their craft.
Hi Friends,
Welcome to the 4th drop of the Secure Cookie newsletter.
File type validation won’t tell you whether a file is what it claims to be, as it can be easily spoofed through misleading extensions, manipulated magic number signatures, or altered headers. A valid approach to determine what kind of file we are dealing with is to inspect the file’s actual content and make decisions based on that analysis. However, implementing such a process as a developer introduces multiple security considerations and becomes infeasible—being complex, time-consuming, and often unreliable.
The most effective path is to rely on dedicated platforms that offer specialised capabilities for file analysis, such as VirusTotal. They provide an easier, more straightforward solution for file content validation, but this immediately raises a recurring concern for organizations: [more] subscription costs.
To be honest, this is a challenge I’ve often seen among companies based in Spain. Even though many SaaS platforms and service providers claim to offer competitive prices across Europe, these conditions may not always apply to the southern regions, where available budgets are often lower compared with companies located in northern territories.
As a result, many engineers I’ve worked with tend to look for the cheapest or free option available, which managers often approve to move forward. Still, file content validation must be handled carefully, as a careless choice may result in false trust or in sensitive data being exposed. For example, when using the VirusTotal platform without a paid subscription, any file you upload can be accessed by subscribed users, which is obviously a red flag.
This is where the real challenge begins. The company chooses not to invest in a specialized service, yet still expects you to deliver a robust implementation for file content validation.
Even though it is far from my preferred approach, there is an alternative that can still be applied to move closer to the goal. Keep in mind that simplicity will be crucial—because if the process is not straightforward, developers will struggle, introduce errors, and may choose not to adopt it widely.
A pragmatic solution is to adapt the existing WAF in the infrastructure into a basic file content validation tool by adding a lightweight application that offers a graphical interface, an API endpoint, or both, enabling users and other corporate applications to use it as a specialized service.
Several Web Application Firewalls (WAFs) incorporate file malware detection features in their file upload protection or content scanning modules that could be leveraged to satisfy the file content validation requirements. These modules may offer limited functionality compared to specialized services like VirusTotal, but this approach can demonstrate value gradually and eventually help convince management to finally adopt a full professional service.
Cloud-based WAFs, as opposed to on-premises appliance-based WAFs, are more likely to provide this feature while streamlining the setup for implementation.
Using FortiWeb Cloud as a File Scanning Platform
FortiWeb Cloud is designed to protect web applications against a wide range of threats. When properly configured, it can also scan uploaded files to detect malware, greyware, malicious scripts, and other harmful content, ensuring that a file is legitimate and safe to use.
To achieve this, it uses a multi-layered scanning approach that combines signature-based detection and behavioral analysis for comprehensive protection.
Signature-based detection compares uploaded files against a database of known malware signatures. FortiWeb Cloud uses up-to-date virus definitions and threat intelligence to keep detection accurate and reliable.
Behavioral analysis (via FortiSandbox) runs files in an isolated environment to observe their real-time behavior. This makes it possible to identify advanced threats such as zero-day malware or sophisticated attacks that static methods may miss.
Together, these mechanisms offer greater assurance that harmful content in files is detected before it can compromise systems or applications.
Submitting Files for Scanning
The idea behind this implementation is to provide a simple graphical interface or API endpoint that accepts files for evaluation through the WAF’s scanning features. The solution is expected to return a success status code only when the files are legitimate. It should act as a middleware layer, standardising received submissions into formats supported by FortiWeb Cloud and presenting error messages in a clearer, more digestible way—for example, explicitly flagging when a file exceeds the maximum size allowed for analysis.
👉 At tablab.io, you’ll find a dedicated Lab designed to help you practice submitting files correctly to FortiWeb Cloud for successful file scanning:
Remember you can unlock access to tablab.io by becoming a free subscriber to this newsletter. Jump in, learn by doing, and boost your expertise! 🚀
File upload via multipart/form-data
The multipart/form-data format is the most common and suggested approach for file uploads, as it efficiently handles binary data. FortiWeb Cloud can process and scan files directly from this format, requiring no additional steps.
POST /upload HTTP/2
Host: domain.tbl
User-Agent: Mozilla/5.0 (compatible; MSIE 11.0; Windows; Windows NT 6.2; Win64; x64; en-US Trident/7.0)
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: multipart/form-data; boundary=---------------------------41762806061171117218568726803
Content-Length: 656499
Connection: keep-alive

-----------------------------41762806061171117218568726803
Content-Disposition: form-data; name="email"

johndoe@domain.tbl
-----------------------------41762806061171117218568726803
Content-Disposition: form-data; name="file"; filename="landscape.png"
Content-Type: image/png

[binary file data]
-----------------------------41762806061171117218568726803--
The JavaScript code below uses the axios package to send an HTTP request matching the example shown above:

import axios from "axios";

// Wrap the file in a multipart/form-data body and post it to the upload endpoint.
// axios (and the browser) derive the multipart boundary from the FormData object,
// so the explicit Content-Type header is optional; it is kept here to mirror the
// request shown above.
const sendFile = (formFile) => {
  const formData = new FormData();
  formData.append("file", formFile);
  return axios.post("/upload", formData, {
    headers: {
      "Content-Type": "multipart/form-data"
    }
  });
};
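An added example (not code from the newsletter or from Fortinet) of the middleware step described earlier: it rejects oversized or empty submissions with an explicit message before anything reaches the WAF, and builds the multipart/form-data body in the exact layout of the request shown above. The maximum size constant is an assumed placeholder, since the page does not state FortiWeb Cloud's limit.

```javascript
// MAX_SCAN_BYTES is an assumed placeholder, not a documented FortiWeb Cloud limit.
const MAX_SCAN_BYTES = 5 * 1024 * 1024;

// Pre-check run by the middleware before anything is forwarded to the WAF.
// Returns { ok: true } or { ok: false, error } with a message a developer can act on.
function validateSubmission({ filename, data }) {
  if (!filename || !Buffer.isBuffer(data)) {
    return { ok: false, error: 'submission must include a filename and binary data' };
  }
  if (data.length === 0) {
    return { ok: false, error: 'file is empty' };
  }
  if (data.length > MAX_SCAN_BYTES) {
    return { ok: false, error: `file is ${data.length} bytes; the scanner accepts at most ${MAX_SCAN_BYTES} bytes` };
  }
  return { ok: true };
}

// Builds the multipart/form-data body and headers (RFC 7578 layout, as in the
// request above). `fields` are plain text parts; `file` is
// { name, filename, contentType, data } with `data` a Buffer.
function buildMultipartBody(boundary, fields, file) {
  const CRLF = '\r\n';
  // Strip quote and line-break characters so a hostile file name cannot break
  // out of the Content-Disposition header and inject extra part headers.
  const safeName = String(file.filename).replace(/[\r\n"]/g, '_');
  const parts = [];
  for (const [name, value] of Object.entries(fields)) {
    parts.push(Buffer.from(
      `--${boundary}${CRLF}Content-Disposition: form-data; name="${name}"${CRLF}${CRLF}${value}${CRLF}`));
  }
  parts.push(Buffer.from(
    `--${boundary}${CRLF}Content-Disposition: form-data; name="${file.name}"; ` +
    `filename="${safeName}"${CRLF}Content-Type: ${file.contentType}${CRLF}${CRLF}`));
  parts.push(file.data, Buffer.from(CRLF));
  parts.push(Buffer.from(`--${boundary}--${CRLF}`));
  const body = Buffer.concat(parts);
  return {
    body,
    headers: {
      'Content-Type': `multipart/form-data; boundary=${boundary}`,
      'Content-Length': String(body.length),
    },
  };
}
```

Run validateSubmission first and forward the built body and headers only when it returns ok, so a size rejection is reported to the caller in plain words instead of as an opaque WAF error.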
FortiWeb Cloud can also scan files that are base64-encoded and embedded in JSON objects. Check out the tablab.io lab to learn more.
Whatever the Method, Validate File Content for Safety
File content validation is the third essential block to address when securing file upload features in web applications, alongside file name sanitization, file type validation, and resource limit enforcement.
Files such as PDFs, office documents, and media files can contain various forms of malicious content, including hidden scripts, obfuscated payloads, or parser exploits. In some cases, uploads are deliberately crafted for phishing—disguised as invoices or reports to trick users into disclosing sensitive data.
When it comes to media files, OWASP recommends techniques such as image rewriting to remove malicious code injected into images. For Microsoft documents, certain validation libraries can also be employed to help ensure the content is legitimate.
The specific approach you choose to implement file content validation is less important than ensuring the process is effective. Analysing a file’s structure, using certain validation libraries, or applying rewriting techniques can be more complex and time-consuming, but remain entirely valid.
At the end of the day, the goal lies in adopting a validation process that ensures file content is safe before it reaches your systems or users.
👉 Ready to dive deeper into secure file upload practices?
Reading Picks
Here are a few articles I found valuable in recent weeks:
Cognitive load is what matters by Artem Zakirullin