This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Reflected File Download"

From OWASP
Jump to: navigation, search
(add basic information on RFD and references)
(disable URLs)
Line 6: Line 6:
 
Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed):
 
Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed):
  
     https://google.com/s?q=rfd%22||calc||
+
     hxxps://google.com/s?q=rfd%22||calc||
 
 
 
     {"results":["q", "rfd\"||calc||","I love rfd"]}
 
     {"results":["q", "rfd\"||calc||","I love rfd"]}
  
 
Now, this is normally harmless in a browser as it's JSON so it's not going to be rendered but the browser will rather offer to download the response as a file. Now here's the path segments come to help the attacker:
 
Now, this is normally harmless in a browser as it's JSON so it's not going to be rendered but the browser will rather offer to download the response as a file. Now here's the path segments come to help the attacker:
  
     https://google.com/s;/setup.bat;?q=rfd%22||calc||
+
     hxxps://google.com/s;/setup.bat;?q=rfd%22||calc||
  
 
Everything between semicolons (`;/setup.bat;`) will be not sent to the web service, but instead the browser will interpret it as the file name... to save the API response. Now, a file called setup.bat will be downloaded and run without asking about dangers of running files downloaded from Internet (because it contains the word "setup" in its name). The contents will be interpreted as Windows batch file, and the `calc.exe` command will be run.
 
Everything between semicolons (`;/setup.bat;`) will be not sent to the web service, but instead the browser will interpret it as the file name... to save the API response. Now, a file called setup.bat will be downloaded and run without asking about dangers of running files downloaded from Internet (because it contains the word "setup" in its name). The contents will be interpreted as Windows batch file, and the `calc.exe` command will be run.

Revision as of 09:38, 26 April 2017

This is an Attack. To view all attacks, please see the Attack Category page.


Reflected File Download is an attack combining URL path segments (now deprecated) with web services vulnerable to JSONP Injection to deliver malware to end users.

Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed):

   hxxps://google.com/s?q=rfd%22||calc||
   {"results":["q", "rfd\"||calc||","I love rfd"]}

Now, this is normally harmless in a browser as it's JSON so it's not going to be rendered but the browser will rather offer to download the response as a file. Now here's the path segments come to help the attacker:

   hxxps://google.com/s;/setup.bat;?q=rfd%22||calc||

Everything between semicolons (`;/setup.bat;`) will be not sent to the web service, but instead the browser will interpret it as the file name... to save the API response. Now, a file called setup.bat will be downloaded and run without asking about dangers of running files downloaded from Internet (because it contains the word "setup" in its name). The contents will be interpreted as Windows batch file, and the `calc.exe` command will be run.

Prevention:

  • sanitize your API's input (in this case they should just allow alphanumerics); escaping is not sufficient
  • add `Content-Disposition: attachment; filename="whatever.txt"` on APIs that are not going to be rendered; Google was missing the filename part which actually made the attack easier
  • add `X-Content-Type-Options: nosniff` header to API responses

References:

Last revision (mm/dd/yy): 04/26/2017

Overview