
Difference between revisions of "Reflected File Download"

From OWASP
m
(Any page that reflects user input can be vulnerable to RFD. Certainly under true conditions, for example Content-Disposition without filename attribute.)
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
{{template: Attack}}<br>
+
{{template: Attack}}
 +
<br>
 
[[Category:OWASP ASDR Project]]
 
[[Category:OWASP ASDR Project]]
 +
 +
'''Reflected File Download''' is an attack combining [http://stackoverflow.com/questions/2163803/what-is-the-semicolon-reserved-for-in-urls URL path segments] (now deprecated) with pages that reflects user inputs in the response. Generally web services vulnerable to [https://securitycafe.ro/2017/01/18/practical-jsonp-injection/ JSONP Injection] are used to deliver malware to end users.
 +
 +
Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed):
 +
 +
    hxxps://google.com/s?q=rfd%22||calc||
 +
    {"results":["q", "rfd\"||calc||","I love rfd"]}
 +
 +
Now, this is normally harmless in a browser as it's JSON so it's not going to be rendered but the browser will rather offer to download the response as a file. Now here's the path segments come to help the attacker:
 +
 +
    hxxps://google.com/s;/setup.bat;?q=rfd%22||calc||
 +
 +
Everything between semicolons (`;/setup.bat;`) will be not sent to the web service, but instead the browser will interpret it as the file name... to save the API response. Now, a file called setup.bat will be downloaded and run without asking about dangers of running files downloaded from Internet (because it contains the word "setup" in its name). The contents will be interpreted as Windows batch file, and the `calc.exe` command will be run.
 +
 +
Prevention:
 +
 +
* sanitize your API's input (in this case they should just allow alphanumerics); escaping is not sufficient
 +
* add `Content-Disposition: attachment; filename="whatever.txt"` on APIs that are not going to be rendered; Google was missing the filename part which actually made the attack easier
 +
* add `X-Content-Type-Options: nosniff` header to API responses
 +
 +
References:
 +
* [https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf Oren Hafif "Reflected File Download A New Web Attack Vector", BlackHat EU 2014]
  
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
  
 
[[Category:Security Focus Area]]
 
[[Category:Security Focus Area]]
 
__NOTOC__
 
__NOTOC__
 
==Overview==
 
==Overview==
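Review bot: the prevention bullet "escaping is not sufficient" would be easier to follow if it pointed back at the sample response added above, where the quote is already escaped as `\"` yet `||calc||` survives unchanged in the body; that is the reason the bullet asks for an alphanumeric whitelist rather than output encoding. The `X-Content-Type-Options: nosniff` bullet likewise gives no rationale; one clause saying it stops the browser from sniffing the JSON body into another type would make the list self-explanatory. Minor: splitting `{{template: Attack}}<br>` into two lines changes only wikitext layout, not the rendered page.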

Latest revision as of 15:41, 15 August 2018

This is an Attack. To view all attacks, please see the Attack Category page.


Reflected File Download is an attack combining URL path segments (now deprecated) with pages that reflect user input in the response. Generally, web services vulnerable to JSONP Injection are used to deliver malware to end users.

Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed):

   hxxps://google.com/s?q=rfd%22||calc||
   {"results":["q", "rfd\"||calc||","I love rfd"]}

Normally this is harmless in a browser: the response is JSON, so it is not rendered, and the browser instead offers to download it as a file. This is where path segments come to the attacker's aid:

   hxxps://google.com/s;/setup.bat;?q=rfd%22||calc||

Everything between the semicolons (`;/setup.bat;`) is not sent to the web service; instead the browser interprets it as the file name under which to save the API response. A file called setup.bat is therefore downloaded and run without any warning about the dangers of running files downloaded from the Internet (because it contains the word "setup" in its name). Its contents are interpreted as a Windows batch file, and the `calc.exe` command is run.

Prevention:

  • sanitize your API's input (in this case only alphanumerics should be allowed); escaping is not sufficient
  • add `Content-Disposition: attachment; filename="whatever.txt"` on APIs that are not going to be rendered; Google was missing the filename part which actually made the attack easier
  • add `X-Content-Type-Options: nosniff` header to API responses
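As an added example, not code from the OWASP page, the naive reflect-and-escape pattern described above is placed beside a handler that applies the three prevention measures; the endpoint shape, the filename `response.json` and the 64-character limit are assumptions.

```python
import json
import re

# Added example, not code from the OWASP page: the naive reflect-and-escape
# pattern the page describes, beside a handler applying its three fixes.
# The endpoint shape, filename and 64-char limit are assumptions.

ALNUM = re.compile(r"[A-Za-z0-9]{1,64}")


def naive_response(q: str) -> tuple:
    """Reflect the query relying on JSON escaping alone (the vulnerable shape)."""
    body = json.dumps({"results": ["q", q, "I love rfd"]}).encode()
    return {"Content-Type": "application/json"}, body


def hardened_headers() -> dict:
    return {
        "Content-Type": "application/json; charset=utf-8",
        # Explicit filename: the browser saves under this name instead of a
        # path segment such as ;/setup.bat; taken from the request URL.
        "Content-Disposition": 'attachment; filename="response.json"',
        # Stop the browser from sniffing the body into another content type.
        "X-Content-Type-Options": "nosniff",
    }


def hardened_response(q: str) -> tuple:
    """Whitelist the input before reflecting it; escaping is not enough."""
    # JSON escaping turns " into \" but leaves ||calc|| intact in the body,
    # and a batch interpreter does not care about the surrounding JSON syntax.
    if not ALNUM.fullmatch(q):
        body = json.dumps({"error": "invalid query"}).encode()
        return 400, hardened_headers(), body
    body = json.dumps({"results": [q]}).encode()
    return 200, hardened_headers(), body


def is_rfd_hardened(headers: dict) -> bool:
    """Check a response for both header defences the page recommends."""
    cd = headers.get("Content-Disposition", "").lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    return nosniff and cd.startswith("attachment") and "filename=" in cd
```

Feeding the page's own payload `rfd"||calc||` to `naive_response` shows `||calc||` surviving in the escaped body, while `hardened_response` rejects it with a 400 and `is_rfd_hardened` confirms both headers are present.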

References:

  • Oren Hafif, "Reflected File Download A New Web Attack Vector", BlackHat EU 2014: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

Last revision (mm/dd/yy): 08/15/2018
