Imperva Cyber Community


multipart/form-data: protection against malicious file upload

  • 1.  multipart/form-data: protection against malicious file upload

    Posted 12-08-2020 08:47

    Dear Community members,

    We recently had a pentest on an on-premise hosted & containerized webapp, which is protected by an On-Premise WAF.

    The pentester was able to upload an EICAR test file through the webform (multipart/form-data). After reviewing the WAF alerts filtered on this webapp, I can't find it. Therefore I assume either there isn't any signature on the WAF related to the EICAR pattern, or it's not included in different policies applied on this webapp.

    From this introduction:
    - is there an existing Imperva ADC object or policy related to EICAR?
    - beyond the EICAR test file itself, is it a good approach to rely on the WAF to prevent all malicious files from being sent via the webform? If it is, how can I be sure that I'm applying the right policies for this scenario?

    Thank you in advance for your help,


    Ugo Schoellkopf
    Amer Sports

  • 2.  RE: multipart/form-data: protection against malicious file upload
    Best Answer

    Imperva Employee
    Posted 12-10-2020 16:31

    If you are referring to the EICAR AntiMalware Testfile, that is an entirely different use case. Imperva doesn't check for that because it doesn't look for other file based viruses in the stream either. You could conceivably write a policy for it, but it would only work for the test string (it would help you with pen testing results, but not real security :).

    If you are accepting file uploads, you should scan them separately. I have heard some people might use ICAP through a router with their AV server, but most will just have a "file DMZ" with their standard AV running in auto-protect mode on a particular share.

    If you have a pen tester that just pasted the string into a field on a web page, I would look into new pen testers. That isn't what the string is meant for (see the link above).


    Jim Burtoft
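The "scan uploads separately" pattern from the answer above, as an added example that is not part of the original thread or any Imperva product: the handler splits the multipart/form-data body into file parts, writes each one to a quarantine directory under a content hash (never the client-supplied filename), and only moves it to the released share when the scanner hook returns clean. The scanner hook stands in for the AV/ICAP step and is hypothetical; it flags a constructed marker string, not real malware, so the whole thing runs offline.

```python
import hashlib
import os
import tempfile
from email.parser import BytesParser
from email.policy import default

def parse_multipart(body: bytes, boundary: str):
    """Return (client filename, payload) for every file part of a multipart/form-data body."""
    # Prepend a Content-Type header so the stdlib MIME parser can split the parts for us.
    msg = BytesParser(policy=default).parsebytes(
        b'Content-Type: multipart/form-data; boundary="' + boundary.encode() + b'"\r\n\r\n' + body)
    # Parts without a filename are ordinary form fields, not uploads.
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_parts() if p.get_filename()]

def quarantine_and_scan(files, scanner, release_dir):
    """Write each upload to a quarantine directory, hand it to the scanner, release only if clean."""
    verdicts = {}
    quarantine = tempfile.mkdtemp(prefix="upload-quarantine-")
    for client_name, payload in files:
        # Never trust the client's filename: store under a content hash instead.
        qpath = os.path.join(quarantine, hashlib.sha256(payload).hexdigest())
        with open(qpath, "wb") as fh:
            fh.write(payload)
        if scanner(qpath):               # scanner returns True when it flags the file
            os.remove(qpath)
            verdicts[client_name] = "rejected"
        else:                            # clean: move out of quarantine to the released share
            os.replace(qpath, os.path.join(release_dir, os.path.basename(qpath)))
            verdicts[client_name] = "released"
    return verdicts

# Hypothetical stand-in for the AV/ICAP scanner: flags a constructed marker, not real malware.
MARKER = b"CONSTRUCTED-TEST-MARKER"
def marker_scanner(path: str) -> bool:
    with open(path, "rb") as fh:
        return MARKER in fh.read()

# Constructed sample request body with two file parts: one clean, one carrying the marker.
SAMPLE_BODY = (b"--B0UND\r\nContent-Disposition: form-data; name=\"file\"; filename=\"report.txt\"\r\n"
               b"Content-Type: text/plain\r\n\r\nquarterly numbers\r\n"
               b"--B0UND\r\nContent-Disposition: form-data; name=\"file\"; filename=\"bad.bin\"\r\n"
               b"Content-Type: application/octet-stream\r\n\r\n\x00\x01" + MARKER + b"\x02\r\n"
               b"--B0UND--\r\n")

def demo() -> dict:
    release_dir = tempfile.mkdtemp(prefix="upload-released-")
    return quarantine_and_scan(parse_multipart(SAMPLE_BODY, "B0UND"), marker_scanner, release_dir)

if __name__ == "__main__":
    print(demo())  # {'report.txt': 'released', 'bad.bin': 'rejected'}
```

In a real deployment the scanner hook would call the AV engine or an ICAP server, and the quarantine and release directories would be separate shares with distinct permissions.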