This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Reflected File Download"
(disable URLs) |
(Any page that reflects users input can be vulnerable to RFD. Certainly under true conditions, for example Content-Disposition withou filename attribute.) (Tag: Visual edit) |
||
| Line 1: | Line 1: | ||
| − | {{template: Attack}}<br> | + | {{template: Attack}} |
| + | <br> | ||
[[Category:OWASP ASDR Project]] | [[Category:OWASP ASDR Project]] | ||
| − | '''Reflected File Download''' is an attack combining [http://stackoverflow.com/questions/2163803/what-is-the-semicolon-reserved-for-in-urls URL path segments] (now deprecated) with web services vulnerable to [https://securitycafe.ro/2017/01/18/practical-jsonp-injection/ JSONP Injection] to deliver malware to end users. | + | '''Reflected File Download''' is an attack combining [http://stackoverflow.com/questions/2163803/what-is-the-semicolon-reserved-for-in-urls URL path segments] (now deprecated) with pages that reflects user inputs in the response. Generally web services vulnerable to [https://securitycafe.ro/2017/01/18/practical-jsonp-injection/ JSONP Injection] are used to deliver malware to end users. |
Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed): | Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed): | ||
| Line 25: | Line 26: | ||
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | ||
| − | |||
[[Category:Security Focus Area]] | [[Category:Security Focus Area]] | ||
__NOTOC__ | __NOTOC__ | ||
==Overview== | ==Overview== | ||
Latest revision as of 15:41, 15 August 2018
- This is an Attack. To view all attacks, please see the Attack Category page.
Reflected File Download is an attack combining URL path segments (now deprecated) with pages that reflects user inputs in the response. Generally web services vulnerable to JSONP Injection are used to deliver malware to end users.
Let's assume we have a vulnerable API that reflects whatever we send to it (the URL was real apparently, now fixed):
hxxps://google.com/s?q=rfd%22||calc||
{"results":["q", "rfd\"||calc||","I love rfd"]}
Now, this is normally harmless in a browser as it's JSON so it's not going to be rendered but the browser will rather offer to download the response as a file. Now here's the path segments come to help the attacker:
hxxps://google.com/s;/setup.bat;?q=rfd%22||calc||
Everything between semicolons (`;/setup.bat;`) will be not sent to the web service, but instead the browser will interpret it as the file name... to save the API response. Now, a file called setup.bat will be downloaded and run without asking about dangers of running files downloaded from Internet (because it contains the word "setup" in its name). The contents will be interpreted as Windows batch file, and the `calc.exe` command will be run.
Prevention:
- sanitize your API's input (in this case they should just allow alphanumerics); escaping is not sufficient
- add `Content-Disposition: attachment; filename="whatever.txt"` on APIs that are not going to be rendered; Google was missing the filename part which actually made the attack easier
- add `X-Content-Type-Options: nosniff` header to API responses
References:
Last revision (mm/dd/yy): 08/15/2018
